Ask HN: How important is Single Sign-On (SSO) for an application?

8 points by swaptr 2 years ago · 8 comments · 1 min read

I have recently seen a lot of SaaS/Micro-SaaS offering SSO, which leaves me wondering if it is common in the industry. Does your organization use one? Builders, do you spin up your own infra for SSO (Keycloak, etc.) or do you use some service like Auth0, etc.?

atilla_bilgic 2 years ago

Here are my two cents.

For businesses of all types and sizes, having IAM governance is important. This way password policies can be set up and enforced.

When the SaaS landscape starts growing, this governance becomes more important and mission critical. The attack surface of the business expands with the number of passwords employees need to manage.

In the above picture, SSO brings significant relief to IT and Finance managers with less management hassle and reduced risk scores on the business side.

For the employees, SSO integrations give a more streamlined and smooth experience.

  • 7bit 2 years ago

    Not only password policies, but authentication policies as a whole. For example, the location from where you may authenticate, or the times, the IP address ranges, the device you're using, and so on.

    It is also important for user account lifecycle. If a user joins or leaves the company, IT needs to be able to grant or revoke access without having to go on an individual account hunt.

    If a service does not offer SSO (or a good implementation of it, because most services seem to follow some YouTube guide on how to add SSO - it's that bad) our policies forbid us from buying it.

    • swaptrOP 2 years ago

      Interesting. How do you analyze if an SSO implementation is good or not?

      • 7bit 2 years ago

        Check if they follow the specs. Especially with SAML, I've found many, many implementations that are just broken. Such as logging a user out of the IdP after idling, when they should just revoke the session for their SP.

        Another good one is when they INSIST on using an email address for the name-id. These things change, so let me PLEASE use an immutable ID ... That's already close to not getting accepted because it invites problems.

        Another one being Auto-Provisioning not being implemented, needing an additional user sync. This also contributes to not getting accepted.

        If an SP does not implement certificate rollover, it's getting an Instant NO!

        But to be fair, Microsoft's IdP side has some flaws as well, which is annoying.
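Two of the SP-side checks 7bit lists above (an immutable NameID rather than an email address, and surviving IdP certificate rollover) as an added example in Python. This is not code from the thread or from any product mentioned in it; the SAML documents, entity IDs and certificate strings are constructed placeholders, and real XML-DSig verification is left to a proper library. What it shows is the review logic: reject an email-format NameID, and trust every signing certificate the IdP currently publishes instead of pinning one.

```python
"""Constructed SAML review checks: NameID immutability and signing-cert rollover.

Added example (not from the HN thread); standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_FMT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed placeholder certificate bodies (not real X.509 data).
OLD_CERT = "MIIC0OLDSIGNINGCERTPLACEHOLDER"
NEW_CERT = "MIIC0NEWSIGNINGCERTPLACEHOLDER"
ENC_CERT = "MIIC0ENCRYPTIONCERTPLACEHOLDER"

# Constructed IdP metadata as published mid-rollover: old and new signing certs side by side.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(cert, nameid_format, nameid_value):
    """Build a minimal constructed samlp:Response; the SignatureValue is a dummy."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>c2lnbg==</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID Format="{nameid_format}">{nameid_value}</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def nameid_findings(response_xml):
    """Flag a NameID that is an email address or not in the persistent format."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        return ["no NameID in Subject"]
    fmt = nameid.get("Format", "")
    value = (nameid.text or "").strip()
    if fmt == EMAIL_FMT or "@" in value:
        return ["NameID is an email address; an immutable identifier is expected"]
    if fmt != PERSISTENT_FMT:
        return [f"NameID format is {fmt or 'unspecified'}, not persistent"]
    return []


def _normalize(cert_body):
    return "".join(cert_body.split())


def trusted_signing_certs(idp_metadata_xml):
    """Every signing cert the IdP publishes; a KeyDescriptor with no 'use' counts for both uses."""
    root = ET.fromstring(idp_metadata_xml)
    certs = set()
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys never sign responses
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.add(_normalize(c.text or ""))
    return certs


def signer_is_trusted(response_xml, trusted):
    """True if the cert in the response's KeyInfo is one the IdP currently publishes.

    Signature verification itself is omitted; this is only the trust-set selection
    that lets an SP keep working while the IdP rotates its key.
    """
    root = ET.fromstring(response_xml)
    c = root.find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return c is not None and _normalize(c.text or "") in trusted


def review(response_xml, idp_metadata_xml):
    """Combined SP-side review; an empty list means both checks passed."""
    findings = nameid_findings(response_xml)
    if not signer_is_trusted(response_xml, trusted_signing_certs(idp_metadata_xml)):
        findings.append("signing certificate is not one the IdP publishes")
    return findings


if __name__ == "__main__":
    print(review(make_response(NEW_CERT, PERSISTENT_FMT, "a1b2c3-opaque-id"), IDP_METADATA))
    print(review(make_response(OLD_CERT, EMAIL_FMT, "alice@example.test"), IDP_METADATA))
    print(review(make_response("MIIC0RETIREDCERTPLACEHOLDER", PERSISTENT_FMT, "a1b2c3"), IDP_METADATA))
```

During a rollover window the IdP metadata carries both the outgoing and the incoming signing certificate, so an SP that refreshes its trust set from metadata accepts responses signed with either; an SP that pinned a single certificate at onboarding is the one that breaks when the IdP switches keys.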

codingdave 2 years ago

It isn't that SSO is important because of your application - it is important because of your audience -- B2C apps don't need SSO. B2B apps probably do.

crazyrabbitrap 2 years ago

I think this blog explains why in detail: https://blog.logto.io/sso-is-better/
