zlacker

Show HN: Skip the SSO Tax, access your user data with OSS

submitted by mathia+(OP) on 2023-04-11 12:40:49 | 220 points 103 comments

As the former CTO of an Insurtech and Fintech startup I always had the “pleasure” to keep regulators and auditors happy. Think of documenting who has access to what, quarterly access reviews, yearly audits and so on…

Like many others we couldn’t justify the Enterprise plan for every SaaS tool simply to get access to SSO and SCIM/SAML APIs. For Notion alone the cost would have nearly doubled to $14 per user per month. That’s insane! Mostly unknown to people, the SSO Tax also limits access to the APIs that are used for managing user access (SCIM/SAML).

This has proven to be an incredibly annoying roadblock that prevented me from doing anything useful with our user data:
- You want to download the current list of users and their permissions? Forget about it!
- You want to centrally assign user roles and permissions? Good luck with that!
- You want to delete user accounts immediately? Yeah right, like that's ever gonna happen!

It literally cost me hours at the end of every quarter to update our access matrix for our access reviews and to manually assign user accounts and permissions.

I figured, there must be a better way than praying to the SaaS gods to miraculously make the SSO Tax disappear (and open up SCIM/SAML along the way). That’s why I sat down a few weeks ago and started building OpenOwl (https://github.com/AccessOwl/open_owl). It allows me to just plug in my user credentials and automatically download user lists, including permissions from SaaS tools.

Granted, OpenOwl is still a work in progress, and it's not perfect. At the moment it's limited to non-SSO login flows and covers only 7 SaaS vendors. My favorite part is that you can configure integrations as “recipes”. The goal was for anybody to be able to add new integrations (IT managers and developers alike). Therefore you ideally don’t even have to write any new code, just tell OpenOwl how the new SaaS vendor works.

What do you think? Have you dealt with manually maintaining a list of users and their permissions? Could this approach get us closer to overcoming parts of the SSO Tax?
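The quarterly access-review workflow the post describes (pull per-vendor user lists, build an access matrix, compare it with last quarter, hand the result to the auditor) as an added Python example. This is not OpenOwl's code and not part of the original post; the vendor exports, the previous quarter's matrix and the HR roster are constructed sample data, and the `{"email", "role"}` shape of an export is an assumption about what a recipe would produce.

```python
"""Quarterly access-review helper (added example, not OpenOwl code).

Builds an access matrix keyed by e-mail from per-vendor user exports,
diffs it against last quarter's matrix to flag added, removed and changed
entitlements, and lists accounts that belong to nobody on the HR roster
(the joiner/leaver control an auditor asks about first).
"""
from collections import defaultdict

# Constructed sample exports: {vendor: [{"email": ..., "role": ...}, ...]}.
# The per-user shape is an assumption; real exports differ per vendor.
CURRENT_EXPORTS = {
    "notion": [
        {"email": "Alice@example.com", "role": "workspace_owner"},
        {"email": "bob@example.com", "role": "member"},
        {"email": "eve@example.com", "role": "member"},
    ],
    "github": [
        {"email": "alice@example.com", "role": "admin"},
        {"email": "bob@example.com", "role": "admin"},
    ],
}

# Constructed: the matrix signed off at the previous review.
PREVIOUS_MATRIX = {
    "alice@example.com": {"notion": "workspace_owner", "github": "admin"},
    "bob@example.com": {"notion": "member", "github": "member"},
    "carol@example.com": {"notion": "member"},
}

# Constructed: current employees according to HR.
HR_ROSTER = {"alice@example.com", "bob@example.com"}


def build_matrix(exports):
    """Return {email: {vendor: role}}; e-mails are normalised to lower case
    so the same person is not counted twice across vendors."""
    matrix = defaultdict(dict)
    for vendor, users in exports.items():
        for user in users:
            matrix[user["email"].strip().lower()][vendor] = user["role"]
    return dict(matrix)


def diff_matrix(previous, current):
    """Return (kind, email, vendor, detail) tuples for every entitlement
    that was added, removed or changed since the previous review."""
    findings = []
    for email in sorted(set(previous) | set(current)):
        before = previous.get(email, {})
        after = current.get(email, {})
        for vendor in sorted(set(before) | set(after)):
            old, new = before.get(vendor), after.get(vendor)
            if old is None:
                findings.append(("added", email, vendor, new))
            elif new is None:
                findings.append(("removed", email, vendor, old))
            elif old != new:
                findings.append(("changed", email, vendor, f"{old}->{new}"))
    return findings


def orphan_accounts(matrix, roster):
    """Accounts that exist in some SaaS tool but not on the HR roster:
    leavers whose access was never revoked, or shared/service logins."""
    return sorted(email for email in matrix if email not in roster)


def render_matrix(matrix):
    """Rows (header first) with one column per vendor, the table form
    auditors expect as evidence; '-' marks no account at that vendor."""
    vendors = sorted({v for roles in matrix.values() for v in roles})
    rows = [["email"] + vendors]
    for email in sorted(matrix):
        rows.append([email] + [matrix[email].get(v, "-") for v in vendors])
    return rows


if __name__ == "__main__":
    current = build_matrix(CURRENT_EXPORTS)
    for row in render_matrix(current):
        print(",".join(row))
    for finding in diff_matrix(PREVIOUS_MATRIX, current):
        print("REVIEW:", *finding)
    print("ORPHANS:", orphan_accounts(current, HR_ROSTER))
```

The diff is what the reviewer actually signs off on: a privilege escalation (bob gaining GitHub admin) and an unrevoked account (eve, not on the roster) show up as findings instead of being buried in a spreadsheet.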


11. kdeldy+Ek 2023-04-11 14:25:34
>>mathia+(OP)
For those wondering what the "SSO Tax" is, it refers to the excessive pricing practiced by SaaS providers to access the SSO feature on their product.

A documented rant has made the rounds at https://sso.tax , which lists all vendors and their pricing of SSO.

27. cj+ot 2023-04-11 15:03:06
>>london+lf
Google Workspace can (sort of) do this. Although after googling, looks like they’re removing support.

Basically it allowed IT Admins to “hide” the password from users logging into websites with traditional user/pass login flows.

https://support.google.com/a/answer/9178974?hl=en

38. CSDude+6N 2023-04-11 16:21:57
>>mathia+(OP)
That's what we try to simplify at Resmo. We integrate with the 80+ most popular tools a company might be using. Of course there are some we don't cover yet. Only 3 tools require a paid tier for API access. Also, we list Login with Google access data from your workspace. We give you a central place to list the users and their permissions.

https://resmo.com/saas-discovery

Then you can do `SELECT * FROM users WHERE mail = 'mustafa@resmo.com'`

39. dang+kN 2023-04-11 16:22:49
>>KyeRus+rq
Hey, could you please edit out the swipes in your comments? You've got some great points here and you obviously know what you're talking about, but the first bit and last bit really acidify what you're saying.

(To be clear: I'm not talking about the "SaaS vampires" bit - it's colorful language that's not targeting anyone in particular; it's flamebait, but not so bad that we'd post a scolding. It's the personal swipes in the first and last sentences that are the problem.)

If you could make your substantive points within the site guidelines, that would be the sweet spot. They're here: https://news.ycombinator.com/newsguidelines.html.

47. somege+R01 2023-04-11 17:24:20
>>mathia+(OP)
I think your positioning is wrong. The problem this solves is auditing user accounts in SaaS applications. That is a great problem to be solving, and you can position yourself on that! Why talk about 'SSO Tax' when this has nothing to do with SSO?

There is at least one other 'open' library for solving this problem (https://github.com/ConductorOne/baton).

However, I like how you're scraping web data for apps that don't have APIs. I've been waiting for someone to do that. That said, I want it built into other tooling I have purchased, so I don't have to implement myself.

56. shellc+6c1 2023-04-11 18:12:39
>>mathia+(OP)
Shameless self-plug for an alternative tax that affects operational security and reliability teams: https://audit-logs.tax

Understanding how your breach impacts me, or detecting how the abuse of your tools is used to impact our organizations, shouldn't cost additional money or be gated to only enterprise contracts.

Happy to take PRs for other vendors logs being added: https://github.com/shellcromancer/audit-log-wall-of-shame

58. westur+2e1 2023-04-11 18:20:09
>>mathia+(OP)
https://github.com/doncicuto/glim :

> Glim is a simple identity access management system that speaks some LDAP and has a REST API to manage users and groups

"Proxy LDAP to limit scope of access #60" https://github.com/doncicuto/glim/issues/60

67. Nezteb+zB1 2023-04-11 19:48:54
>>mathia+(OP)
As a dev who primarily uses Elixir, I was excited to see that you built OpenOwl with it!

Out of curiosity, what made you choose Elixir?

I wanted to use Elixir to build my PDF scraper (https://github.com/Nezteb/scrape-pdf) but didn't want to spend too much time figuring out how to use Playwright from Elixir, so I went with Node. I'll have to borrow some of your methods!

71. bks+7T1 2023-04-11 21:09:29
>>pwarne+AQ
Great question, and as a vendor with multiple products that suffer from an SSO tax, here is my $0.02.

As a small team we get constant requests to integrate with a customer's SAML provider; eventually we just switched to https://workos.com/pricing. We explain to our customers that we have a hard cost for the integration and we pass that cost to them directly. The SSO version of our product and our self-signup product do the same thing the same way; it's the compliance or risk management requirement mandated by our customers that requires that we sell it the way we do. In our case our SSO or Enterprise version is $125 more expensive than the self-signup product. Our money is in the product itself, not in the SSO.

78. m463+W82 2023-04-11 22:35:45
>>kdeldy+Ek
SSO: Single Sign On

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

SCIM: System for Cross-domain Identity Management

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems.

SAML: Security Assertion Markup Language

Security Assertion Markup Language (SAML, pronounced SAM-el, /ˈsæməl/) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

https://en.wikipedia.org/wiki/Single_sign-on

https://en.wikipedia.org/wiki/System_for_Cross-domain_Identi...

https://en.wikipedia.org/wiki/Security_Assertion_Markup_Lang...

(if you work at SpaceX, SSO might also mean Single Stage to Orbit, which is lots more exciting - but since Elon banned acronyms maybe it's not used)
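To make the SCIM definition above concrete: an added Python example of what the SCIM-side of user management looks like from a client, walking a paginated `/Users` collection as RFC 7644 defines it (1-based `startIndex` and `count` query parameters, a `ListResponse` body carrying `totalResults` and `Resources`) and extracting the fields an access review needs. This is not code from any project named in the thread; the directory contents and the in-memory fake server are constructed so the example runs offline, and a real client would replace `fake_scim_server` with an HTTPS call carrying the vendor's bearer token.

```python
"""SCIM 2.0 user listing with pagination (added example).

Pulls every user from a SCIM /Users endpoint page by page, validates that
each response really is a ListResponse, and reduces each user to the
attributes an access review cares about (identity, active flag, groups).
"""
import json

SCIM_LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed directory served by the fake endpoint below.
FAKE_DIRECTORY = [
    {"id": "u1", "userName": "alice@example.com", "active": True,
     "groups": [{"value": "g1", "display": "Admins"}]},
    {"id": "u2", "userName": "bob@example.com", "active": True, "groups": []},
    {"id": "u3", "userName": "carol@example.com", "active": False,
     "groups": [{"value": "g1", "display": "Admins"}]},
    {"id": "u4", "userName": "dave@example.com", "active": True,
     "groups": [{"value": "g1", "display": "Admins"},
                {"value": "g2", "display": "Finance"}]},
    {"id": "u5", "userName": "erin@example.com", "active": True},
]


def fake_scim_server(start_index, count):
    """Stand-in for GET /Users?startIndex=<n>&count=<m> (1-based index).
    Returns the JSON body a SCIM service provider would send."""
    page = FAKE_DIRECTORY[start_index - 1:start_index - 1 + count]
    return json.dumps({
        "schemas": [SCIM_LIST_RESPONSE],
        "totalResults": len(FAKE_DIRECTORY),
        "startIndex": start_index,
        "itemsPerPage": len(page),
        "Resources": page,
    })


def list_scim_users(fetch_page, page_size=2):
    """Walk the collection until totalResults is reached.

    fetch_page(start_index, count) must return the raw JSON body; keeping
    the transport injectable is what lets this run against the fake above
    and against a real endpoint without changing the paging logic."""
    users = []
    start = 1
    while True:
        body = json.loads(fetch_page(start, page_size))
        if SCIM_LIST_RESPONSE not in body.get("schemas", []):
            raise ValueError("response is not a SCIM ListResponse")
        total = int(body["totalResults"])
        resources = body.get("Resources", [])
        for res in resources:
            users.append({
                "id": res["id"],
                "user": res["userName"],
                # RFC 7643 makes "active" optional; treat absent as active,
                # which is the conservative choice for a review.
                "active": bool(res.get("active", True)),
                "groups": sorted(g.get("display", "") for g in res.get("groups", [])),
            })
        # Stop on an empty page (server defence against a bad totalResults)
        # or once the next startIndex would be past the end.
        if not resources or start + len(resources) > total:
            break
        start += len(resources)
    return users


def privileged_active(users, group="Admins"):
    """Active accounts holding the named group: the list to review first."""
    return [u["user"] for u in users if u["active"] and group in u["groups"]]


if __name__ == "__main__":
    everyone = list_scim_users(fake_scim_server)
    print(len(everyone), "users;", "active admins:", privileged_active(everyone))
```

Two details matter in practice: `startIndex` is 1-based, so an off-by-one either duplicates the first page or drops a user, and deactivated accounts (`active: false`) still appear in the listing, which is why the privileged-user check filters on the flag rather than on group membership alone.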

88. ycmimi+DN2 2023-04-12 04:42:09
>>ensign+Qr
We have built one. Our service is free for up to 25 users. Just head over to https://datawiza.com to check it out. Hope it helps you and your friends & family enjoy your self-hosted apps even more!
90. satvik+6Q2 2023-04-12 05:07:14
>>8n4vid+vP2
No, because human psychology doesn't work with "honest, transparent pricing." People will go out of their way to buy things on sale even when the total cost is higher than it would be otherwise. JC Penney famously figured this out the hard way when they cut out all of their sales [0].

[0] https://www.priceintelligently.com/blog/j-c-penny-s-pricing-...
