Ask HN: A good way to support SSO in bootstrapped SaaS?

[gary__]

I'm looking for an identity solution that allows me to offer SSO in a typical SAAS scenario:

-Multitenant support where tenants can be created in an automated fashion

-Allows SSO to be setup back to a tenant's own identity provider (saml2)

-There could be between 2 and 300 users per tenant. I'd be happy to have 3 tenants with 20 users each to begin with.

-No real need for logins to link to multiple tenants

Auth0 is expensive for this relative to where I am at. I'm on the .net core stack where identityserver4 is often used, but some of the (java) based offerings appear to come with more out of the box (for free). In saying that, integration with SAAS of this nature looks to complicate things. So I'd appreciate any advice from HN's experience on the options available.

[quickthrower2]

I rolled my own at work based on https://github.com/displayr/AspNetSaml which I forked from https://github.com/jitbit/AspNetSaml

There is a PR to make it work with .NET core at the moment.

Once you understand the protocol it’s a case of storing some fields relating to the IdP in your database, for each tenant. Redirect to the IdP website and they’ll redirect back to you and post a signed XML doc to daub Joe is authenticated and belongs to these groups.

[gtsteve]

I gave this code a quick skim and it seems reasonably well thought out and I wish I'd seen it before I rolled my own at work. There are numerous security flaws that one can accidentally introduce with SAML and it seems you've avoided the obvious ones at the very least (i.e. not checking there's only a single assertion, etc).

Just in case you weren't aware of it, I found this page very helpful when developing mine: https://github.com/OWASP/CheatSheetSeries/blob/master/cheats...

[quickthrower2]

Thanks. I can’t take too much credit: Jitbit did most of that work, I added some integration testing and added a couple of methods.

[mariushn]

Unless I'm misunderstanding your needs, why wouldn't http://www.passportjs.org/ work? I've used it successfully for Google & Facebook signup/signin.

It has SAML support and I guess one of these packages could be customized to your needs? http://www.passportjs.org/packages/

[dmarlow]

I highly recommend ComponentSpace SAML SSO. There is a cost, but well worth it, imo. It's well maintained, support and forum available, fast responses, etc. I tried a few OSS, but they had some limitations that I couldn't get around in a short timeframe.

[avitzurel]

Used Auth0 before with great success. They support SSO and everything you need.

[edit] The right name this time