Hi, I'm the founder of RoleUp. It's a simple identity management service for small to medium teams that don't want to deal with LDAP or complex identity providers.
We have about 20 integrations right now, but we'll be adding many more over the next month.
Let me know what you think or if you have any questions.
You could do that; it's just way more complicated to set up and maintain.
TBH, I basically got the idea for this after spending most of a day trying and failing to get Okta to work. Not to mention the vagueness of their pricing.
I'm sure Okta is great for large companies, but it's just way too much complexity for what should be a rather simple problem for small teams.
For the teams I've led, all I've wanted is a simple service that lists the accounts in each SaaS and allows you to create and remove accounts.
It can sync as many accounts as you have in the integrations you connect. The billing is done based on usage, so you only pay for what you use. It's $0.60 USD per synced account per month.
Looks nice, and solves a problem. But you're entering a really difficult niche against strong competition from auth0 and Okta.
Personally, I'm a "roll your own auth" kinda guy. I have trouble justifying offloading a core part of my infrastructure to a third party, especially if it has a per-user cost and I have a free tier or am not charging users.
If I were to choose "buy" in the "build vs. buy" of an auth system, it would be for internal apps only. My number one criterion would be finding a reliable provider that will still exist in five years. Based on that, if I'm choosing between Roleup, Okta and auth0... I'm not going to go with Roleup. And even if there are some awesome features you have that they don't, you don't have a free tier to try them out.
Here are my suggestions:
- Eliminate the free trial and replace it with a free tier (something like free for your first 1000 users). Let me sign up immediately, and funnel me to the dev docs. Do not make me confirm my email before I can even see anything.
- Find a way to differentiate from Okta/auth0 beyond "we're simpler than them because we're missing so many of their features." You can't compete on features right now; their products are just far too developed. But you can differentiate on price. Their biggest weakness is per-user pricing. Would-be entrepreneurs see that, imagine their successful product, and extrapolate how much it'll cost them 2 years down the line. Play into those hopes; show them that your service will never cost more than a few hundred a month.
- Consider offering a self-hosted version. There are many approaches to pricing/licensing for this.
- Consider open sourcing core parts of the implementation (maybe everything except the dashboard), or making a commitment that you'll open source the code if you ever shut down the company.
- Focus on authentication for internal apps where 100% uptime 24/7/365 is not as critical a feature as it is for user-facing apps.
- Target the marginally tech-savvy founders of fast-growing, small startups who have a bunch of internal tools made by contractors and want to make some kind of admin dashboard for them.
- Build out integrations in as many languages as possible (things like a passport.js strategy for logging in via Roleup).
- Make it clear what "integration" means in the context of Roleup on your landing pages. For SEO, you probably want a landing page per integration. For each one, show screenshots of the integration and of using it. This page [0] is great, but it's still unclear to me what "integration" means in this context. Does an integration with Zoom mean I can use my Zoom account to log into an internal app via Roleup? Or does it mean I can use my Roleup account to authenticate with Zoom? What does the process look like for devs, and for users? (EDIT: Just saw you have this for Slack. I could barely see the "Details" link FWIW. Bring this info forward!)
- Set up at least one demo administration node (maybe more if you want to automate setting up for users) pre-filled with data. Make "try demo" your landing page call-to-action. Give the user a functioning admin dashboard with a bunch of accounts that resets its data every hour. Make sure the demo shows how it works for both admins and users.
- Give people reason to trust you with their most sensitive credential data. You're a brand new company run by one person -- why should I let you handle my users' credentials? Where is the security documentation? About page? Who are you? Why should I trust you?
Before I respond to the individual stuff, I'll define some of the functionality because you rightly point out that it might be a bit vague.
At a high level, RoleUp uses OAuth or API keys to connect to different services and pull in the details of all the user accounts it finds. Depending on the service, each integration can:
- list accounts
- create/remove accounts
- list memberships of those accounts (any groups, teams, orgs, etc)
- list the roles of those accounts (developer, admin, owner, cloud-function:viewer, etc)
Then those accounts are grouped by email into identities that you can manually adjust if you want.
But it doesn't provide an identity service itself, I don't offer single-sign on. I just help with managing accounts and onboarding/offboarding people.
In terms of security, all credentials are encrypted at rest, and in transit, and only decrypted by the application immediately before being used to call the target service. On top of that, it uses Google's KMS for key management, and all keys in the system are auto-rotated every 30 days.
- In terms of cost, my initial thoughts were that it would be easier for the customer to manage if it's just an inexpensive usage-based plan, rather than having the whole thing randomly stop working when they cross the threshold of some tier.
- That said, I see what you are saying. Firstly, people expect a tiered model, and without that, it's a bit scary because they can't visualize the cost. Also, even if their whole shop is going to cost them only $10 a month in usage, they won't know that until they sign up and get the bill. So a free tier, with a limited middle one and an unlimited upper one, would probably be best.
- Definitely had considered the self-hosted option, but kicked that can down the road. It wouldn't be too difficult at this point though. It can work with basically any DB the way it's written and requires minimal resources.
- Open source too is fine. If anything, maybe preferred for me tbh.
- In terms of "auth for internal services", I think that's a point of confusion. I tried to summarize at the beginning.
- And yeah, already on the demo idea. I need a lower barrier to allowing people to try it out.
- Good point about the integrations, I was relying on people trying it to see how it works, but I can see why that's too high a bar.
- And I thought about the security page, but had not gotten to it. It's something I put a lot of thought into, and I was going to do a sort of technical series of blog posts on the subject to show the architecture and the choices I made. But you're right. Even just a simple page explaining that everything is encrypted with auto-rotating keys would be useful.
- Another thing I considered in order to deal with the security concerns is to just 100% end-to-end encrypt all user data and credentials. It wouldn't actually require too much modification to how the system is designed, but it would mean that syncing could only happen if an admin was logged in and provided the key, or if they made their key available via a webhook or something.
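The founder's reply above describes the core loop: each integration lists accounts (with roles and memberships), and those accounts are grouped by email into identities that feed onboarding/offboarding. The block below is an added example of that reconciliation step, not RoleUp's code; the `Account` shape, the service names, the sample accounts and the HR roster are all constructed for illustration. It groups accounts by normalized email, keeps email-less accounts (bots, service accounts) in a separate bucket for manual review rather than silently dropping them, and then produces the two lists an offboarding reviewer actually wants: identities that still hold accounts but are no longer on the roster, and identities holding privileged roles.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed account shape for the example; a real integration would
# populate this from the SaaS API (via OAuth or an API key).
@dataclass(frozen=True)
class Account:
    service: str
    account_id: str
    email: Optional[str]
    roles: Tuple[str, ...] = ()
    memberships: Tuple[str, ...] = ()

@dataclass
class Identity:
    key: str                      # normalized email, or an "unmatched:" marker
    accounts: List[Account] = field(default_factory=list)

# Assumed set of role names treated as privileged; adjust per service.
PRIVILEGED_ROLES = {"admin", "owner"}
UNMATCHED_PREFIX = "unmatched:"

def normalize_email(email: Optional[str]) -> Optional[str]:
    """Lower-case and trim. Deliberately does NOT strip '+tags' or dots:
    those can be distinct mailboxes on some providers, so merging them
    could attach one person's accounts to another identity."""
    if email is None:
        return None
    cleaned = email.strip().lower()
    return cleaned or None

def group_into_identities(accounts: List[Account]) -> Dict[str, Identity]:
    """Group accounts by normalized email. Accounts with no usable email
    get their own identity keyed by service + account id so they still
    show up for manual review instead of vanishing from the report."""
    identities: Dict[str, Identity] = {}
    for acct in accounts:
        key = normalize_email(acct.email)
        if key is None:
            key = f"{UNMATCHED_PREFIX}{acct.service}:{acct.account_id}"
        identities.setdefault(key, Identity(key)).accounts.append(acct)
    return identities

def offboarding_report(identities: Dict[str, Identity], roster: List[str]) -> Dict[str, dict]:
    """Compare identities against the current staff roster.
    orphaned:   identities with a real email that is not on the roster
    privileged: identities holding any privileged role, per service
    unmatched:  email-less accounts that need a human to assign them"""
    roster_keys = {normalize_email(e) for e in roster} - {None}
    orphaned: Dict[str, List[Tuple[str, str]]] = {}
    privileged: Dict[str, List[Tuple[str, str]]] = {}
    unmatched: Dict[str, List[Tuple[str, str]]] = {}
    for key, ident in identities.items():
        held = [(a.service, a.account_id) for a in ident.accounts]
        if key.startswith(UNMATCHED_PREFIX):
            unmatched[key] = held
        elif key not in roster_keys:
            orphaned[key] = held
        priv = [(a.service, r) for a in ident.accounts
                for r in a.roles if r.lower() in PRIVILEGED_ROLES]
        if priv:
            privileged[key] = priv
    return {"orphaned": orphaned, "privileged": privileged, "unmatched": unmatched}

# Constructed sample data: three SaaS integrations plus an HR roster.
SAMPLE_ACCOUNTS = [
    Account("github", "u1", "Alice@Example.com", roles=("owner",), memberships=("org:acme",)),
    Account("slack", "U01", "alice@example.com", memberships=("#eng",)),
    Account("github", "u2", "bob@example.com", roles=("developer",)),
    Account("gcp", "bob-svc", "bob@example.com", roles=("cloud-function:viewer",)),
    Account("zoom", "z9", "carol@example.com", roles=("admin",)),   # carol has left
    Account("slack", "B02", None),                                  # bot, no email
    Account("gcp", "deploy-bot", "", roles=("owner",)),             # service account
]
ROSTER = ["alice@example.com", "Bob@example.com"]

def run_sample_report() -> Dict[str, dict]:
    return offboarding_report(group_into_identities(SAMPLE_ACCOUNTS), ROSTER)

if __name__ == "__main__":
    for section, entries in run_sample_report().items():
        print(section)
        for key, items in entries.items():
            print(f"  {key}: {items}")
```

The two checks are the ones that matter operationally: an orphaned identity is an ex-employee who can still log in somewhere, and the privileged list is the set of accounts where a missed removal does the most damage (here the email-less `deploy-bot` owner on GCP surfaces in both the unmatched and privileged sections, which is exactly the kind of account a per-service view tends to hide).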