by gizmo 1256 days ago
Frankly, you have no chance of making a secure product if you don't have a ton of experience in this area.

For single sign on, SAML for instance, you have to get a ton right with security certificates, xml parsing, manifest rules, signing algorithms, request expiration, etc. SAML (and other single sign-on protocols) are poorly designed and any single mistake is fatal. Some SAML libraries have support for null signing for instance, which allows anybody to sign on as anybody by simply sending a null-signed response. If you don't know about this attack vector you would never think of testing for it. There are many similar SAML pitfalls and you have to think hard about all of them.

For password reset you have to think what kind of tokens you use. How and when they expire. How to protect against length extension attacks (use HMAC).

Anyway, I'm not writing this to discourage you. If you want to go for it, go for it. But enterprise SaaS software is a serious responsibility and you'll have to work hard at security even though there is no business upside to it.

1 comments
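The password-reset point above (expiring tokens, integrity via HMAC rather than a bare hash) as an added example, not code from the commenter: a stateless reset token whose payload is authenticated with HMAC-SHA256, checked with a constant-time comparison and rejected once its expiry passes. The key and timestamps are constructed for the demo; a real deployment would also store the token's nonce server-side to make it single-use.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed demo key. In production this comes from a secret store, never source code.
DEMO_KEY = bytes.fromhex("00" * 32)


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_reset_token(key: bytes, user_id: str, now: int, ttl: int = 900) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(key, payload).

    HMAC (not sha256(key + payload)) is used so that an attacker who learns a
    valid token cannot extend the payload and compute a tag for it.
    """
    claims = {"uid": user_id, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_reset_token(key: bytes, token: str, now: int):
    """Return the user id for a valid, unexpired token, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time compare: verify integrity before trusting any field.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # expired or malformed expiry
    return claims.get("uid")
```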

The obvious solution to all these problems is to not implement them yourself and use a platform like Auth0 or WorkOS.

That’s a solution only from a business perspective. Some of these SSO platforms have a “move fast break things” attitude to software development and a security track record to match.
> That’s a solution only from a business perspective.

That’s not the worst perspective to prioritize when building a B2B SaaS product.

You’re right of course about the risk / the trust you’ll have to put into a third party.