[vishnugupta]

I was heading tech and product of a SAAS software for ~15 months so writing this from that experience.

- Who is the buyer? Typically they are not same as the user of the product so understand what they look for in similar products.

- SSO, preferably SAML based.

- As for security, take care of OWASP top-10 [1] and you should be covered for app-sec.

- Implement RBAC. Make it easy to add/manage users for an admin-user.

- Setup a demo account in sandbox, fill it with data as close to real world as possible. Makes it super easy during sale pitch. You let your product talk instead of you.

- Consider multi-tenancy from right off the bat. It's hard to add it later.

- Look up your domain specific compliance requirements and build those from ground up. Some such as SOC 2 don't hurt. While at it, get a decent security vendor to pen-test your product, work with them to fix high/medium priority issues and get them to issue certificate. It builds credibility with customers.

- Reports. Typically the admins will require a bunch of reports. It's best to give them a CSV/Excel download and let them slice and dice in their spread sheet software.

- Users will make mistakes so always use soft-delete. You can always do hard-delete after a few months.

[1] https://owasp.org/Top10/

[mooreds]

Disclosure: I work for an auth service vendor.

Great feedback about knowing who the buyer is. Lots of folks think about the user, but knowing the buyer (and they are usually not the same person) is critical too.

If you are a building a SaaS, I'd recommend outsourcing your auth, since that is both critical and undifferentiated functionality.

There are lots of solutions out there. FusionAuth is one option (I work there); here's our multi-tenant guide: https://fusionauth.io/docs/v1/tech/guides/multi-tenant .

There are of course other options too. Here are some I've heard of that seem like they fit your needs (offering some combination of RBAC, SSO, and multi-tenancy), but I'd suggest doing a spike:

* clerk.dev

* workos

* supertokens

* propelauth

You could also start off with an open source solution like devise/omniauth (if building on rails) or passport.js (if building on JS). I'd only go down this path if you are familiar with the tech, as it can be difficult to configure if it is your first time, and, again, this is critical but undifferentiated functionality.

[pclmulqdq]

I'm not entirely sure I agree with this - most auth providers are very expensive, and if you don't need the full-featured offering, you are way overpaying for the engineering time to build your replacement.

If you need all the features, it's a good deal, but you rarely do unless you are building something like Notion or Jira.

Open source components (Ory) can do the basic cryptography, and if you go completely from scratch, the NIST and their European counterparts have well-written standards for how to do this, and if you follow the relevant parts of the standard, you will get something essentially perfect without the baggage.

[mooreds]

> most auth providers are very expensive

Some are, sure, but there are many that are not.

FusionAuth (again, I'm an employee) has a free community edition ( https://fusionauth.io/pricing?step=plan&hosting=self-hosting ) if you run it yourself with no limits on MAUs, SAML connections, tenants or users. Of course, we have plans that cost money because, hey, we all like to eat.

Auth0 has a basic plan that is free for 7k users. Mostly focuses on username and password, but is entirely adequate for getting started.

Ory (suggested elsewhere in the thread and by you) is OSS and free. Again, you have to operate it, which isn't free, but you get the benefits of upgrades and a team focused on auth.

Keycloak has a lot of features and is free if your run it yourself.

Supertokens has a basic plan that is free for 5k users.

There are many more, as well. And that is to say nothing of the OSS libraries (like devise/omniauth) which you can leverage.

Coding this from scratch seems like an enormous waste of time for something that is not typically a differentiator. At the least, use an OSS library or auth service and limit yourself to the features you need.

Customers pay for features, not for auth. Auth is just the front door to the application.

[pclmulqdq]

I think you're assuming that scratch coding is slower than integrating an OSS you don't know. When I was thinking about this for one project, it came close enough that I rolled my own basic auth system according to the NIST recommendations and it definitely took less time than integrating something that I didn't know (and accepting all the unknown bugs that are inevitably there).

I also don't buy the argument "don't waste time on something that is not a differentiator" - I'm going to spend time on it anyway, so I might as well spend the time in the most productive way possible. Also, I guarantee that your solution isn't bug-free, and eventually one of them is going to bite me, so that also factors into the decision about time.

The basic version of authentication is actually really simple. When you add SSO, RBAC, Oauth2, ACLs, and other stuff, it gets really complicated. People should make intelligent decisions about what they want to do here rather than just using a provider.

[mooreds]

> I think you're assuming that scratch coding is slower than integrating an OSS you don't know.

I think that depends on all kinds of factors (domain knowledge, docs of the library, etc). I think learning one or two auth libraries or frameworks will be useful to most devs, as they can re-use that knowledge repeatedly. But I get your point, sometimes rolling your own can be quicker. (And it is certainly more fun to code something up than to read up on integration docs.)

However, I think you're dismissing the long term maintainability advantages you get from using a focused library or auth server.

When a request comes in for a feature (let's change the hashing algorithm and factor of our passwords to meet new NIST standards, let's add login with LinkedIn, can we integrate using SAML), if you have the right library or auth server, it's often a configuration parameter, as opposed to code.

When there's a security issue, someone clearly owns it and has an incentive to fix it as fast as possible. Some auth servers (FusionAuth among them) pay people regularly to penetration test the system. Is that something you are going to do with your homegrown auth system?

That said, I'm glad you found a solution that works for you. Different strokes for different folks, as they say.

[braveyellowtoad]

Thanks for sharing. Do you know of any auth providers that charge based on auth event (login / logout / password change / etc) rather than per user?

[mooreds]

The big cloud providers have substantial free tiers (50k MAUs). Cognito, Firebase and Azure AD B2C all have a similar free tier. After you go through the free tier, you pay per MAU ($0.005 per MAU, according to https://aws.amazon.com/cognito/pricing/ , I think similar for the other providers. For smaller players, I think Stytch is 10c/MAU/month, where an MAU is any interaction with the Stytch service (login in all the many forms). https://stytch.com/pricing has more.

You'll have to dig a bit deeper into each pricing page to determine what actions make a user 'active'. I'm not aware of anyone who does MAU calculations on a day to day basis; monthly rollups are the standard.

Some folks charge per MAU (FusionAuth does) but in a band (the first 10k MAUs for a FusionAuth paid version are all one price).

HTH.

[braveyellowtoad]

Thank you

[sebmellen]

IMO https://ory.sh has completely changed this calculation. With the help of Ory Kratos it makes sense to roll your own auth.

[mooreds]

Do you mean to use Ory Kratos in a self-hosted manner? From a brief look it seems like you aren't rolling your own auth when you use this, but rather integrating it into your application.

What am I missing?

[sebmellen]

Kratos is not a complete Auth solution - if you self host you still need to write your own UI. We built another layer over it to handle RBAC and organization management. But at least Kratos covers all the complex crypto and security items related to authentication (not authorization, which I consider to be a part of “auth” writ large).

[mooreds]

Gotcha. There are still security concerns with the UI, but I agree, offloading the heavy lifting of password hashing, preventing enumeration attacks, and algorithm selection to a dedicated system makes sense.

Authorization is a whole other ball of wax. You can sometimes get by with RBAC, but it is far more often entangled with business logic. I've seen a set of new companies that offer outsourced authorization like permit.io and cerbos, and for an app of a certain complexity, think they are worth evaluating.

[akajla]

Building and maintaining UIs for RBAC and org management (including self-service, user-facing UIs) isn't trivial. That's why we built it into Warrant. We handle basic authz schemes like RBAC as well as fine-grained authz: https://blog.warrant.dev/introducing-the-self-service-dashbo...

[sebmellen]

We’ve found one of the biggest issue with RBAC services to be the integrations with our tech stack. Building the RBAC system ourselves helped it be congruent with our stack.

[mooreds]

That's cool. FusionAuth has a self service function: https://fusionauth.io/docs/v1/tech/account-management/ but it is limited to user profile data, rather than roles and permissions.

How do you prevent a user from assigning themselves roles they shouldn't? Is there some kind of cage preventing escalation?

[saluki]

Don't outsource your auth, auth is a solved problem for every framework worth using for the rest of your SaaS.

Don't outsource critical functionality.

[subbu]

This, totally. I manage a large B2B CRM with complex user-auth requirements and we use an off the shelf provider. It was an easy decision when we began, but now it has become a bottle neck in many ways. As your application becomes big you need a lot more customization to your auth logic. Large customers have specific customizations that off the shelf auth providers don't provide, or make it complex to implement. Over time auth and RBAC becomes crucial to your application. Engineering effort required to read through your providers documentation and implement workarounds exceeds a purpose built, native solution.

[moneywoes]

What about next js auth

[mooreds]

If it fits with your tech stack, definitely worth evaluating.

[x0x0]

Background: cofounded an enterprise saas company.

I like this coverage of tech, though it's missing soc2 which will be required. And 27001 eventually.

I disagree on making it easy for admins to add users. Just don't: rather, implement (a bit of) scim or jit user creation with the idp flows.

The big thing it's missing is sales. This software is sold not bought. In any sales process with 3 different constituencies (users who really don't matter much, a champion, and an economic buyer) you need talented sales people. Bluntly, the vast majority of b2b / midmarket or enterprise tech companies are dead without an exceptional salesperson as a founder. The reason is that you have to sell your first 10 deals while the software basically doesn't work.

Realistically, tech matters less than sales here. When you look at your risks, tech falls well below sales and execution risks, because you're highly unlikely to be building something that's never been built before. ie it's not like google, which basically was build a significantly better search engine using novel relevance tech. Almost all midmarket or enterprise saas products have no novel technology inside them. (Which is not to say that you don't have to build a high-quality implementation: you do. But "can we build this / can we make it work" is rarely a top risk.)

[moneywoes]

How did you build your sales skills and get those first 10 customers?

Like I want to Build a property saas should I start prospecting first

[x0x0]

> How did you build your sales skills

I didn't. I paired w/ a cofounder that is a fantastic salesperson. He ran gtm, I ran prodeng.

[stevesimmons]

When would you prioritise SOC2 before ISO27001? And when the other way around?

[x0x0]

I'm not an expert on this, but I'd start with a soc2 type 2. soc2 served us well in the US. Some of Europe prefers 27001, but we sold into the EU with just a soc2 in the beginning.

a soc2 is also a choose-your-own-adventure cert: you describe your processes (within constraints imposed by the goals you must achieve per the soc2 principles), and then you get audited on following your process.

[throwaway20222]

This is a really solid reply - I would emphasize “know your buyer.”

We thought we had a solution to a problem. We were told from the end users we had a solution to the problem. We thought we knew the value to those people as far as pricing for the product. But the actual buyer didn’t at all value our product the way the end user did, especially when factoring switching costs etc and it was crippling.

[bradgessler]

https://www.enterpriseready.io/ is a good starting place that enumerates most of the great points made in the parent comment.

[jollofricepeas]

I disagree.

I manage a multi-million security tools and services budget for a Fortune 20.

MY ADVICE: Focus on go-to-market strategy and value proposition before figuring out security.

REASONS:

1. We dodge salespeople like the plague. There’s a reason enterprise sales timelines are 18 months. If we don’t want you first, then expect to chase us for a year plus trying to convince us.

2. Enterprises of a decent size usually have a vendor/supplier/third party risk program. If your service is identified as low risk, then we may have little to no requirements for you. Everyone doesn’t need to provide a SOC2 Type II, align with NIST or certify ISO.

3. Mine your network for prospective enterprise design partners and build something that meets their needs. As your product grows in risk, they’ll let you know what you need to have in order to win or keep their business.

ADVICE:

- Focusing in security before you have a product is a direct route to failure.

- Providing a service that doesn’t require handling sensitive enterprise data means less requirements and quicker onboarding

[ajax33]

This is a really good list.

I head engineering for an enterprise SaaS startup in the manufacturing space. Wanted to add a few points to this:

1. Software Integrations: Enterprise software is almost never deployed in a vacuum. There will be a ton of existing software that companies use that they would want you to integrate with - most commonly being either some CRM like Salesforce or an ERP like SAP, Oracle. When pitching to a customer, it would be great to try and learn what existing software tools they use and see if opportunities exist to try and integrate with them ultimately. This will make your software very very hard for them to get rid off later and will also help distinguish you from your competitors who might try to be avoiding integrations. Designing your architecture with integrations in mind is a good idea.

2. Audit logs: Depending on the industry, there might be a strong requirement for compliance/auditing. The enterprise would want to ensure that every action undertaken on the platform is audited and can be reviewed on-demand later.

3. On-premise vs Cloud deployments: You might find certain clients that operate their own hardware and software and want you to just hand them some executable that they can deploy in their systems. On the other hand you'll also find companies that have gone all-in on cloud and won't bat an eyelid as long as you are deployed on some known cloud like Azure, AWS or GCP. Increasingly more and more companies are going the private cloud route and ask you to deploy on their cloud accounts (most commonly Azure - Microsoft has a much stronger hold on the enterprise market). Be prepared to handle requests like these. In several cases, you might be able push to have the SaaS being served from your cloud accounts but not always.

4. IT departments: Enterprise companies will invariably have an IT department that is supposed to ensure that the procurement process goes smoothly from a technical perspective and that you are compliant with all of their technical requirements. Their primary job is to ensure their asses are covered and nobody blames them later for technical/compliance issues later. Do not cut them out of the sales process. While they don't have the ability to approve the sale, they definitely have the ability to block it. Involve them closely and get their strong buy-in so that they don't become a bottleneck later.

[john_the_writer]

If you can avoid ON-premise do so. Unless you have full control. I've had a few rails apps go pear shape when the customer updates their ruby version. Then fixing the app is on me.

I spent weeks building an app, and I send it out in a nice package. 18 months later I get a call telling me it stopped working. I (being honourable) looked into the issue (free of charge). When I found out they'd updated their OS and Ruby version I bowed out. There's a line between building something and maintaining it for free for ever.

[dieselgate]

I wasn't familiar with the acronym RBAC (but certainly familiar with the concept) until web searching for it. First link was from solarwinds.. nope, found an okta link.. yep! Thanks for the well thought out list this was helpful

[twojacobtwo]

Since I had the same experience just now, it seems useful to post the answer here.

    In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control (DAC). 

https://en.m.wikipedia.org/wiki/Role-based_access_control

[dieselgate]

Thanks for the call out

[john_the_writer]

I don't agree with the multi-tenancy. I've been part of two start ups that cracked the 3 million user mark (from staff to 3 million +). They all lived happily on one postgresql database. We didn't even consider breaking the DB apart until near this point. When we did we had the income to support the staff.

I'd say don't build for scale. When you need it, you'll be making enough to pay for it. Even if you have to start over, you're income will pay the devs.

[brickers]

I took multi-tenancy here to mean that you have multiple customers on the same instance of your software, with separate user/data control, admins, configuration, etc for each customer, rather than what youve described with databases.

[mywacaday]

Some great points there. I would also add a way for business users or admins to easily review accounts and privileges and sign off on that review if you are targeting any kind of regulated industry.

[vishnugupta]

+100.

Look up maker-checker [1]. Almost all the enterprise systems require a human to review and approve changes initiated by someone else.

Even if you don't implement it right away, be aware of it and if possible build your entity/data model such a way you can add it later without turning your architecture upside down.

[1] https://en.wikipedia.org/wiki/Maker-checker

[roflyear]

Don't do soc just to do it. It's a lot of overhead if you don't need it, and your clients if they require it should give you a grace period.

[NetOpWibby]

This is excellent, thank you!