[nickmyersdt]

One of the things my business needs, but I cannot find a SaaS solution for is:

Multi-tenant (each of my customers gets a fully separate directory, with access to all tenants for our admins)

SAML and OAuth (customers can set up SAML themselves via the SaaS interface, or we set the SP up for them)

Rule based group assignment based on SAML attribute evaluation (e.g. assign users to this group if the attribute X = Y)

APIs to manage users, groups, organisations (tenants)

We've built something using Okta, but all our customer users are in one Directory/Tenant.

Auth0 nearly gets there with Organisations but can't help with the sub-groups and rule based management.

For context, we have an education product and customers are districts or schools, and the sub-groups are typically schools and/or classes or groups of users (e.g. seniors or juniors).

We also need to support SAML Federations like InCommon, OpenAthens, UK Access Management Federation which makes the challenge harder (these federations want a single SP to which many IDPs authenticate) for Universities. None of the modern platforms support this.

If anyone has found an out of the box solution for this, I'd love to hear about it.

[mooreds]

Disclosure, I work for FusionAuth.

> Multi-tenant (each of my customers gets a fully separate directory, with access to all tenants for our admins)

Yup.

> SAML and OAuth (customers can set up SAML themselves via the SaaS interface, or we set the SP up for them)

You'd have to build an interface using our APIs for this. Not available out of the box, but we do have it in the general roadmap (https://github.com/fusionauth/fusionauth-issues/issues/91 is the tracking issue).

> Rule based group assignment based on SAML attribute evaluation (e.g. assign users to this group if the attribute X = Y)

You could do this with Lambda HTTP Connect (a paid feature) or webhooks (a free feature. https://fusionauth.io/docs/v1/tech/lambdas/#using-lambda-htt... has more

> APIs to manage users, groups, organisations (tenants)

Yup.

> SAML Federations like InCommon...

Hmmm. We have an open issue for supporting this, but I'm not sure what is involved. If it is straight SAML, it should work, but SAML is pretty ... multi-facted so testing would be needed.

[nickmyersdt]

Yeah, we're looking at webhook type solutions but that puts the clever stuff "outside the box" which we're paying for. Okta's group rules do exactly what we want but we can't do the multi-tenant stuff and it doesn't do the SAML Federation side of things.

The SAML Federation one is where all the modern SaaS fall short. Its still SAML but it involves:

All the metadata for 100s of IDPs being downloaded and made available to enable

Publishing the SP metadata to the federation(s) which may involve fees.

Specific rules around metadata (attributes) being released and adhered to.

And if your directory insists on having an email addresses for a user, that might be an issue.

There's a reason why Higher Education businesses have cropped up around doing SAML Federation.

I have had a trial of FusionAuth, and it was great, just didn't solve enough of our pain points to justify a migration.

[mooreds]

Thanks for the feedback!

Sounds like the SAML federation is pretty education focused, so maybe FusionAuth isn't a good fit. Maybe something more open source like Shibboleth would help? Seems like a tough spot, hope you find something.

I went to a talk by Heather Flanagan[0] about how the browser third party cookie changes are going to impact the education space, and the education sector does have some special requirements.

I will say that we do sometimes move items on our roadmap around and can prioritize certain features. This requires a customer to commit to contract of a certain size, of course. Our sales people would love to chat if this is you :) .

0: https://www.youtube.com/watch?v=7L4Atm9FEBw

[brooksnaylor]

Hey! Full disclosure I work at PropelAuth, and unfortunately it doesn't look like we would meet all these needs, which is a bummer since it looks like we could help with most of it (multi tenancy, UIs for your customers to set up SAML, etc). We have the same problem as Auth0 though, and don't currently have sub-groups within organizations out of the box.

I am really curious to hear more about what a good solution there looks like to you?

[hden]

Auth0's Fine Grained Authorization is in developer preview.

https://auth0.com/developers/lab/fine-grained-authorization

[nickmyersdt]

Thank you, will keep an eye on it. Auth0 is definitely the closest I've seen to what my business needs (and I've spent waaay to much time one trials and demos of too many products so far).

If it would:

a.) Perform group assignment based on SAML attributes (like Okta's group rules), and, b.) "natively" support SAML Federations used in the Higher Education space (which Shibboleth appears to be the only thing that supports)

I'd sign up tomorrow and start migration of my 150k users.

[akajla]

What we're building at Warrant (https://warrant.dev/) might work for a lot of what you mentioned including APIs to build and manage multi-tenancy, groups, users, orgs/tenants.

Note - Warrant is an authz engine so it doesn't handle authn/identity/SSO but can plug-in with any authn system.

[jhogendorn]

Would fusionauth meet all these needs?

[nickmyersdt]

Unfortunately not. It's capabilities are good but missing the same as the other popular options. So it can do everything our current platform can, but we need extra "stuff" to justify the migration.

[mooreds]

I work for FusionAuth and responded to your comment elsewhere.

Would love to know what particular things FusionAuth lacked, or what is a dealbreaker. Based on your requirements, I didn't see any issue, but maybe I'm missing something?

My email is in my profile if you'd prefer to use that.

[adambrauer]

Have you checked out Frontegg?

I think it checks all your boxes :)

[nickmyersdt]

A new one to me, will check it out, thanks.

[adambrauer]

let me know if you want to connect directly adam.brauer@frontegg.com