by timetopay 846 days ago
One thing that SSO isn't great at is deactivating live sessions. Often, you either solve this with short session times (annoying to users), making a note in the de-provisioning steps document (not foolproof), or using a third party vendor (costly).
2 comments

Sure it is; this problem has been solved for a long time: SCIM. Any modern IdP should support SCIM, and if the app doesn't, I'd question using it at all.
Me: "We should use SCIM, our IdP and our app both support it."
PM: "No, that's too complicated, we'll roll our own provisioning and never worry about de-provisioning because they won't be able to log in due to SAML anyway!"

I can't tell you how many times I've had that conversation... but I'd need at least both hands and a foot.
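
To make the point of the thread above concrete, here is an added example (not code from the original post or from any product mentioned): an in-memory app with SAML-gated login, a daily session TTL, and a minimal SCIM 2.0 `PATCH`/`DELETE` handler. Removing the user at the IdP blocks new logins but leaves an existing session alive until it expires; the SCIM deactivation revokes it immediately. The user store, session table, and IdP assignment set are constructed stand-ins, not a real framework API; the handler accepts both the RFC 7644 `path: "active"` patch and the `value: {"active": "False"}` shape that Entra ID is known to send.

```python
"""Deprovisioning via SCIM 2.0 that also revokes live sessions.

Constructed example: dicts stand in for the app's database. No real
IdP or web framework is involved; the handler functions return the
(status, body) a /Users endpoint would send.
"""
import json
import secrets
import time

USERS = {}          # scim_id -> {"userName": str, "active": bool}
SESSIONS = {}       # session token -> {"user": scim_id, "expires": epoch seconds}
IDP_ASSIGNED = set()  # users the IdP will still issue SAML assertions for

SESSION_TTL = 24 * 3600  # the "sign in again every day" compromise
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def provision_user(scim_id, user_name):
    """SCIM POST /Users (simplified): create the user and assign it at the IdP."""
    USERS[scim_id] = {"userName": user_name, "active": True}
    IDP_ASSIGNED.add(scim_id)


def saml_login(scim_id):
    """Login gated by the IdP: only succeeds if the IdP still asserts the user."""
    if scim_id not in IDP_ASSIGNED or not USERS.get(scim_id, {}).get("active"):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": scim_id, "expires": time.time() + SESSION_TTL}
    return token


def session_is_valid(token, now=None):
    """What every authenticated request checks: token exists and has not expired."""
    s = SESSIONS.get(token)
    if s is None:
        return False
    return (now if now is not None else time.time()) < s["expires"]


def revoke_sessions(scim_id):
    """Kill every live session for the user; returns how many were removed."""
    doomed = [t for t, s in SESSIONS.items() if s["user"] == scim_id]
    for t in doomed:
        del SESSIONS[t]
    return len(doomed)


def _scim_error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def _op_deactivates(op):
    """True if a PatchOp operation sets active=false, in either common shape."""
    if str(op.get("op", "")).lower() != "replace":
        return False
    value = op.get("value")
    if (op.get("path") or "").lower() == "active":        # RFC 7644 style
        return str(value).lower() == "false"
    if isinstance(value, dict) and "active" in value:      # Entra ID style
        return str(value["active"]).lower() == "false"
    return False


def scim_patch_user(scim_id, body):
    """PATCH /Users/{id}: apply deactivation and revoke sessions in the same step."""
    if scim_id not in USERS:
        return _scim_error(404, "Resource %s not found" % scim_id)
    try:
        patch = json.loads(body)
    except ValueError:
        return _scim_error(400, "invalid JSON")
    if PATCH_SCHEMA not in patch.get("schemas", []):
        return _scim_error(400, "missing PatchOp schema")
    for op in patch.get("Operations", []):
        if _op_deactivates(op):
            USERS[scim_id]["active"] = False
            revoke_sessions(scim_id)   # the step the "SAML will block them" plan skips
    return 200, {"id": scim_id, "active": USERS[scim_id]["active"],
                 "userName": USERS[scim_id]["userName"]}


def scim_delete_user(scim_id):
    """DELETE /Users/{id}: 204 on success, and no session survives the user."""
    if scim_id not in USERS:
        return 404
    revoke_sessions(scim_id)
    del USERS[scim_id]
    return 204


if __name__ == "__main__":
    provision_user("u1", "alice@example.com")
    tok = saml_login("u1")
    IDP_ASSIGNED.discard("u1")                     # IdP-only deprovisioning
    print("login blocked:", saml_login("u1") is None,
          "session still valid:", session_is_valid(tok))
    scim_patch_user("u1", json.dumps({"schemas": [PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}]}))
    print("after SCIM patch, session valid:", session_is_valid(tok))
```

The `session_is_valid` check is deliberately the only thing an authenticated request consults: once the session exists, the IdP is never asked again, which is why unassigning the user at the IdP alone changes nothing until `SESSION_TTL` elapses.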

This is why most SSO forces you to sign in again every day. So frustrating!
SCIM adoption isn't near where it needs to be. I guess yeah, this is the correct answer. We live in a world where SSO is considered an enterprise feature, I hope one day that it's considered default.
Shameless plug for my startup (hope that's ok!)

If you're building an app and need to add SCIM, check out WorkOS. My email is in my profile to chat.

More info -> https://workos.com/directory-sync

$125 per connection / month and then you wonder why companies don't offer SSO/SCIM by default in their free/cheap plans.
(I work for a competitor in the same space as grinich.)

Charging for SCIM is a convenient way to segment customers, the same way SLAs are. For companies that care deeply about controlling user access (or are forced to by law or a regulator), that isn't much money.

Features like this subsidize the free/cheap version, which you can then offer to let folks learn about and love your software, and use it. After all, you can replace SCIM with careful manual processes until you get to a certain size.

It's similar to the SSO tax: https://sso.tax/

I'm not aware of a scim.tax site, but maybe there should be one? :)

> Charging for scim is a convenient way to segment customers

It’s also a convenient way to keep charging non-SCIM customers for unused licenses when they inevitably forget to manually nuke accounts belonging to leavers.

Agreed. And most apps have it locked to the most expensive level.

Slack, to their credit, offers this at the business+ tier: https://api.slack.com/admins/scim

>...using a third party vendor (costly).

I promise we're not _that_ costly.

But yes, having built a Slack bot/Slack OAuth integration myself and dealing with it at my $CURRENT_CO (stytch.com), Slack is a service you have to be very careful with. They offer a very powerful API and permissioning model, but it can be nerve-wracking.