Hacker News new | ask | show | jobs
by atilla_bilgic 806 days ago
Her are my two cents.

For all type and size of the businesses, having an IAM governance is important. This way password policies can be set up and enforced.

When the SaaS landscape starts growing, this governance becomes more important and mission critical. The attack surface of the business expands with the number of passwords needed to manage by the employees.

In the above picture SSO brings significant relief to IT and Finance managers with less management hassle and reduced risk scores on the business side.

For the employees, SSO integrations gives more streamlined and smooth experience.
1 comments
7bit 806 days ago
Not only password policies, but authentication policies as a while. For example, the location from where you may authenticate, or the times, the IP address ranges, the device you're using, and so on.

It is also important for user account lifecycle. If a user joins or leaves the company, IT need to be able to grant or revoke access without having to go on an individual account hunt.

If a service does not offer SSO (or a good implementation of it, because most services seem to follow some YouTube guide in how to add SSO - it's that bad) our policies forbid us from buying it.

link
swaptr 806 days ago
Interesting. How do you analyze if a SSO implementation is good or not?
link
7bit 806 days ago
Check if they follow the specs. Especially with SAML, I've found many, many implementations that are just broken. Such es logging a user out of the IdP after idling, when they should just revoke the session for their SP.

Another good one is when they INSIST on using an email address for the name-id. These things change, so let me PLEASE use an immutable I'd ... That's already close to not getting accepted because it invites problems.

Another one being Auto-Provision ing not being implemented, needing an additional user sync. This also contributes to not getting accepted.

If an SP does not implement certificate rollover, it's getting an Instant NO!

But to be fair, Microsoft's IdP side has some flaws as well, which is annoying.

link
ezekg 805 days ago
And people complain about an SSO tax...
link
7bit 804 days ago
Rightfully so.
link