[ericalexander0]

I've built security programs at 3 companies. This is how I would solve these problems.

1. SSO everywhere. Okta if budget is no concern and Keycloak if it is.

2. Password manager for the entire company. Even if it's possible to go SSO everywhere, there are still secrets employees will need to manage. Give them a solution or they'll solve it on their own and not in a good way. I like 1Password.

3. All services use a secret solution that can broker short lived secrets and a policy that limits secret TTL to a day or less. I like HashiCorp Vault.

[jasongill]

Okta is inexpensive for small companies (our bill for 200+ employees is like, $3000 a year; it's a couple bucks per user per month). You can use Okta as a password manager as well - just add a new "application" and pick the choice for "shared username and password", which basically makes Okta's browser extension just autofill the password for the user. Works great for sites that don't have SSO as an option.

[vrosas]

Next you’re gonna tell me “send me the password over slack and then delete the message” isn’t good password security.

[nolok]

About 1, unless you have a dev team and dedicated time to make compatibility layers, you're more or less limited to whatever application and saas supports your sso of choice though, correct ?

[cj]

No, SAML is the standard these days and it’s supported nearly everywhere (where it matters). No vendor lock-in.

Although I’m not sure why you’d go with a 3rd party idp rather than just using Google Workspace (or Microsoft equivalent).