Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tptacek 2 days ago

I support SSO as well, and have in previous roles, and support costs did not drive SSO pricing.

One way you can see this is the case is that there are stiff SSO taxes from some vendors who don't even do custom SSO, just OIDC.

The major identity support cost is 2FA, because people constantly lose it, and you need to design and manage an account recovery process.

haswell 2 days ago | parent | next [-]

To add an anecdote from the other perspective, I was the PM for the authn/z capabilities of a big enterprise platform.

SSO was one of the greatest support burdens due to the numerous protocols we supported and the vast array of sometimes bizarre, often complex auth environments across the customer base.

The biggest hidden cost came from the complete lack of consistency in auth implementations from 3rd party vendors, i.e. it wasn’t enough to implement the SAML/OIDC/etc specs, because many of the systems our customers wanted to connect with had not implemented to spec.

This is all prior to dealing with 2FA which was definitely another major factor.

tptacek 2 days ago | parent | next [-]

If you just supported OIDC, you'd still have upcharged for it, at least unless you had an ideological reason not to (we don't, for ideological reasons, but I sort of rue that decision).

haswell 2 days ago | parent [-]

I realize in retrospect my comment was probably confusing as written.

The company didn’t charge extra for SSO despite the support cost, also for ideological reasons. But they were also singularly focused on large enterprise customers so it was table stakes. Plenty of other platform modules to upsell.

My point was mostly to highlight that it can be costly for a bunch of reasons.

Too a day ago | parent | prev [-]

But with SSO you can offload all the 2FA handling to the IdP.

haswell a day ago | parent [-]

Most customers did. But due to a wide variety of customer types and various hybrid auth environments, we had to support 2FA directly in-platform as well.

There were also privilege elevation scenarios to consider, e.g. to access highly sensitive data, the current authenticated user must enter a 2nd factor to continue.

Marsymars 2 days ago | parent | prev | next [-]

> The major identity support cost is 2FA, because people constantly lose it, and you need to design and manage an account recovery process.

Some of this is self-inflicted, e.g. a few of my banks only support 2FA via their own apps, so while I'd never lose my TOTP code, it's a hassle every time I lose my phone. (Or it breaks, is stolen, etc.)

Aeolun 2 days ago | parent | prev [-]

But for enterprise SSO they get to handle all that right? That’s a pure win for your support burden.

tptacek 2 days ago | parent [-]

Yes, that's my point.