
Ask HN: How to handle user management for a SaaS without SAML support? - andygrunwald
As a company, the usage of various SaaS is quite common (e.g. DockerHub, Github, Google Analytics for techblogs, ...).
Some of those services offer auth interfaces like SAML (LDAP, Active Directory). Github is one. Some services offer nothing in this direction. DockerHub is one.

Often the usage of a private account (eg in Github) makes sense to keep history, resume and so on. Even Google is doing this. See https://opensource.google.com/docs/github/#accounts

The issue here: You are not able to get a mapping to the employee because their username, email or avatar can be quite weird/different.

The big issue appears when the employee is leaving the company. That is the main reason for this Ask HN.

I "dream" of a kind of engineers' self service center.
A web ui that has several "plugins". Each plugin related to one service (Github, Dockerhub, GA for techblog and so on).
Every person who wants to see the analytics of the techblog requests access via this web ui. In the background a mapping between their google account and the company email / employee identifier is maintained. And the user is connected to your GA account via an API call to google. This could be done with various services.
In the background a cronjob is running and asking the LDAP / Active Directory if this user is still active (I assume that when an employee is leaving, the AD account is disabled/deleted). If the user is not active anymore, access on all services will be revoked automatically.

I think that this problem is faced by many companies.
Maybe this is a free startup idea.

How do you deal with this in your company? Or what solution do you use / suggest / refer to?
Or is there already an open source version of my dream service center?
Or any reason why this is a dumb idea and you have a better alternative in mind?
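
The cronjob-plus-plugins design sketched above, as an added example (not code from the original post): the AD snapshot, the employee-to-account mapping and the per-service "plugins" are constructed in-memory stand-ins, and the AD status check is the ACCOUNTDISABLE bit of userAccountControl (0x2), which is what a disabled account carries. The mapping is keyed on the AD objectGUID rather than on email or username so that renames don't break it, and the reconciler returns a report and exits non-zero on any failed revocation instead of failing silently.

```python
"""Offboarding reconciler for SaaS accounts that have no SAML/SCIM hook.

Added example, not code from the original post.  DIRECTORY, MAPPING and the
revoke_* plugins are constructed stand-ins; a real run would query LDAP/AD
and call each vendor's API in their place."""
import sys

ACCOUNTDISABLE = 0x0002   # bit in AD's userAccountControl attribute
NORMAL_ACCOUNT = 0x0200

# Constructed directory snapshot: objectGUID -> attributes.
DIRECTORY = {
    "guid-alice": {"mail": "alice@example.com", "userAccountControl": NORMAL_ACCOUNT},
    "guid-bob":   {"mail": "bob@example.com",   "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    # guid-carol was deleted from the directory entirely (no entry)
}

# Constructed mapping maintained by the self-service UI:
# objectGUID -> {service: external account name on that service}.
MAPPING = {
    "guid-alice": {"github": "alice-oss", "dockerhub": "alice"},
    "guid-bob":   {"github": "bobbybuilder42"},
    "guid-carol": {"github": "c-w", "dockerhub": "carolw", "ga": "carol.personal@gmail.com"},
}

# Constructed stand-ins for the vendors' membership state.
GITHUB_ORG_MEMBERS = {"alice-oss", "bobbybuilder42", "c-w", "someone-else"}
DOCKERHUB_TEAM = {"alice", "carolw"}


def revoke_github(username):
    GITHUB_ORG_MEMBERS.discard(username)   # idempotent: a re-run must not error on "already gone"


def revoke_dockerhub(username):
    DOCKERHUB_TEAM.discard(username)


def revoke_ga(email):
    # Simulates a vendor API call that fails; the reconciler must surface this.
    raise RuntimeError("simulated Google Analytics API error: 403 insufficient permissions")


PLUGINS = {"github": revoke_github, "dockerhub": revoke_dockerhub, "ga": revoke_ga}


def is_active(guid, directory):
    """A deleted account and a disabled account are both 'not active'."""
    rec = directory.get(guid)
    if rec is None:
        return False
    return not (rec["userAccountControl"] & ACCOUNTDISABLE)


def reconcile(directory, mapping, plugins):
    """Revoke every mapped account of every inactive employee.

    A mapping entry is dropped only when all of its revocations succeeded,
    so a failed one is retried on the next run and is listed in the report."""
    report = {"revoked": [], "failed": []}
    for guid, accounts in list(mapping.items()):
        if is_active(guid, directory):
            continue
        all_ok = True
        for service, account in accounts.items():
            try:
                plugin = plugins[service]           # KeyError if no plugin exists for the service
                plugin(account)
                report["revoked"].append((guid, service, account))
            except Exception as exc:                # any failure is recorded, never hidden
                all_ok = False
                report["failed"].append((guid, service, account, f"{type(exc).__name__}: {exc}"))
        if all_ok:
            del mapping[guid]
    return report


if __name__ == "__main__":
    result = reconcile(DIRECTORY, MAPPING, PLUGINS)
    for item in result["revoked"]:
        print("revoked", *item)
    for item in result["failed"]:
        print("FAILED ", *item, file=sys.stderr)
    sys.exit(1 if result["failed"] else 0)   # a cron job has to exit non-zero for anyone to notice
```

Run as a cron job, the non-zero exit plus the retained mapping entry for the failed service is what keeps a broken vendor API from turning into a silently still-active account.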
======
caseysoftware
The official terminology for this is "provisioning" and "deprovisioning" or
overall "lifecycle management" and is a pain for lots of companies in lots of
different contexts.

 _For example, when I left [then startup, now publicly traded] in Nov 2013, it
took them 15+ months until they turned off my Github access.. in the meantime,
I had access to all the private repositories. (Yes, I notified them multiple
times.)_

SAML is pretty widely supported but yes, it's a pain. SCIM[0] is a less painful
approach for the provisioning side and maps to the API mindset better.
Unfortunately, it hasn't seen mass adoption so far but I think we'll get there
as more people understand it and/or realize that companies will pay for it.
But you'll still need SAML or OIDC for the SSO piece.

I _do_ think there's a business need for this which is why I joined Okta in
2016, which does exactly this. I'll refrain from a sales pitch but you can
explore it on your own[1].

0 - [https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management)

1 - [https://developer.okta.com/signup/](https://developer.okta.com/signup/)

edit: clarified SAML vs SCIM
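
The SCIM deprovisioning exchange the comment refers to, as an added example (not from the comment, and not Okta's code): the IdP side looks the user up by userName and then sends a PATCH setting active to false, which is the RFC 7644 PatchOp shape. ToySCIMServer is a constructed in-memory stand-in for the SaaS endpoint; it skips HTTP, URL-encoding of the filter and bearer-token auth, and only implements the two calls this exchange needs.

```python
"""SCIM 2.0 (RFC 7644) deprovisioning: IdP-side client against a toy service provider.

Added example.  ToySCIMServer is a constructed stand-in; handle(method, path,
body) replaces the HTTP round trip."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"


class ToySCIMServer:
    """Service-provider side: only GET /Users?filter= and PATCH /Users/{id}."""

    def __init__(self):
        self.users = {}  # SCIM id -> resource

    def seed(self, user_name, external_id):
        uid = str(uuid.uuid4())
        self.users[uid] = {"schemas": [USER_SCHEMA], "id": uid, "externalId": external_id,
                           "userName": user_name, "active": True}
        return uid

    def handle(self, method, path, body=None):
        m = re.fullmatch(r'/Users\?filter=userName eq "([^"\\]*)"', path)
        if method == "GET" and m:
            hits = [u for u in self.users.values() if u["userName"] == m.group(1)]
            return 200, {"schemas": [LIST_RESPONSE], "totalResults": len(hits), "Resources": hits}
        m = re.fullmatch(r"/Users/([^/?]+)", path)
        if method == "PATCH" and m:
            user = self.users.get(m.group(1))
            if user is None:
                return 404, {"schemas": [ERROR], "status": "404", "detail": "no such user"}
            if not body or body.get("schemas") != [PATCH_OP]:
                return 400, {"schemas": [ERROR], "status": "400", "scimType": "invalidSyntax"}
            for op in body.get("Operations", []):
                # RFC 7644 3.5.2.3: a "replace" with no "path" carries a dict of attributes.
                if op.get("op", "").lower() == "replace" and "path" not in op:
                    user.update(op["value"])
            return 200, user
        return 404, {"schemas": [ERROR], "status": "404", "detail": "unknown endpoint"}


def deprovision(server, user_name):
    """IdP side: find the user by userName, then PATCH active=false.

    Returns the updated resource, or None when the service has no such user
    (worth logging: it usually means the IdP-to-app mapping is wrong)."""
    if '"' in user_name or "\\" in user_name:
        # Never splice an unescaped string into a SCIM filter: a crafted
        # userName could rewrite it into 'userName eq "" or userName pr'.
        raise ValueError(f"refusing to place {user_name!r} in a SCIM filter")
    status, listing = server.handle("GET", f'/Users?filter=userName eq "{user_name}"')
    if status != 200:
        raise RuntimeError(f"lookup failed: {status} {listing}")
    if listing["totalResults"] == 0:
        return None
    uid = listing["Resources"][0]["id"]
    patch = {"schemas": [PATCH_OP],
             "Operations": [{"op": "replace", "value": {"active": False}}]}
    status, user = server.handle("PATCH", f"/Users/{uid}", patch)
    if status != 200 or user.get("active") is not False:
        # Check the effect, not just the status: a 200 with active still true is a failure.
        raise RuntimeError(f"deactivation not confirmed: {status} {user}")
    return user


if __name__ == "__main__":
    srv = ToySCIMServer()
    srv.seed("bob@example.com", "guid-bob")
    print(deprovision(srv, "bob@example.com"))
    print(deprovision(srv, "nobody@example.com"))
```

The two checks in the client are the ones that matter in production: refuse to build a filter from an unescaped value, and confirm the returned resource actually has active set to false rather than trusting the status code.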

~~~
mrep
Your product and pricing page are super confusing to me. You talk about
"users" but don't you mean "employees"?

The product I am looking for is one where I manage all of my employees' access
to all of our relevant SaaS applications. Employees log onto this 1 single
service and then can log onto all of our tools federated by this 1 service. If
an employee leaves, then I simply remove them from this 1 centralized service
and they are removed from all of our SaaS services.

~~~
newscracker
Note: I'm not connected with the GP in any way and do not have any financial
or material interest in Okta.

Users don't necessarily have to be employees, although for many smaller
companies the employees may be all the users. For example, say your company
buys computers for your employees from a vendor and gives the vendor access to
one of your applications to send invoices and manage orders (with appropriate
controls and privileges). You would want to manage this external vendor user
in a way similar to how you manage employees' access to applications. For a
system like Okta, this external person is also a user, though not your
employee.

For your use case described above, a system/platform like Okta may be a good
fit — all your user identity management and application access management
would be on Okta alone.

Keep in mind that individual applications may still have copies of user
identity and profile records and their own (closed) mechanisms of storing user
privilege information. Those cases would have to be managed separately anyway,
even though it generally may not cause any harm as such to keep such "junk"
around when the main user identification record has been purged from a central
system like Okta (the same can be said of AD, LDAP, etc.).

~~~
skissane
Or consider the case of a university: users can be staff, students,
contractors, alumni, and various other random categories. For example, at the
university I used to work for, any member of the general public could purchase
a library borrowing card, and that meant they had to have a login to the
university library systems (to see what books they had borrowed).

------
kevlened
I think you're trying to solve two problems:

1. Single Sign-On (SSO) - Log in once for access to many services. SaaS with
SAML and OpenID Connect support are ideal in this space, but services without
support can be used with a browser plugin

2. User/Lifecycle Mgmt - CRUD operations for users. SCIM support is ideal in
this space, but many companies offer services beyond simple CRUD using bespoke
APIs. Without support for either, it's very difficult to integrate a service.
The bespoke APIs mean that you'll see varying depths of integration across
services. For example, one service may allow you to control whether a user is
in a group in Dropbox, while another won't.

There are several companies in this space (known as IDaaS), so I'll leave the
Googling to you. Of those, some do User Mgmt. I'm not aware of any companies
that do User Mgmt without SSO.

------
Xaena
In a past life as a solutions engineer at a SaaS company, I'll address a
couple points specific to a unified solution.

Problem 1: Not every SaaS platform has a company with an API to manage user
accounts. Even then, I would be skeptical of a company that offered it and
didn't offer it via OAuth tokens.

Problem 2: Automating the task within the browser also fails when it comes to
uniformity. Any company that lacks an API endpoint for user management means
you need to interact with a browser or some other hacky nonsense. With that
solution comes the problem of understanding the site structure, login forms,
and action menus.

Problem 3: Even if you did the above 2, you now have additional points of
failure within your offboarding. If a failure occurs in the automation
process, is it silent? What if the API changes (not that it should) or the UI?

The best solution is to look for companies that offer the API option or that
support SAML.

------
zytek
From experience: after the company grew to more than .. 200-300 people and user
management/termination became a big burden, we hired a person that would write
tools to automate user management, and if something wasn't supporting SAML we
did manage users via its API. If an API was not available then we reverted to
the "Termination checklist" aka manual work.

Clarification: it wasn't that person's only responsibility, just one of many
assignments to help automate Ops in the company.

------
san_at_weblegit
This is a common problem with more and more companies relying on SAML
federation. A part of this problem is solved by using SCIM, provided your IdP
and service support it. Ironically, even though SCIM is a protocol, the
implementations vary across different IdPs.

A second common issue is the ability to change email addresses in AD; this
breaks the mapping because most of the time email is the primary identifier.
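
The email-as-primary-identifier breakage above, as an added example (not from the comment): the constructed AD export and SaaS-side account list include one address that was changed in AD and then reissued to a new hire. correlate() keys on the immutable objectGUID (carried on the app side as the SCIM externalId) and still finds the right owner while flagging the stale email; the email_only() scheme loses the link and, going one step beyond the comment's point, silently attaches the old account to the new hire once the address is reused.

```python
"""Correlating IdP records with SaaS-side accounts: immutable objectGUID
(SCIM externalId) versus email.  Added example; IDP_USERS and APP_ACCOUNTS
are constructed, the rename and the reissued address are the scenario."""

IDP_USERS = [  # constructed AD export: objectGUID never changes, mail does
    {"objectGUID": "guid-1", "mail": "alice.smith@example.com"},   # was alice.jones@, renamed in AD
    {"objectGUID": "guid-2", "mail": "alice.jones@example.com"},   # new hire given the freed address
    {"objectGUID": "guid-3", "mail": "dave@example.com"},
]

APP_ACCOUNTS = [  # constructed SaaS-side records
    {"email": "alice.jones@example.com", "externalId": "guid-1"},  # provisioned before the rename
    {"email": "dave@example.com",        "externalId": "guid-3"},
    {"email": "erin@example.com",        "externalId": None},      # created by hand, never linked
]


def correlate(idp_users, app_accounts):
    """Classify each app account by how (and whether) it maps to an IdP user."""
    by_guid = {u["objectGUID"]: u for u in idp_users}
    by_mail = {u["mail"].lower(): u for u in idp_users}
    out = {"ok": [], "email_drift": [], "email_misattributes": [], "orphaned": []}
    for acct in app_accounts:
        email = acct["email"].lower()
        owner = by_guid.get(acct["externalId"]) if acct["externalId"] else None
        if owner is None:
            out["orphaned"].append(email)          # no stable link at all: needs a human
            continue
        if owner["mail"].lower() == email:
            out["ok"].append((email, owner["objectGUID"]))
            continue
        # The stable id still resolves; only the app's copy of the email is stale.
        out["email_drift"].append((email, owner["objectGUID"], owner["mail"]))
        claimant = by_mail.get(email)
        if claimant is not None and claimant["objectGUID"] != owner["objectGUID"]:
            # An email-keyed match would hand this account to a different person.
            out["email_misattributes"].append((email, claimant["objectGUID"], owner["objectGUID"]))
    return out


def email_only(idp_users, app_accounts):
    """The fragile scheme: app email -> objectGUID, or None when unmatched."""
    by_mail = {u["mail"].lower(): u["objectGUID"] for u in idp_users}
    return {a["email"].lower(): by_mail.get(a["email"].lower()) for a in app_accounts}


if __name__ == "__main__":
    print("email-only :", email_only(IDP_USERS, APP_ACCOUNTS))
    print("by objectGUID:", correlate(IDP_USERS, APP_ACCOUNTS))
```

The email_drift entries are the ones to push back into the app (update its email to the IdP's current value); the email_misattributes entries show why a deprovisioning job keyed on email can remove, or leave in place, the wrong person's access.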

------
beejiu
The only way I could see you doing this is by automatically scanning an
employee's email archive and producing a list of services.

I do not see how introducing yet another standard solves the problem. SAML and
similar standards already solve this problem; just many SaaS do not support
SAML.

------
j45
It sounds like something like Okta is what you're looking for to help with
provisioning, authentication and deprovisioning

------
wrs
BetterCloud does something like this.

