
Show HN: WorkOS – APIs for enterprise features like SSO/SAML - grinich
https://workos.com/
======
grinich
Hi HN! I’m the founder of WorkOS ([https://workos.com](https://workos.com)) We
provide a developer API for making your app enterprise-ready. You can quickly
add features including SSO/SAML, Director Sync (SCIM), Audit Logs, and more.

WorkOS is “Plaid for enterprise IT systems.”

I learned about these enterprise requirements the hard way. Previously, I
founded Nylas where we built an email app called Nylas Mail. We couldn’t
monetize that app and shut it down (RIP) and the main reason was that we
couldn’t sell it to enterprise because it was missing features.

Here’s a short Twitter thread with more info about WorkOS:
[https://twitter.com/grinich/status/1239943470271188992](https://twitter.com/grinich/status/1239943470271188992)

Best place to start is with the docs:
[http://docs.workos.com/](http://docs.workos.com/)

Would love to get your feedback, questions, and ideas. Thanks! :)

~~~
bigbossman
Just want to clarify - is this different from Monday.com? I saw a bunch of
billboards on 101 advertising Monday as your new Work OS.

~~~
slimsag
Monday.com is the worst product I have ever had the experience of working
with.

Spreadsheet with 200 rows and 20 columns? Your browser will be laggy as all
hell thanks to their wonderful UI.

Try to tell support? The entire page jitters up and down as you type every
single character in the support box on Chrome.

Reload the page? Well now the page isn't laggy at all, but literally it is not
rendering rows that _are definitely there_.

I really wanted to like it -- beautiful user interface -- but it's an
absolutely terrible product. And it was ~15 people on my team reporting the
same exact behavior as we tried it.

I would consider recommending Monday.com to my worst enemy.

------
mdeeks
Slightly off-topic complaint: I really wish these features weren't considered
"Enterprise" by so many people. Do you have a company that uses third party
tools and has employees that leave? Congrats, you're an "enterprise" and need
the "enterprise" plan.

I dream of the day that these features (SSO, Sync/SCIM, auditing) are
considered table stakes.

I hope WorkOS takes off and drives that.

P.S. RIP Nylus

~~~
xellisx
I wish people would stop using 'OS' when naming things, when it's not an
Operating System.

~~~
grinich
So there used to be a platform that gave you all the things you needed to
build an app...

It handled stuff like authentication, user management, provisioning, security,
compliance, etc. It had a fantastic developer experience and was beloved by
developers and at the _same time_ loved by IT. It allowed developers to focus
exclusively on product features, and it seamlessly took care of administrative
needs of corporate IT.

It was called Microsoft Windows. :)

But in today's era, everything has moved to the cloud and that's made the
situation fragmented. There's over a dozen IdP and even more directory systems
and logging systems. There's no source of truth! In order to build an app for
enterprise, you have to write all of this boilerplate integration code. And
right now every company does it themselves in-house.

The goal for WorkOS is to handle all the complicated undifferentiated
complexity that every workplace app needs. It runs "under the hood" and lets
you focus on building unique product features. It's a standard set of
interfaces and features shared across applications.

That's the role of the operating system and that's why we call it an OS. :)

------
dmarlow
I've had the same thought/idea myself. There's so much more this can branch
into if you want.

It looks like this is very targeted towards the SMB space. I'm wondering if
you could adjust your pricing and features to help modernize & consolidate
some of the overlap at larger businesses in general.

~~~
grinich
Yep we can help with those needs too and have custom pricing for large
enterprise deployments. (If you need that, get in touch.)

------
edelans
Looks nice indeed @grinich ! Excuse the naive question but : what's the
difference between workOS and software such as amplitude or mixpanel for audit
trail logs ?

From what I understand, you have to declare events as you would do with
analytics software. And your docs doesn't say how you make the audit trail
available to the customers. If I have to do the proxy myself, then I really do
not see the difference with an analytics software.

------
Wolfmother
Realy nice and clean website, I love the simplicity. It's a small thing but I
would avoid black CTA in the project. Using colors could increase interaction
with design ;) Maybe you would like to also introduce your tool to our
audience on Owwly ([https://owwly.com](https://owwly.com))? I think you can
find there some potential users.

------
dathinab
A slightly offtopic question. Besides older systems/older systems integration
is there any reason to have SAML based SSO?

It always seemed to me that if you do not have to support SAML for some older
systems the get to go solution is to use a OAuth2 based solution like OpenId
Connect.

~~~
tylerrobinson
I think you answered your own question. If the client/partner/customer
supports SAML, now you do, too.

------
hashamali
It looks like RBAC isn't out yet, any timeline on that? This seems like a very
useful product!

~~~
grinich
Hopefully a beta in a few months. It will integrate closely with the
Directory/SCIM services so we want to get that part right first.

------
teddyh
Note: Not related to Workplace OS:
[https://en.wikipedia.org/wiki/Workplace_OS](https://en.wikipedia.org/wiki/Workplace_OS)

------
aktive0
Since this is enterprise tool, what's your security posture like? Are you
compliant/certified with framework's like ISO27001?

~~~
grinich
We're currently in the middle of our SOC-2 Type 2 observation period and
should have that certification in Q2.

The company is barely 1 year old and the process of certification can be a bit
slow. Other attestations including ISO/IEC 27001, 27017, and 27018 will come
later.

We also have a lot of internal practices and policy for how we secure WorkOS
while still allowing our engineering team to ship code incredibly fast. It
involves separation of duties, hardware security keys (YubiKey), and lots of
automation with alerting.

Hopefully we can write something public about it later this year. Many of the
ideas came from Stripe's security team. (Thanks Angie! <3)

~~~
j4ah4n
Will you be supporting HIPAA/PIPEDA as well? I'm just teeing up all of this
work for a healthcare SaaS offering, non-trivial. We're presently deployed as
a "per-customer" model as some require enterprise options, others not so much.
Would be great to have a tool that fills those gaps simply when/as required.

Looks great, I'll definitely be going through it in more detail after work.

~~~
grinich
Yep - everything in WorkOS already pipes into our Audit Log so it's quite
close.

Would love to learn more about your app. Send me a note and we can chat?
mg@workos.com

~~~
Reebz
This is extremely impressive. The value prop, the product, all of it. It
resonates.

I was at a startup 5 or so years ago, and now am at a very large company. The
world of pain you enter as a small shop when the Large Co. takes you through
their third-party compliance and enterprise IT requirements are mind boggling.
WorkOS seems to be that critical and much overdue on-ramp between startups and
the FT500.

------
leetrout
How does this compare / contrast to Auth0?

~~~
grinich
Similar and different in some ways. Our SSO is free, which makes it a lot more
accessible to startups and companies just beginning to go up-market.

We also provide a more generic abstraction than Auth0. They essentially "take
over" your auth screens and show Auth0 UI. If you use WorkOS, it's not visible
to your end-users and you can customize the sign-in experience how ever you
want.

~~~
ucarion
You can do this with the Auth0 APIs as well, no? By hitting the `/authorize`
endpoint for saml-typed Auth0 connections? In that case Auth0 then acts as a
SAML-to-OpenID Connect translation layer.

~~~
ct520
there is a couple ways to do and handle this. It seems like the best practices
change every 6 months. There is a similar way to do this with azure AD also.
I'm curious how workos differs. Seeing this field evolve over the last 2-3
years has been interesting.

------
nick_urban
Sounds very cool. For the purposes of pricing, what are "enterprise users"?

------
stereobit
I wish I would have found this 3 month ago ...

~~~
grinich
Oof sorry you had to go through it! What did you end up building?

~~~
stereobit
We just build our own SCIM endpoint and are now trying to integrate it into
OKTA. I'll never get that time back that I spend reading the SCIM spec. Could
have used it to build something that adds value to our customers.

~~~
neLrivVK
How would this solution have helped you? You'd have to integrate WorkOS in
your app instead of standardised SCIM?

~~~
grinich
Yep but our directory APIs are a lot simpler than SCIM. Plus we normalize user
attributes across non-SCIM directories like G Suite and Azure.

WorkOS also has webhooks, which makes integrating a breeze:
[https://docs.workos.com/directory-
sync/webhooks](https://docs.workos.com/directory-sync/webhooks)

