
Ask HN: A good way to support SSO in bootstrapped SaaS? - gary__
I'm looking for an identity solution that allows me to offer SSO in a typical SAAS scenario:

- Multitenant support where tenants can be created in an automated fashion
- Allows SSO to be set up back to a tenant's own identity provider (saml2)
- There could be between 2 and 300 users per tenant. I'd be happy to have 3 tenants with 20 users each to begin with.
- No real need for logins to link to multiple tenants

Auth0 is expensive for this relative to where I am at. I'm on the .net core stack where identityserver4 is often used, but some of the (java) based offerings appear to come with more out of the box (for free). In saying that, integration with SAAS of this nature looks to complicate things. So I'd appreciate any advice from HN's experience on the options available.
======
quickthrower2
I rolled my own at work based on
[https://github.com/displayr/AspNetSaml](https://github.com/displayr/AspNetSaml)
which I forked from
[https://github.com/jitbit/AspNetSaml](https://github.com/jitbit/AspNetSaml)

There is a PR to make it work with .NET core at the moment.

Once you understand the protocol it's a case of storing some fields relating
to the IdP in your database, for each tenant. Redirect to the IdP website and
they'll redirect back to you and post a signed XML doc to say Joe is
authenticated and belongs to these groups.

~~~
gtsteve
I gave this code a quick skim and it seems reasonably well thought out and I
wish I'd seen it before I rolled my own at work. There are numerous security
flaws that one can accidentally introduce with SAML and it seems you've
avoided the obvious ones at the very least (i.e. not checking there's only a
single assertion, etc).

Just in case you weren't aware of it, I found this page very helpful when
developing mine:
[https://github.com/OWASP/CheatSheetSeries/blob/master/cheats...](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/SAML_Security_Cheat_Sheet.md)
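As an added illustration of the two comments above (not code from the thread, from AspNetSaml or from the OWASP sheet): the per-tenant IdP record quickthrower2 mentions, and the checks an SP runs on the posted SAML Response once its XML signature has been verified against that tenant's stored IdP certificate with an XML-DSig library, which this example assumes happened upstream. It is written in Python rather than .NET so it runs stand-alone; the `TenantIdp` layout, function names and the sample response are hypothetical and constructed.

```python
# Added example (not from the thread or from AspNetSaml): what a multi-tenant
# SP checks on a SAML 2.0 Response *after* the XML signature has been verified
# with an XML-DSig library against that tenant's stored IdP certificate.
# Names and the tenant record are hypothetical; the sample response is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET  # parse with defusedxml in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


@dataclass(frozen=True)
class TenantIdp:
    """Per-tenant IdP fields kept in the SP database (hypothetical schema)."""
    tenant_id: str
    idp_entity_id: str  # expected <Issuer>
    sp_entity_id: str   # expected <Audience>
    acs_url: str        # expected Destination / Recipient


class SamlValidationError(Exception):
    pass


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC


def validate_response(xml_bytes: bytes, tenant: TenantIdp, now: datetime,
                      expected_request_id: Optional[str] = None,
                      skew: timedelta = timedelta(minutes=3)) -> dict:
    """Return the authenticated identity for this tenant or raise SamlValidationError."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("root element is not samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    if root.get("Destination") not in (None, tenant.acs_url):
        raise SamlValidationError("Destination is not this tenant's ACS URL")
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        raise SamlValidationError("InResponseTo does not match the pending request")
    # Exactly one plaintext assertion (this example does not decrypt).
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1 or root.find("saml:EncryptedAssertion", NS) is not None:
        raise SamlValidationError("expected exactly one assertion")
    a = assertions[0]
    # Response and assertion issuer must be *this* tenant's IdP, so a valid
    # assertion from tenant A's IdP can never log someone into tenant B.
    for el in (root, a):
        issuer = el.find("saml:Issuer", NS)
        if issuer is None or (issuer.text or "").strip() != tenant.idp_entity_id:
            raise SamlValidationError("issuer is not this tenant's IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion has no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < _ts(nb):
        raise SamlValidationError("assertion not yet valid")
    if noa and now - skew >= _ts(noa):
        raise SamlValidationError("assertion expired")
    audiences = [x.text.strip() for x in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
    if tenant.sp_entity_id not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, tenant.acs_url):
            raise SamlValidationError("Recipient is not this tenant's ACS URL")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            raise SamlValidationError("subject confirmation expired")
        if expected_request_id and scd.get("InResponseTo") != expected_request_id:
            raise SamlValidationError("SubjectConfirmationData InResponseTo mismatch")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlValidationError("assertion has no NameID")
    groups = [v.text.strip() for v in a.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS) if v.text]
    return {"tenant_id": tenant.tenant_id, "name_id": name_id.text.strip(), "groups": groups}


def rejection_reason(xml_bytes, tenant, now, expected_request_id=None) -> Optional[str]:
    try:  # the validation error message, or None when the response is accepted
        validate_response(xml_bytes, tenant, now, expected_request_id)
        return None
    except SamlValidationError as e:
        return str(e)


# Constructed sample: tenant "acme" and a response its IdP might post to our ACS.
# <ds:Signature> is omitted because signature checking is assumed to happen upstream.
ACME = TenantIdp("acme", "https://idp.acme.example/saml",
                 "https://saas.example/acme", "https://saas.example/acme/saml/acs")
NOW = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=1)


def build_sample_response(issuer=ACME.idp_entity_id, extra_assertion=False) -> bytes:
    assertion = f"""<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>joe@acme.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACME.acs_url}" InResponseTo="_req42"
          NotOnOrAfter="2024-05-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{ACME.sp_entity_id}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups">
    <saml:AttributeValue>admins</saml:AttributeValue>
    <saml:AttributeValue>billing</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
            f'Version="2.0" IssueInstant="2024-05-01T12:00:00Z" InResponseTo="_req42" '
            f'Destination="{ACME.acs_url}"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'{assertion}{assertion if extra_assertion else ""}</samlp:Response>').encode()
```

The important multi-tenant detail is that the issuer, audience and ACS URL are all compared against the record of the tenant whose ACS endpoint received the POST, not against a global allow-list; `rejection_reason(build_sample_response(issuer="https://idp.other.example/saml"), ACME, NOW, "_req42")` is refused for exactly that reason, and a response carrying two assertions is refused before any of the assertion content is looked at.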

~~~
quickthrower2
Thanks. I can’t take too much credit: Jitbit did most of that work, I added
some integration testing and added a couple of methods.

------
mariushn
Unless I'm misunderstanding your needs, why wouldn't
[http://www.passportjs.org/](http://www.passportjs.org/) work? I've used it
successfully for Google & Facebook signup/signin.

It has SAML support and I guess one of these packages could be customized to
your needs?
[http://www.passportjs.org/packages/](http://www.passportjs.org/packages/)

------
dmarlow
I highly recommend ComponentSpace SAML SSO. There is a cost, but well worth
it, imo. It's well maintained, support and forum available, fast responses,
etc. I tried a few OSS, but they had some limitations that I couldn't get
around in a short timeframe.

------
avitzurel
Used Auth0 before with great success. They support SSO and everything you
need.

[edit] The right name this time

