Hacker News new | past | comments | ask | show | jobs | submit login
Show HN: WorkOS – APIs for enterprise features like SSO/SAML (workos.com)
205 points by grinich on March 17, 2020 | hide | past | favorite | 55 comments

Hi HN! I’m the founder of WorkOS (https://workos.com) We provide a developer API for making your app enterprise-ready. You can quickly add features including SSO/SAML, Director Sync (SCIM), Audit Logs, and more.

WorkOS is “Plaid for enterprise IT systems.”

I learned about these enterprise requirements the hard way. Previously, I founded Nylas where we built an email app called Nylas Mail. We couldn’t monetize that app and shut it down (RIP) and the main reason was that we couldn’t sell it to enterprise because it was missing features.

Here’s a short Twitter thread with more info about WorkOS: https://twitter.com/grinich/status/1239943470271188992

Best place to start is with the docs: http://docs.workos.com/

Would love to get your feedback, questions, and ideas. Thanks! :)

I fully appreciate how difficult this is to do, but I think it would be immensely useful if WorkOS provided the docs that I (the SAML SP, your customer) provide to my customers who are setting up SAML (as an IdP) on their end.

One of the biggest pain points I've experienced with SAML is that people come to me asking for help, but only understanding their IdP; the only IdP I know how to use is Okta, and I don't have access to their IdP to test with.

I'd love it if WorkOS could give me documentation that I can give to my customers about how they can set up Okta/Azure ADFS/whatever with my product. I can edit those docs to account for idiosyncratic stuff my product does (e.g. requiring a particular SAML user attribute or format for user IDs).

Aside: the support burden of SAML is a big part of why the sso.tax exists. Nobody on the SP or IdP end knows how to set this stuff up!

Yep we're already looking at doing this with docs. :)

One thing to help with the SAML support is WorkOS.js. It's essentially an embeddable configuration flow, so you don't need to build the UI to collect x.509 certs, generate the ACS URL, etc. Similar architecture to "Plaid Link" so users never leave your app.

Docs here: https://docs.workos.com/sso/embed-workosjs

Yeah this is really cool! To your point about WorkOS.js -- how would a customer know where to find their SAML metadata? Some of this can be done inline in WorkOS.js, of course.

But no amount of inline docs in WorkOS.js's UI is going to get around the high-level guidance docs, both for your customers ("where do I even start") and your customers' customers ("how do I fit my IdP peg into your SP round hole").

Ah yeah I'm talking about two different things. The docs for getting SAML config would be on a separate public site.

WorkOS.js is for the IT admin to configure their SSO/SAML integration.

With both of these things, you can make SAML fully self-serve and include it in your base tier, which drives adoption and retention in bigger companies.

Congrats on the launch, Michael. Been experiencing the same - after conducting demos of our application, we've been told that we aren't enterprise-ready and so we've gone away to figure out what that looks like. I've got extensive experience in the enterprise space having worked in banking tech for a few years so happy to help. Currently, we're building an AI performance management platform for enterprises and so could leverage WorkOS to accelerate our go-to-market. How do you compare to Replicated (https://www.replicated.com/)?

Thanks for the kind words!

Replicated helps developers ship an on-prem version of their product, like GitHub Enterprise.

WorkOS helps developers add features to make their app enterprise-ready. We provide an API to integrate with cloud services like Okta, Azure AD, G Suite, and more.

Thanks for the really simple explanation. Cheers.

Very minor, really, but did you consider tiers something like Developer/Startup/Corporate, rather than Free/Developer/Corporate?

I just think surely every user (of yours) is a de facto developer, and really if that's all they are they only need the 'Free' tier until they start selling something (i.e. it's a business of some kind) and need the support.

Other words: (for free) MVP, Prototype, Concept; (for middle tier) Business, Starter.

But it looks nice, bookmarked as a 'solution I'd like to have the problem for' ;)

Naming is one of those hard problems. :P

We're primarily targeted at developers but I found there's a lot of other people who care about enterprise features. For example, WorkOS allows a Head of Product to focus entirely on new end-user features and not build SAML config screens.

WorkOS is surprisingly popular with the VP Sales. They have no idea what SAML or SCIM means, but they know it's blocking big deals. WorkOS helps them unlock that revenue.

One issue with Enterprise Software that I've experienced is that all subcontractors are scrutinised and have to be listed in contracts, clients has to be notified/approve changes etc.

I would love to pay you money but run this somehow under AWS (Marketplace?) so that I don't have to request signatures from all our clients.

The issue, AFAICT, is all about who has access to personal data and where that data is hosted (jurisdiction wise).

Would love to chat with you about your needs here. Shoot me an email? mg@workos.com

> "You can quickly add features including SSO/SAML, Director Sync (SCIM), Audit Logs, and more."

This is great. Congrats.

I work in a regulated industry (Life sciences/pharma) and all of these are challenges we've had to tackle as one-offs for our SaaS, so I could appreciate this bundled/bootstrapped approach.

Just want to clarify - is this different from Monday.com? I saw a bunch of billboards on 101 advertising Monday as your new Work OS.

Monday.com is the worst product I have ever had the experience of working with.

Spreadsheet with 200 rows and 20 columns? Your browser will be laggy as all hell thanks to their wonderful UI.

Try to tell support? The entire page jitters up and down as you type every single character in the support box on Chrome.

Reload the page? Well now the page isn't laggy at all, but literally it is not rendering rows that _are definitely there_.

I really wanted to like it -- beautiful user interface -- but it's an absolutely terrible product. And it was ~15 people on my team reporting the same exact behavior as we tried it.

I would consider recommending Monday.com to my worst enemy.

lol yeah totally different. someone sent me a pic of those last week

though maybe they should become a customer? ;)

I'm just in the process of adding SSO to our iOS app and scratching my head trying to figure where to start....

This is a great place to start. (Plus it's free.)


What you're looking for is Firebase Authentication & customs tokens to link with your current auth system.

What did you use to build your documentation site?

Thank you!

Very impressed with how the documentation looks. Similar to ReadMe.io, but a little bit more simple. Would love to know as well!

(Answered in the parent comment.)

The hardest part of these docs was actually just writing the docs. So hard to come up with simple language for super complicated topics. And so much more still to do!

Slightly off-topic complaint: I really wish these features weren't considered "Enterprise" by so many people. Do you have a company that uses third party tools and has employees that leave? Congrats, you're an "enterprise" and need the "enterprise" plan.

I dream of the day that these features (SSO, Sync/SCIM, auditing) are considered table stakes.

I hope WorkOS takes off and drives that.

P.S. RIP Nylus

I used to share that sentiment but now having worked on the other side and been involved in too many pricing discussion, segmenting is _hard_. Generous free and credit card plans are often subsidized by enterprise contracts and you gotta have some features to make people want to pay for those enterprise plans. SSO/SCIM/Audit logs are great for that because big companies _really_ care while most SMBs don‘t have an IdP and SME are usually fine forgoing it if they can save a buck or two.

I wish people would stop using 'OS' when naming things, when it's not an Operating System.

So there used to be a platform that gave you all the things you needed to build an app...

It handled stuff like authentication, user management, provisioning, security, compliance, etc. It had a fantastic developer experience and was beloved by developers and at the same time loved by IT. It allowed developers to focus exclusively on product features, and it seamlessly took care of administrative needs of corporate IT.

It was called Microsoft Windows. :)

But in today's era, everything has moved to the cloud and that's made the situation fragmented. There's over a dozen IdP and even more directory systems and logging systems. There's no source of truth! In order to build an app for enterprise, you have to write all of this boilerplate integration code. And right now every company does it themselves in-house.

The goal for WorkOS is to handle all the complicated undifferentiated complexity that every workplace app needs. It runs "under the hood" and lets you focus on building unique product features. It's a standard set of interfaces and features shared across applications.

That's the role of the operating system and that's why we call it an OS. :)

So make all of these features paid then?

> P.S. RIP Nylus

You mean Nylas?

Yes :) sorry.

I used to work for Acompli (now Outlook Mobile) and we hated when people spelled it Accompli. Now I’m that guy

I've had the same thought/idea myself. There's so much more this can branch into if you want.

It looks like this is very targeted towards the SMB space. I'm wondering if you could adjust your pricing and features to help modernize & consolidate some of the overlap at larger businesses in general.

Yep we can help with those needs too and have custom pricing for large enterprise deployments. (If you need that, get in touch.)

Looks nice indeed @grinich ! Excuse the naive question but : what's the difference between workOS and software such as amplitude or mixpanel for audit trail logs ?

From what I understand, you have to declare events as you would do with analytics software. And your docs doesn't say how you make the audit trail available to the customers. If I have to do the proxy myself, then I really do not see the difference with an analytics software.

A slightly offtopic question. Besides older systems/older systems integration is there any reason to have SAML based SSO?

It always seemed to me that if you do not have to support SAML for some older systems the get to go solution is to use a OAuth2 based solution like OpenId Connect.

I think you answered your own question. If the client/partner/customer supports SAML, now you do, too.

It looks like RBAC isn't out yet, any timeline on that? This seems like a very useful product!

Hopefully a beta in a few months. It will integrate closely with the Directory/SCIM services so we want to get that part right first.

Note: Not related to Workplace OS: https://en.wikipedia.org/wiki/Workplace_OS

Since this is enterprise tool, what's your security posture like? Are you compliant/certified with framework's like ISO27001?

We're currently in the middle of our SOC-2 Type 2 observation period and should have that certification in Q2.

The company is barely 1 year old and the process of certification can be a bit slow. Other attestations including ISO/IEC 27001, 27017, and 27018 will come later.

We also have a lot of internal practices and policy for how we secure WorkOS while still allowing our engineering team to ship code incredibly fast. It involves separation of duties, hardware security keys (YubiKey), and lots of automation with alerting.

Hopefully we can write something public about it later this year. Many of the ideas came from Stripe's security team. (Thanks Angie! <3)

Will you be supporting HIPAA/PIPEDA as well? I'm just teeing up all of this work for a healthcare SaaS offering, non-trivial. We're presently deployed as a "per-customer" model as some require enterprise options, others not so much. Would be great to have a tool that fills those gaps simply when/as required.

Looks great, I'll definitely be going through it in more detail after work.

Yep - everything in WorkOS already pipes into our Audit Log so it's quite close.

Would love to learn more about your app. Send me a note and we can chat? mg@workos.com

This is extremely impressive. The value prop, the product, all of it. It resonates.

I was at a startup 5 or so years ago, and now am at a very large company. The world of pain you enter as a small shop when the Large Co. takes you through their third-party compliance and enterprise IT requirements are mind boggling. WorkOS seems to be that critical and much overdue on-ramp between startups and the FT500.

How does this compare / contrast to Auth0?

Similar and different in some ways. Our SSO is free, which makes it a lot more accessible to startups and companies just beginning to go up-market.

We also provide a more generic abstraction than Auth0. They essentially "take over" your auth screens and show Auth0 UI. If you use WorkOS, it's not visible to your end-users and you can customize the sign-in experience how ever you want.

You can do this with the Auth0 APIs as well, no? By hitting the `/authorize` endpoint for saml-typed Auth0 connections? In that case Auth0 then acts as a SAML-to-OpenID Connect translation layer.

there is a couple ways to do and handle this. It seems like the best practices change every 6 months. There is a similar way to do this with azure AD also. I'm curious how workos differs. Seeing this field evolve over the last 2-3 years has been interesting.

Sounds very cool. For the purposes of pricing, what are "enterprise users"?

I wish I would have found this 3 month ago ...

Oof sorry you had to go through it! What did you end up building?

We just build our own SCIM endpoint and are now trying to integrate it into OKTA. I'll never get that time back that I spend reading the SCIM spec. Could have used it to build something that adds value to our customers.

How would this solution have helped you? You'd have to integrate WorkOS in your app instead of standardised SCIM?

Yep but our directory APIs are a lot simpler than SCIM. Plus we normalize user attributes across non-SCIM directories like G Suite and Azure.

WorkOS also has webhooks, which makes integrating a breeze: https://docs.workos.com/directory-sync/webhooks

Realy nice and clean website, I love the simplicity. It's a small thing but I would avoid black CTA in the project. Using colors could increase interaction with design ;) Maybe you would like to also introduce your tool to our audience on Owwly (https://owwly.com)? I think you can find there some potential users.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact