WorkOS is “Plaid for enterprise IT systems.”
I learned about these enterprise requirements the hard way. Previously, I founded Nylas where we built an email app called Nylas Mail. We couldn’t monetize that app and shut it down (RIP) and the main reason was that we couldn’t sell it to enterprise because it was missing features.
Here’s a short Twitter thread with more info about WorkOS: https://twitter.com/grinich/status/1239943470271188992
Best place to start is with the docs: http://docs.workos.com/
Would love to get your feedback, questions, and ideas. Thanks! :)
One of the biggest pain points I've experienced with SAML is that people come to me asking for help, but only understanding their IdP; the only IdP I know how to use is Okta, and I don't have access to their IdP to test with.
I'd love it if WorkOS could give me documentation that I can give to my customers about how they can set up Okta/Azure ADFS/whatever with my product. I can edit those docs to account for idiosyncratic stuff my product does (e.g. requiring a particular SAML user attribute or format for user IDs).
Aside: the support burden of SAML is a big part of why the sso.tax exists. Nobody on the SP or IdP end knows how to set this stuff up!
One thing to help with the SAML support is WorkOS.js. It's essentially an embeddable configuration flow, so you don't need to build the UI to collect x.509 certs, generate the ACS URL, etc. Similar architecture to "Plaid Link" so users never leave your app.
Docs here: https://docs.workos.com/sso/embed-workosjs
But no amount of inline docs in WorkOS.js's UI is going to get around the high-level guidance docs, both for your customers ("where do I even start") and your customers' customers ("how do I fit my IdP peg into your SP round hole").
WorkOS.js is for the IT admin to configure their SSO/SAML integration.
With both of these things, you can make SAML fully self-serve and include it in your base tier, which drives adoption and retention in bigger companies.
Replicated helps developers ship an on-prem version of their product, like GitHub Enterprise.
WorkOS helps developers add features to make their app enterprise-ready. We provide an API to integrate with cloud services like Okta, Azure AD, G Suite, and more.
I just think surely every user (of yours) is a de facto developer, and really if that's all they are they only need the 'Free' tier until they start selling something (i.e. it's a business of some kind) and need the support.
Other words: (for free) MVP, Prototype, Concept; (for middle tier) Business, Starter.
But it looks nice, bookmarked as a 'solution I'd like to have the problem for' ;)
We're primarily targeted at developers but I found there's a lot of other people who care about enterprise features. For example, WorkOS allows a Head of Product to focus entirely on new end-user features and not build SAML config screens.
WorkOS is surprisingly popular with the VP Sales. They have no idea what SAML or SCIM means, but they know it's blocking big deals. WorkOS helps them unlock that revenue.
I would love to pay you money but run this somehow under AWS (Marketplace?) so that I don't have to request signatures from all our clients.
The issue, AFAICT, is all about who has access to personal data and where that data is hosted (jurisdiction wise).
This is great. Congrats.
I work in a regulated industry (Life sciences/pharma) and all of these are challenges we've had to tackle as one-offs for our SaaS, so I could appreciate this bundled/bootstrapped approach.
Spreadsheet with 200 rows and 20 columns? Your browser will be laggy as all hell thanks to their wonderful UI.
Try to tell support? The entire page jitters up and down as you type every single character in the support box on Chrome.
Reload the page? Well now the page isn't laggy at all, but literally it is not rendering rows that _are definitely there_.
I really wanted to like it -- beautiful user interface -- but it's an absolutely terrible product. And it was ~15 people on my team reporting the same exact behavior as we tried it.
I would consider recommending Monday.com to my worst enemy.
though maybe they should become a customer? ;)
The hardest part of these docs was actually just writing the docs. So hard to come up with simple language for super complicated topics. And so much more still to do!
I dream of the day that these features (SSO, Sync/SCIM, auditing) are considered table stakes.
I hope WorkOS takes off and drives that.
P.S. RIP Nylus
It handled stuff like authentication, user management, provisioning, security, compliance, etc. It had a fantastic developer experience and was beloved by developers and at the same time loved by IT. It allowed developers to focus exclusively on product features, and it seamlessly took care of administrative needs of corporate IT.
It was called Microsoft Windows. :)
But in today's era, everything has moved to the cloud and that's made the situation fragmented. There's over a dozen IdP and even more directory systems and logging systems. There's no source of truth! In order to build an app for enterprise, you have to write all of this boilerplate integration code. And right now every company does it themselves in-house.
The goal for WorkOS is to handle all the complicated undifferentiated complexity that every workplace app needs. It runs "under the hood" and lets you focus on building unique product features. It's a standard set of interfaces and features shared across applications.
That's the role of the operating system and that's why we call it an OS. :)
You mean Nylas?
I used to work for Acompli (now Outlook Mobile) and we hated when people spelled it Accompli. Now I’m that guy
It looks like this is very targeted towards the SMB space. I'm wondering if you could adjust your pricing and features to help modernize & consolidate some of the overlap at larger businesses in general.
From what I understand, you have to declare events as you would do with analytics software. And your docs doesn't say how you make the audit trail available to the customers. If I have to do the proxy myself, then I really do not see the difference with an analytics software.
It always seemed to me that if you do not have to support SAML for some older systems the get to go solution is to use a OAuth2 based solution like OpenId Connect.
The company is barely 1 year old and the process of certification can be a bit slow. Other attestations including ISO/IEC 27001, 27017, and 27018 will come later.
We also have a lot of internal practices and policy for how we secure WorkOS while still allowing our engineering team to ship code incredibly fast. It involves separation of duties, hardware security keys (YubiKey), and lots of automation with alerting.
Hopefully we can write something public about it later this year. Many of the ideas came from Stripe's security team. (Thanks Angie! <3)
Looks great, I'll definitely be going through it in more detail after work.
Would love to learn more about your app. Send me a note and we can chat? email@example.com
I was at a startup 5 or so years ago, and now am at a very large company. The world of pain you enter as a small shop when the Large Co. takes you through their third-party compliance and enterprise IT requirements are mind boggling. WorkOS seems to be that critical and much overdue on-ramp between startups and the FT500.
We also provide a more generic abstraction than Auth0. They essentially "take over" your auth screens and show Auth0 UI. If you use WorkOS, it's not visible to your end-users and you can customize the sign-in experience how ever you want.
WorkOS also has webhooks, which makes integrating a breeze: https://docs.workos.com/directory-sync/webhooks