Hmm audit compliance? Google gives you a log of who logged in where, doesn't it?
And with "proper RBAC" you mean that you can put somebody into the "Developer" role, hence he gets AWS, GCP, Datadog, right?
I don't know how extensive Google's logging is - heck, didn't even know they offered Enterprise SSO until a few days ago (every organization I know uses either Okta or M365/AD) :)
Proper RBAC is as granular as necessary, but no more
Proper RBAC also links everything needed by a certain role together
Merely knowing who logged-in where and when, though, is not enough - you also need to know what they did while there (and that they did not do anything they were not supposed to be able to do (which links back to proper RBAC'ing))
CIS, HIPAA, FISMA, SOX, STIG and all the other alphabet soup compliance rules, frameworks, etc are a lot more extensive than just "who logged in where" :)
'Auditing user accounts in SaaS applications' is a pretty good summary of what the current version is about. The 'SSO-Tax' has become a synonym for the extra charges of SaaS vendors in which they usually bundle 3rd party SSO, SCIM and SAML.
What other tooling would you want it to integrate with?
Great to see that we were not alone with the struggles! Let me know if you are up for a quick chat. Would love to learn more about your situation and how OpenOwl could help fix it. If you are up for it, my contact is in the bio
In future versions it will be possible to do the same with, for example, your Google SSO sign-in and 2FA enabled. The reason for the limitation is that we simply wanted to get it out into the world and see if anybody is as excited about it as we are.
For reference, the azure client, opens a browser for the login, which redirects to a dns address that equates to "localhost" on a port that will effectively get the final auth tokens to the local instance, which then persists and shuts down the service. Should be able to do very similar.