[HN Gopher] Show HN: WorkOS - APIs for enterprise features like ...
       ___________________________________________________________________
        
       Show HN: WorkOS - APIs for enterprise features like SSO/SAML
        
       Author : grinich
       Score  : 113 points
       Date   : 2020-03-17 17:24 UTC (5 hours ago)
        
 (HTM) web link (workos.com)
 (TXT) w3m dump (workos.com)
        
       | mdeeks wrote:
       | Slightly off-topic complaint: I really wish these features
       | weren't considered "Enterprise" by so many people. Do you have a
       | company that uses third party tools and has employees that leave?
       | Congrats, you're an "enterprise" and need the "enterprise" plan.
       | 
       | I dream of the day that these features (SSO, Sync/SCIM, auditing)
       | are considered table stakes.
       | 
       | I hope WorkOS takes off and drives that.
       | 
       | P.S. RIP Nylas
        
         | realityking wrote:
         | I used to share that sentiment but now having worked on the
         | other side and been involved in too many pricing discussions,
         | segmenting is _hard_. Generous free and credit card plans are
         | often subsidized by enterprise contracts and you gotta have
         | some features to make people want to pay for those enterprise
         | plans. SSO/SCIM/Audit logs are great for that because big
         | companies _really_ care while most SMBs don't have an IdP and
         | SMEs are usually fine forgoing it if they can save a buck or
         | two.
        
         | xellisx wrote:
         | I wish people would stop using 'OS' when naming things, when
         | it's not an Operating System.
        
           | grinich wrote:
           | So there used to be a platform that gave you all the things
           | you needed to build an app...
           | 
           | It handled stuff like authentication, user management,
           | provisioning, security, compliance, etc. It had a fantastic
           | developer experience and was beloved by developers and at the
           | _same time_ loved by IT. It allowed developers to focus
           | exclusively on product features, and it seamlessly took care
           | of administrative needs of corporate IT.
           | 
           | It was called Microsoft Windows. :)
           | 
           | But in today's era, everything has moved to the cloud and
           | that's made the situation fragmented. There's over a dozen
           | IdPs and even more directory systems and logging systems.
           | There's no source of truth! In order to build an app for
           | enterprise, you have to write all of this boilerplate
           | integration code. And right now every company does it
           | themselves in-house.
           | 
           | The goal for WorkOS is to handle all the complicated
           | undifferentiated complexity that every workplace app needs.
           | It runs "under the hood" and lets you focus on building
           | unique product features. It's a standard set of interfaces
           | and features shared across applications.
           | 
           | That's the role of the operating system and that's why we
           | call it an OS. :)
        
       | grinich wrote:
       | Hi HN! I'm the founder of WorkOS (https://workos.com) We provide
       | a developer API for making your app enterprise-ready. You can
       | quickly add features including SSO/SAML, Directory Sync (SCIM),
       | Audit Logs, and more.
       | 
       | WorkOS is "Plaid for enterprise IT systems."
       | 
       | I learned about these enterprise requirements the hard way.
       | Previously, I founded Nylas where we built an email app called
       | Nylas Mail. We couldn't monetize that app and shut it down (RIP)
       | and the main reason was that we couldn't sell it to enterprise
       | because it was missing features.
       | 
       | Here's a short Twitter thread with more info about WorkOS:
       | https://twitter.com/grinich/status/1239943470271188992
       | 
       | Best place to start is with the docs: http://docs.workos.com/
       | 
       | Would love to get your feedback, questions, and ideas. Thanks! :)
        
         | OJFord wrote:
         | Very minor, really, but did you consider tiers something like
         | Developer/Startup/Corporate, rather than
         | Free/Developer/Corporate?
         | 
         | I just think surely every user (of yours) is a de facto
         | developer, and really if that's all they are they only need the
         | 'Free' tier until they start selling something (i.e. it's a
         | business of some kind) and need the support.
         | 
         | Other words: (for free) MVP, Prototype, Concept; (for middle
         | tier) Business, Starter.
         | 
         | But it looks nice, bookmarked as a 'solution I'd like to have
         | the problem for' ;)
        
           | grinich wrote:
           | Naming is one of those hard problems. :P
           | 
           | We're primarily targeted at developers but I found there's a
           | lot of other people who care about enterprise features. For
           | example, WorkOS allows a Head of Product to focus entirely on
           | new end-user features and not build SAML config screens.
           | 
           | WorkOS is surprisingly popular with the VP Sales. They have
           | no idea what SAML or SCIM means, but they know it's blocking
           | big deals. WorkOS helps them unlock that revenue.
        
         | oron wrote:
         | I'm just in the process of adding SSO to our iOS app and
         | scratching my head trying to figure where to start....
        
           | grinich wrote:
           | This is a great place to start. (Plus it's free.)
           | 
           | https://docs.workos.com/sso/overview
        
         | ucarion wrote:
         | I fully appreciate how difficult this is to do, but I think it
         | would be immensely useful if WorkOS provided the docs that I
         | (the SAML SP, your customer) provide to my customers who are
         | setting up SAML (as an IdP) on their end.
         | 
         | One of the biggest pain points I've experienced with SAML is
         | that people come to me asking for help, but only understanding
         | their IdP; the only IdP I know how to use is Okta, and I don't
         | have access to their IdP to test with.
         | 
         | I'd love it if WorkOS could give me documentation that I can
         | give to my customers about how they can set up Okta/Azure
         | ADFS/whatever with my product. I can edit those docs to account
         | for idiosyncratic stuff my product does (e.g. requiring a
         | particular SAML user attribute or format for user IDs).
         | 
         | Aside: the support burden of SAML is a big part of why the
         | sso.tax exists. Nobody on the SP or IdP end knows how to set
         | this stuff up!
        
           | grinich wrote:
           | Yep we're already looking at doing this with docs. :)
           | 
           | One thing to help with the SAML support is WorkOS.js. It's
           | essentially an embeddable configuration flow, so you don't
           | need to build the UI to collect x.509 certs, generate the ACS
           | URL, etc. Similar architecture to "Plaid Link" so users never
           | leave your app.
           | 
           | Docs here: https://docs.workos.com/sso/embed-workosjs
        
             | ucarion wrote:
             | Yeah this is really cool! To your point about WorkOS.js --
             | how would a customer know where to find their SAML
             | metadata? Some of this can be done inline in WorkOS.js, of
             | course.
             | 
             | But no amount of inline docs in WorkOS.js's UI is going to
             | get around the high-level guidance docs, both for your
             | customers ("where do I even start") and your customers'
             | customers ("how do I fit my IdP peg into your SP round
             | hole").
        
               | grinich wrote:
               | Ah yeah I'm talking about two different things. The docs
               | for getting SAML config would be on a separate public
               | site.
               | 
               | WorkOS.js is for the IT admin to configure their SSO/SAML
               | integration.
               | 
               | With both of these things, you can make SAML fully self-
               | serve and include it in your base tier, which drives
               | adoption and retention in bigger companies.
        
         | cordite wrote:
         | What did you use to build your documentation site?
        
           | grinich wrote:
           | It's custom, built on Next.js and MDX.
           | 
           | https://github.com/zeit/next.js/
           | 
           | https://github.com/mdx-js/mdx
        
             | cordite wrote:
             | Thank you!
        
           | HEHENE wrote:
           | Very impressed with how the documentation looks. Similar to
           | ReadMe.io, but a little bit more simple. Would love to know
           | as well!
        
             | grinich wrote:
             | (Answered in the parent comment.)
             | 
             | The hardest part of these docs was actually just _writing_
             | the docs. So hard to come up with simple language for super
             | complicated topics. And so much more still to do!
        
         | bigbossman wrote:
         | Just want to clarify - is this different from Monday.com? I saw
         | a bunch of billboards on 101 advertising Monday as your new
         | Work OS.
        
           | grinich wrote:
           | lol yeah totally different. someone sent me a pic of those
           | last week
           | 
           | though maybe they should become a customer? ;)
        
       | aktive0 wrote:
       | Since this is an enterprise tool, what's your security posture like?
       | Are you compliant/certified with frameworks like ISO27001?
        
         | grinich wrote:
         | We're currently in the middle of our SOC-2 Type 2 observation
         | period and should have that certification in Q2.
         | 
         | The company is barely 1 year old and the process of
         | certification can be a bit slow. Other attestations including
         | ISO/IEC 27001, 27017, and 27018 will come later.
         | 
         | We also have a lot of internal practices and policy for how we
         | secure WorkOS while still allowing our engineering team to ship
         | code incredibly fast. It involves separation of duties,
         | hardware security keys (YubiKey), and lots of automation with
         | alerting.
         | 
         | Hopefully we can write something public about it later this
         | year. Many of the ideas came from Stripe's security team.
         | (Thanks Angie! <3)
        
           | j4ah4n wrote:
           | Will you be supporting HIPAA/PIPEDA as well? I'm just teeing
           | up all of this work for a healthcare SaaS offering, non-
           | trivial. We're presently deployed as a "per-customer" model
           | as some require enterprise options, others not so much. Would
           | be great to have a tool that fills those gaps simply when/as
           | required.
           | 
           | Looks great, I'll definitely be going through it in more
           | detail after work.
        
             | grinich wrote:
             | Yep - everything in WorkOS already pipes into our Audit Log
             | so it's quite close.
             | 
             | Would love to learn more about your app. Send me a note and
             | we can chat? mg@workos.com
        
       | stereobit wrote:
       | I wish I would have found this 3 months ago ...
        
         | grinich wrote:
         | Oof sorry you had to go through it! What did you end up
         | building?
        
       | dmarlow wrote:
       | I've had the same thought/idea myself. There's so much more this
       | can branch into if you want.
       | 
       | It looks like this is very targeted towards the SMB space. I'm
       | wondering if you could adjust your pricing and features to help
       | modernize & consolidate some of the overlap at larger businesses
       | in general.
        
       | leetrout wrote:
       | How does this compare / contrast to Auth0?
        
         | grinich wrote:
         | Similar and different in some ways. Our SSO is free, which
         | makes it a lot more accessible to startups and companies just
         | beginning to go up-market.
         | 
         | We also provide a more generic abstraction than Auth0. They
         | essentially "take over" your auth screens and show Auth0 UI. If
         | you use WorkOS, it's not visible to your end-users and you can
         | customize the sign-in experience however you want.
        
           | ucarion wrote:
           | You can do this with the Auth0 APIs as well, no? By hitting
           | the `/authorize` endpoint for saml-typed Auth0 connections?
           | In that case Auth0 then acts as a SAML-to-OpenID Connect
           | translation layer.
        
       | hashamali wrote:
       | It looks like RBAC isn't out yet, any timeline on that? This
       | seems like a very useful product!
        
         | grinich wrote:
         | Hopefully a beta in a few months. It will integrate closely
         | with the Directory/SCIM services so we want to get that part
         | right first.
        
       | [deleted]
        
       ___________________________________________________________________
       (page generated 2020-03-17 23:00 UTC)