[HN Gopher] Show HN: WorkOS - APIs for enterprise features like ...
___________________________________________________________________

Show HN: WorkOS - APIs for enterprise features like SSO/SAML

Author : grinich
Score  : 113 points
Date   : 2020-03-17 17:24 UTC (5 hours ago)

(HTM) web link (workos.com)
(TXT) w3m dump (workos.com)

| mdeeks wrote:
| Slightly off-topic complaint: I really wish these features
| weren't considered "Enterprise" by so many people. Do you have a
| company that uses third party tools and has employees that leave?
| Congrats, you're an "enterprise" and need the "enterprise" plan.
|
| I dream of the day that these features (SSO, Sync/SCIM, auditing)
| are considered table stakes.
|
| I hope WorkOS takes off and drives that.
|
| P.S. RIP Nylas

| realityking wrote:
| I used to share that sentiment but now having worked on the
| other side and been involved in too many pricing discussions,
| segmenting is _hard_. Generous free and credit card plans are
| often subsidized by enterprise contracts and you gotta have
| some features to make people want to pay for those enterprise
| plans. SSO/SCIM/Audit logs are great for that because big
| companies _really_ care while most SMBs don't have an IdP and
| SMEs are usually fine forgoing it if they can save a buck or
| two.

| xellisx wrote:
| I wish people would stop using 'OS' when naming things, when
| it's not an Operating System.

| grinich wrote:
| So there used to be a platform that gave you all the things
| you needed to build an app...
|
| It handled stuff like authentication, user management,
| provisioning, security, compliance, etc. It had a fantastic
| developer experience and was beloved by developers and at the
| _same time_ loved by IT. It allowed developers to focus
| exclusively on product features, and it seamlessly took care
| of administrative needs of corporate IT.
|
| It was called Microsoft Windows. :)
|
| But in today's era, everything has moved to the cloud and
| that's made the situation fragmented. There's over a dozen
| IdPs and even more directory systems and logging systems.
| There's no source of truth! In order to build an app for
| enterprise, you have to write all of this boilerplate
| integration code. And right now every company does it
| themselves in-house.
|
| The goal for WorkOS is to handle all the complicated
| undifferentiated complexity that every workplace app needs.
| It runs "under the hood" and lets you focus on building
| unique product features. It's a standard set of interfaces
| and features shared across applications.
|
| That's the role of the operating system and that's why we
| call it an OS. :)

| grinich wrote:
| Hi HN! I'm the founder of WorkOS (https://workos.com). We provide
| a developer API for making your app enterprise-ready. You can
| quickly add features including SSO/SAML, Directory Sync (SCIM),
| Audit Logs, and more.
|
| WorkOS is "Plaid for enterprise IT systems."
|
| I learned about these enterprise requirements the hard way.
| Previously, I founded Nylas where we built an email app called
| Nylas Mail. We couldn't monetize that app and shut it down (RIP)
| and the main reason was that we couldn't sell it to enterprise
| because it was missing features.
|
| Here's a short Twitter thread with more info about WorkOS:
| https://twitter.com/grinich/status/1239943470271188992
|
| Best place to start is with the docs: http://docs.workos.com/
|
| Would love to get your feedback, questions, and ideas. Thanks! :)

| OJFord wrote:
| Very minor, really, but did you consider tiers something like
| Developer/Startup/Corporate, rather than
| Free/Developer/Corporate?
|
| I just think surely every user (of yours) is a de facto
| developer, and really if that's all they are they only need the
| 'Free' tier until they start selling something (i.e. it's a
| business of some kind) and need the support.
|
| Other words: (for free) MVP, Prototype, Concept; (for middle
| tier) Business, Starter.
|
| But it looks nice, bookmarked as a 'solution I'd like to have
| the problem for' ;)

| grinich wrote:
| Naming is one of those hard problems. :P
|
| We're primarily targeted at developers but I found there's a
| lot of other people who care about enterprise features. For
| example, WorkOS allows a Head of Product to focus entirely on
| new end-user features and not build SAML config screens.
|
| WorkOS is surprisingly popular with the VP Sales. They have
| no idea what SAML or SCIM means, but they know it's blocking
| big deals. WorkOS helps them unlock that revenue.

| oron wrote:
| I'm just in the process of adding SSO to our iOS app and
| scratching my head trying to figure where to start....

| grinich wrote:
| This is a great place to start. (Plus it's free.)
|
| https://docs.workos.com/sso/overview

| ucarion wrote:
| I fully appreciate how difficult this is to do, but I think it
| would be immensely useful if WorkOS provided the docs that I
| (the SAML SP, your customer) provide to my customers who are
| setting up SAML (as an IdP) on their end.
|
| One of the biggest pain points I've experienced with SAML is
| that people come to me asking for help, but only understanding
| their IdP; the only IdP I know how to use is Okta, and I don't
| have access to their IdP to test with.
|
| I'd love it if WorkOS could give me documentation that I can
| give to my customers about how they can set up Okta/Azure
| ADFS/whatever with my product. I can edit those docs to account
| for idiosyncratic stuff my product does (e.g. requiring a
| particular SAML user attribute or format for user IDs).
|
| Aside: the support burden of SAML is a big part of why the
| sso.tax exists. Nobody on the SP or IdP end knows how to set
| this stuff up!

| grinich wrote:
| Yep we're already looking at doing this with docs. :)
|
| One thing to help with the SAML support is WorkOS.js. It's
| essentially an embeddable configuration flow, so you don't
| need to build the UI to collect x.509 certs, generate the ACS
| URL, etc. Similar architecture to "Plaid Link" so users never
| leave your app.
|
| Docs here: https://docs.workos.com/sso/embed-workosjs

| ucarion wrote:
| Yeah this is really cool! To your point about WorkOS.js --
| how would a customer know where to find their SAML
| metadata? Some of this can be done inline in WorkOS.js, of
| course.
|
| But no amount of inline docs in WorkOS.js's UI is going to
| get around the high-level guidance docs, both for your
| customers ("where do I even start") and your customers'
| customers ("how do I fit my IdP peg into your SP round
| hole").

| grinich wrote:
| Ah yeah I'm talking about two different things. The docs
| for getting SAML config would be on a separate public
| site.
|
| WorkOS.js is for the IT admin to configure their SSO/SAML
| integration.
|
| With both of these things, you can make SAML fully
| self-serve and include it in your base tier, which drives
| adoption and retention in bigger companies.

| cordite wrote:
| What did you use to build your documentation site?

| grinich wrote:
| It's custom, built on Next.js and MDX.
|
| https://github.com/zeit/next.js/
|
| https://github.com/mdx-js/mdx

| cordite wrote:
| Thank you!

| HEHENE wrote:
| Very impressed with how the documentation looks. Similar to
| ReadMe.io, but a little bit more simple. Would love to know
| as well!

| grinich wrote:
| (Answered in the parent comment.)
|
| The hardest part of these docs was actually just _writing_
| the docs. So hard to come up with simple language for super
| complicated topics. And so much more still to do!

| bigbossman wrote:
| Just want to clarify - is this different from Monday.com? I saw
| a bunch of billboards on 101 advertising Monday as your new
| Work OS.

| grinich wrote:
| lol yeah totally different. someone sent me a pic of those
| last week
|
| though maybe they should become a customer? ;)

| aktive0 wrote:
| Since this is an enterprise tool, what's your security posture like?
| Are you compliant/certified with frameworks like ISO27001?

| grinich wrote:
| We're currently in the middle of our SOC-2 Type 2 observation
| period and should have that certification in Q2.
|
| The company is barely 1 year old and the process of
| certification can be a bit slow. Other attestations including
| ISO/IEC 27001, 27017, and 27018 will come later.
|
| We also have a lot of internal practices and policy for how we
| secure WorkOS while still allowing our engineering team to ship
| code incredibly fast. It involves separation of duties,
| hardware security keys (YubiKey), and lots of automation with
| alerting.
|
| Hopefully we can write something public about it later this
| year. Many of the ideas came from Stripe's security team.
| (Thanks Angie! <3)

| j4ah4n wrote:
| Will you be supporting HIPAA/PIPEDA as well? I'm just teeing
| up all of this work for a healthcare SaaS offering,
| non-trivial. We're presently deployed as a "per-customer" model
| as some require enterprise options, others not so much. Would
| be great to have a tool that fills those gaps simply when/as
| required.
|
| Looks great, I'll definitely be going through it in more
| detail after work.

| grinich wrote:
| Yep - everything in WorkOS already pipes into our Audit Log
| so it's quite close.
|
| Would love to learn more about your app. Send me a note and
| we can chat? mg@workos.com

| stereobit wrote:
| I wish I would have found this 3 months ago ...

| grinich wrote:
| Oof sorry you had to go through it! What did you end up
| building?

| dmarlow wrote:
| I've had the same thought/idea myself. There's so much more this
| can branch into if you want.
|
| It looks like this is very targeted towards the SMB space. I'm
| wondering if you could adjust your pricing and features to help
| modernize & consolidate some of the overlap at larger businesses
| in general.

| leetrout wrote:
| How does this compare / contrast to Auth0?

| grinich wrote:
| Similar and different in some ways. Our SSO is free, which
| makes it a lot more accessible to startups and companies just
| beginning to go up-market.
|
| We also provide a more generic abstraction than Auth0. They
| essentially "take over" your auth screens and show Auth0 UI. If
| you use WorkOS, it's not visible to your end-users and you can
| customize the sign-in experience however you want.

| ucarion wrote:
| You can do this with the Auth0 APIs as well, no? By hitting
| the `/authorize` endpoint for saml-typed Auth0 connections?
| In that case Auth0 then acts as a SAML-to-OpenID Connect
| translation layer.

| hashamali wrote:
| It looks like RBAC isn't out yet, any timeline on that? This
| seems like a very useful product!

| grinich wrote:
| Hopefully a beta in a few months. It will integrate closely
| with the Directory/SCIM services so we want to get that part
| right first.

| [deleted]
___________________________________________________________________
(page generated 2020-03-17 23:00 UTC)