[HN Gopher] ZeroTier Business SSO
___________________________________________________________________
ZeroTier Business SSO
Author : tiernano
Score : 52 points
Date : 2022-06-09 19:33 UTC (3 hours ago)
(HTM) web link (www.zerotier.com)
(TXT) w3m dump (www.zerotier.com)
| viraptor wrote:
| I love it. I've been an extremely happy home user (server,
| laptops, phones) for years and I want to pay them something, but
| the minimum plan was a barrier for that in the past. But they get
| my $5 immediately.
| onphonenow wrote:
| I almost launched a zerotier alternative for business SSO only.
| I'm very excited by this. Quick question.
|
| Our use case is simple as are many businesses.
|
| We have users that authenticate using Google lets say. We want to
| give them remote desktop access from their home. They ARE NOT
| techies.
|
| Ideally we could give them an SSO login (it sounds like this will
| make that possible). And then authorize them to connect to nodes
| Y and Q. We don't need "networks" at this level, just user A
| authorized to connect to node Y or node group 5 etc.
|
| if we have users and user groups and nodes and node groups you
| can then basically do whatever a business is used to doing (this
| breakout is common in many smaller businesses using Active
| Directory, Google etc).
|
| This seems boring but the competition is pretty poor. Sonicwall
| and friends with VPN setups are time consuming and pretty complex
| to manage and deploy. Anydesk and friends have just horrible
| business practices (try cancelling).
|
| Cloudflare is getting there sort of with WARP, but it's also
| awkward and they keep moving their product positioning around.
|
| Note - we happen to use some mikrotik for fun as well as
| sonicwall supported by our third party MSP - we've started to see
| zerotier show up on mikrotik which has been fun.
| anderiv wrote:
| FWIW, Tailscale's ACL functionality[0] enables exactly this.
|
| [0] https://tailscale.com/kb/1018/acls/
| lacrosse_tannin wrote:
| zerotier rules engine can do node x can connect to node y, or
| nodes in group x can all talk to node y, but not each other,
| etc...
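The "group x can talk to node y but not each other" pattern above, written in ZeroTier's rules language as documented in its manual; this is an added illustration, not code from any commenter, and the tag name `server`, its id 1000 and the 0/1 enum values are assumptions (the controller assigns each member's tag value):

```text
# Assumed tag: each member is either a server (1) or a client (0).
# Members with no explicit value default to client.
tag server
  id 1000
  enum 0 no
  enum 1 yes
  default no
;

# Allow only IPv4, IPv4 ARP and IPv6 Ethernet frames.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Accept a frame when the bitwise OR of the sender's and recipient's
# 'server' tag is 1, i.e. at least one endpoint is a server.
# Client-to-client traffic ORs to 0 and does not match this rule.
accept tor server 1;

# Anything that reached this point (client-to-client included) is dropped.
drop;
```

Because the rules are evaluated on both the sending and receiving member, a client that is handed a modified rule set still has its traffic dropped by the server side, which is the property that makes the tag approach useful for segmentation.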
| api wrote:
| ZeroTier founder here --
|
| We've been hard at work on this for a very long time, and we're
| obviously quite happy today! This is a must-have or really-want
| for a huge number of business customers.
|
| That being said, we don't and are not going to _require_ SSO
| sign-in. You'll always be able to just authorize a device. (On
| SSO networks that's done by setting them to SSO-exempt.) You can
| also self-host network controllers like always, and we're
| planning on making that easier in the future not harder. We're
| all about not forcing you into ecosystems (SSO can do that) and
| about decentralization.
|
| As for other stuff coming in the near-mid future: version 2.0 is
| not dead. We obviously got massively derailed (mostly good but
| very distracting things) and under-estimated the scope and time,
| but it's still moving forward. We have not announced this
| elsewhere yet, but it's a near-total port to Rust. This is to get
| into a more modern language but also to use a safe language for
| security reasons. This has added time to the job but we're of the
| opinion that security-related software not written in a safe
| language is going to be considered a bad thing in the near future
| (if not already).
|
| V2 also has some significant cryptography improvements that bring
| us more to parity with more modern constructions like the noise
| framework. This part has been going slow too because we've been
| moving carefully and soliciting a lot of peer review both
| informal and formally hired. Cryptography isn't something you
| just toss out the door and YOLO. :)
|
| Last but not least we are planning on some kind of transition
| from the BSL back to an OSI-compliant licensing scheme, but want
| to think this through rather than flail around.
|
| People at this site have really been fans and have helped us a
| lot over the years, and we're grateful. Thanks!
| gesman wrote:
| I absolutely loved ZeroTier for the last 4 yrs.
|
| Until 2 weeks ago when my Windows machines absolutely stopped
| seeing each other and communicating with each other.
|
| I made a post on ZeroTier discussion group 2 weeks ago with
| zero replies so far: https://discuss.zerotier.com/t/windows-
| machines-lost-access-...
|
| If I can get some help - would be amazing.
| schmidp wrote:
| not a lot of detail in your post.
|
| have you worked through:
| https://docs.zerotier.com/zerotier/troubleshooting/ ?
| grrrzant wrote:
| Pretty much this ^^ You've given no detail that
| differentiates your issue from all the other general
| troubleshooting advice out there already, nor do you say
| what you've tried to debug it.
| schmidp wrote:
| Always great to hear if a project adopts rust. ZeroTier, in my
| experience, has been one of those applications that just work.
|
| Keep up the great work!
| sandstrom wrote:
| I recently tested ZeroTier for a company use case (mobile
| development, giving a dev phone access to a dev computer, or
| allowing sharing between dev computers; basically sharing
| something with a colleague).
|
| Also tested Tailscale.
|
| Some feedback (only writing this to help you improve):
|
| 1. Your UI is horrible. Hire 1-2 front-end/designers and copy
| everything that tail scale does right.
|
| 2. You should add a concept of users with e.g. GitHub as SSO-
| provider, like tail scale does. Maybe that's what you're
| releasing now?
|
| 3. Your docs are very bad compared to tail scale, and you
| should have much more docs on common scenarios and use cases.
| For example, mine wasn't mentioned but is fairly common. You
| are losing a lot of business here.
|
| 4. iOS VPN auto connect functionality is good.
|
| 5. You should add some type of global dns, such that we could
| map all devices/users like this: macbook1.jane.my-company.net
| (resolve via your network; you host the dns, we provide our
| domain). Basically what Consul does.
|
| 6. If user is authed (see 1 above), auth of devices should be
| optional.
|
| 7. Your language for network rules is too complicated.
|
| 8. My impression was that your network software is better than
| TailScale, but in every other way they beat you (docs, UI,
| usability, features).
|
| 9. iOS app is ugly and has obvious bugs, like you can't enter
| text in fields in lower case without hassle.
|
| Couldn't actually get my use-case to work on tailscale either.
| The stuff they're missing is in the works though. Will revisit
| you both in 6 months.
|
| I'm rooting for you, but you must understand that it's not only
| about software, all the packaging around it is also important
| (and you are severely lacking in this area).
| linsomniac wrote:
| >1. Your UI is horrible. Hire 1-2 front-end/designers and
| copy everything that tail scale does right.
|
| I don't think that's entirely fair to say "horrible". It does
| everything I've needed of it quite well. The design
| sensibilities are just... I'm not sure what the right word
| is, but maybe "ugly" is good enough. I remember when I first
| looked at it I thought "this is going to be horrible", but
| once I started using it the functionality was pretty good.
|
| For example, I'd call it better than DefinedNetworks from a
| usability standpoint, because you aren't clicking in and out
| of a bunch of things, but DN is definitely easier on the
| eyes.
| api wrote:
| The SSO release today adds a concept of users. That's what
| it's all about.
|
| You are 1000% right about UI/UX. It was good for networking
| software years ago but the ecosystem has generally improved
| since then.
|
| If anyone who is reading wants to help:
|
| https://jobs.lever.co/zerotier/90436aee-8e55-406d-9053-a0c26.
| ..
|
| Location is set to Cincinnati because we want to nucleate
| more engineers in this region but the position is open to
| anyone in the USA. We'll hire anywhere if someone is really
| good. We're remote-first.
|
| Edit:
|
| > 7. Your language for network rules is too complicated.
|
| It's too low-level. We are researching a higher-level way to
| edit rules in terms of intent rather than the current pf-
| esque rules language that requires you to deeply understand
| TCP/IP and such.
|
| That being said it is very powerful and you can do extremely
| neat stuff with it. It's in some ways more powerful than what
| you get with enterprise data center SDN products.
| linsomniac wrote:
| >That being said it is very powerful and you can do
| extremely neat stuff with it. It's in some ways more
| powerful than what you get with enterprise data center SDN
| products.
|
| I think that's true, but I have basically 0 confidence that
| I can implement even simple rules using it, let alone
| anything more complicated.
|
| The thing that was the real show stopper for me and made me
| switch to Nebula was that there doesn't seem to be a way to
| self-host a backup controller so that our network can
| continue to function even if ZeroTier.com is having
| problems. Unless, that is, I go entirely self-hosted and
| give up the web management UI, which I think is part of the
| compelling offer of ZeroTier.
| grumblez wrote:
| Hi. ZT team member here.
|
| Network members will continue to be able to communicate
| with the controller down as long as they were online
| before the controller went down. Not a full solution, I
| know.
|
| Otherwise, it's a difficult problem to solve. The only
| way we could let you run a network controller as a back
| up right now would be to give you the private key for the
| controller, which would allow you to change everybody
| else's network on that controller, too. Not the best of
| ideas giving that info away!
| eqvinox wrote:
| Another one for the SSO wall of shame [https://sso.tax/] :(
|
| (Arguments for this being a bad thing are listed there)
| lacrosse_tannin wrote:
| sso costs time/money to implement, support, maintain,...
| Spivak wrote:
| And it also a high-value feature for people who have money to
| spend.
|
| And if you use Auth0/Okta to implement your SSO (on the SaaS
| side) shits expensive as fuuuck and cost is per integration.
| sandstrom wrote:
| Great page, I'm also annoyed by this. SSO tax is a great name
| btw.
|
| They should have a hall of fame at the bottom though,
| showcasing SaaS-providers doing it right.
| api wrote:
| I agree. We do have plans to support free "social SSO" in the
| future with certain providers.
|
| <rant>
|
| ... now if people would only pay for software without some
| lever like this we'd make SSO included.
|
| I was just ranting on this topic earlier today:
|
| https://news.ycombinator.com/item?id=31676011#31680304
|
| SSO is a fairly decent "are you a business or an individual"
| lever, which is why the SSO tax exists. Otherwise businesses
| will not pay anything and then complain when you disappear.
|
| As I always say: people will pay $10 every day for a latte and
| a donut at Starbucks but you have to twist their arms to get
| them to pay much less than that for software they get tons of
| value from.
|
| </rant>
| ROFISH wrote:
| The problem is mostly tax being across all vendors.
|
| Sure, you can do it, but then it's $5/seat for thing A,
| $3/seat for thing B, $4/seat for thing C, and you can end up
| paying $50/seat for all the random software associated.
|
| Yeah, for high value employees that's nothing. But for a
| warehouse worker to login and checkoff a compliance form once
| a month? It's not worth it, give them a shared login.
|
| And then once shared logins happen, it'll just become habit
| for a bunch of small stuff that snowballs.
|
| So that's why the first thing I look at for software is that
| if it has a per-seat cost, I'm going elsewhere because I want
| all my staff, not just the high-value staff, to be able to
| access and get what they need done.
| ignoramous wrote:
| > _As I always say: people will pay $10 every day for a latte
| and a donut at Starbucks but you have to twist their arms to
| get them to pay much less than that for software they get
| tons of value from._
|
| I guess there's a lesson or two in market positioning and
| distribution in there somewhere.
|
| See also: _SimSWE 4: Wants, needs, and chasm-crossing_ ,
| https://apenwarr.ca/log/20211024 (2021).
| newfonewhodis wrote:
| > people will pay $10 every day for a latte and a donut at
| Starbucks
|
| I know you are using this for effect, but I literally do not
| know anyone who goes to Starbucks anywhere close to daily.
| iampims wrote:
| I live next to a Starbucks, and see tons of familiar faces
| everyday.
| Spivak wrote:
| $10/mo is infinity dollars -- I'm not committing to that,
| especially because the cost to leaving is high.
|
| $10 for lunch, even regularly, is still a one time expense.
|
| It's capex vs. opex.
| [deleted]
| eqvinox wrote:
| > SSO is a fairly decent "are you a business or an
| individual" lever.
|
| Arguably, a "are you a business rich enough to afford better
| security concepts" lever. So the smaller companies are left
| stranded :(
|
| I understand your point, but at the same time I'd rather go
| for other levers. Maybe charging extra for SSO on _support
| plans_ , while making SSO features themselves freely
| available (without support)?
|
| [Ed.: I see you reworded your post a bit:]
|
| > I agree. We do have plans to support free "social SSO" in
| the future with certain providers.
|
| I guess that could cover most realistic small-business use
| cases. Or rather, if you can afford a "complicated" SSO
| solution, you can actually afford a SSO surcharge on services
| too. Sounds like a better lever?
| ay wrote:
| FWIW - all of the prices listed on sso.tax look to me like
| reasonable amounts for anything that can call itself a
| business in the western Europe or the US.
|
| One can view it as the SSO-enabled offering being a
| product, and the SSO-less option being a demo. Which, let's
| be fair, it really is.
|
| So, would you advocate the removal of the SSO-less trial
| discount ?
| keonix wrote:
| > western Europe or the US.
|
| Why would we care about anyone not in the richest
| countries? It's not like they need security by default to
| not become another botnet and DDoS Europe or US
| businesses.
|
| I would like to see you justify paying sso.tax to a
| business owner in countries where a sysadmin is paid less
| than those services ask in a month.
| ahnberg wrote:
| The issue isn't so much that one single separate service
| is priced in a certain way. When you add up dozens and
| dozens of services for various split needs for the
| business, and each one of them has a $/user/month thing
| and then to build decent security into it all, you double
| or triple that amount per service. It adds up, very
| quickly.
|
| For the good of the Internet, the security of the global
| entirety of things, it is very very wise if everyone
| makes an attempt to make the defaults sane and secure,
| including things like this. It surely is a differentiator
| between "individual" and "business", but it shouldn't
| have to be. I agree wholeheartedly with the sso.tax site
| that it's just one way for business to attempt to make
| revenue out of a basic need that any modern company would
| have.
|
| Make the profit of real value added services for
| enterprises, automation, integrations, support, advanced
| features that give insights or save money or whatever;
| but don't be sneaky with the security aspect, is
| basically what I'm saying.
|
| Compare it with streaming services. No one can argue
| against Netflix being particularly expensive. Anyone can
| afford it. It's just one latte per month. But when you
| not only want to consume what is on Netflix, you have to
| get another service, and another, and another, and
| another. Very very soon the aggregated cost starts to be
| very noticeable for a lot of people. And piracy makes a
| comeback.
| eqvinox wrote:
| Yes, I would advocate the removal of the SSO-less trial
| discount. Rationale: most of these "trials" are otherwise
| fully capable and lend themselves very well to becoming
| long-term ways of doing things. "Nothing is more
| definitive than the temporary."
|
| Or, to view it from a different angle - SSO is not a/the
| feature that should be removed to make it the "trial".
|
| And from yet another angle: you could consider removing
| (or not offering) SSO similar to selling a car without
| seat belts (ignoring aspects of legality). It's not a
| problem until it is. But if you want the seat belts to be
| effective, you need to always have and use them from
| minute zero.
| lordofmoria wrote:
| I used to be with the SSO-wall-of-shame crowd...until I had to
| maintain and support SSO within a production app.
| G-suite/Social SSO? Fine. Not a problem. SAML? Good luck
| automating that and not having to reset certs / tweak things
| per-client. That's why it costs money.
|
| Another problem I have with the "SSO should be free, because
| it's security-related" argument is that it's a misunderstanding
| of why it costs money. It's not because companies want to gate
| security features. It's because when you're trying to create a
| pricing model for an otherwise free product, going from "I'm ok
| with manually inviting/deactivating users" to "I now need SSO,
| because this product has enough adoption within the company to
| merit it" happens to be almost a perfect way to delineate
| between casual freemium users and business users who should be
| paying. That, combined with my initial point, is why I dropped
| out of the SSO tax crowd.
| unwind wrote:
| Meta: title is odd, probably after HN filtered out the
| exclamation point.
| dang wrote:
| Yes. Shortened manually now (from "ZeroTier Business SSO is
| here And so is our new pricing")
___________________________________________________________________
(page generated 2022-06-09 23:00 UTC)