[HN Gopher] ZeroTier Business SSO
___________________________________________________________________
ZeroTier Business SSO
Author : tiernano
Score  : 52 points
Date   : 2022-06-09 19:33 UTC (3 hours ago)
Link   : www.zerotier.com

| viraptor wrote:
| I love it. I've been an extremely happy home user (server, laptops, phones) for years and I want to pay them something, but the minimum plan was a barrier for that in the past. But they get my $5 immediately.
|
| onphonenow wrote:
| I almost launched a zerotier alternative for business SSO only. I'm very excited by this. Quick question.
|
| Our use case is simple, as are many businesses'.
|
| We have users that authenticate using Google, let's say. We want to give them remote desktop access from their home. They ARE NOT techies.
|
| Ideally we could give them an SSO login (it sounds like this will make that possible). And then authorize them to connect to nodes Y and Q. We don't need "networks" at this level, just user A authorized to connect to node Y or node group 5 etc.
|
| If we have users and user groups and nodes and node groups you can then basically do whatever a business is used to doing (this breakout is common in many smaller businesses using Active Directory, Google etc).
|
| This seems boring but the competition is pretty poor. Sonicwall and friends with VPN setups are time consuming and pretty complex to manage and deploy. Anydesk and friends have just horrible business practices (try cancelling).
|
| Cloudflare is getting there sort of with WARP, but it's also awkward and they keep moving their product positioning around.
|
| Note - we happen to use some mikrotik for fun as well as sonicwall supported by our third party MSP - we've started to see zerotier show up on mikrotik which has been fun.
|
|   anderiv wrote:
|   FWIW, Tailscale's ACL functionality[0] enables exactly this.
|
|   [0] https://tailscale.com/kb/1018/acls/
|
|   lacrosse_tannin wrote:
|   zerotier rules engine can do node x can connect to node y, or nodes in group x can all talk to node y, but not each other, etc...
|
| api wrote:
| ZeroTier founder here --
|
| We've been hard at work on this for a very long time, and we're obviously quite happy today! This is a must-have or really-want for a huge number of business customers.
|
| That being said, we don't and are not going to _require_ SSO sign-in. You'll always be able to just authorize a device. (On SSO networks that's done by setting them to SSO-exempt.) You can also self-host network controllers like always, and we're planning on making that easier in the future not harder. We're all about not forcing you into ecosystems (SSO can do that) and about decentralization.
|
| As for other stuff coming in the near-mid future: version 2.0 is not dead. We obviously got massively derailed (mostly good but very distracting things) and under-estimated the scope and time, but it's still moving forward. We have not announced this elsewhere yet, but it's a near-total port to Rust. This is to get into a more modern language but also to use a safe language for security reasons. This has added time to the job but we're of the opinion that security-related software not written in a safe language is going to be considered a bad thing in the near future (if not already).
|
| V2 also has some significant cryptography improvements that bring us more to parity with more modern constructions like the Noise framework. This part has been going slow too because we've been moving carefully and soliciting a lot of peer review both informal and formally hired. Cryptography isn't something you just toss out the door and YOLO. :)
|
| Last but not least we are planning on some kind of transition from the BSL back to an OSI-compliant licensing scheme, but want to think this through rather than flail around.
|
| People at this site have really been fans and have helped us a lot over the years, and we're grateful. Thanks!
|
|   gesman wrote:
|   I absolutely loved ZeroTier for the last 4 yrs.
|
|   Until 2 weeks ago when my Windows machines absolutely stopped seeing each other and communicating with each other.
|
|   I made a post on ZeroTier discussion group 2 weeks ago with zero replies so far: https://discuss.zerotier.com/t/windows-machines-lost-access-...
|
|   If I can get some help - would be amazing.
|
|     schmidp wrote:
|     Not a lot of detail in your post.
|
|     Have you worked through: https://docs.zerotier.com/zerotier/troubleshooting/ ?
|
|       grrrzant wrote:
|       Pretty much this ^^ You've given no detail that differentiates your issue from all the other general troubleshooting advice out there already, nor do you say what you've tried to debug it.
|
|   schmidp wrote:
|   Always great to hear if a project adopts Rust. ZeroTier, in my experience, has been one of those applications that just work.
|
|   Keep up the great work!
|
|   sandstrom wrote:
|   I recently tested zero tier for a company use case (mobile development, giving a dev phone access to a dev computer, or allowing sharing between dev computers; basically sharing something with a colleague).
|
|   Also tested Tail Scale.
|
|   Some feedback (only writing this to help you improve):
|
|   1. Your UI is horrible. Hire 1-2 front-end/designers and copy everything that tail scale does right.
|
|   2. You should add a concept of users with e.g. GitHub as SSO-provider, like tail scale does. Maybe that's what you're releasing now?
|
|   3. Your docs are very bad compared to tail scale, and you should have much more docs on common scenarios and use cases. For example, mine wasn't mentioned but is fairly common. You are losing a lot of business here.
|
|   4. iOS VPN auto connect functionality is good.
|
|   5.
|   You should add some type of global DNS, such that we could map all devices/users like this: macbook1.jane.my-company.net (resolve via your network; you host the DNS, we provide our domain). Basically what Consul does.
|
|   6. If user is authed (see 1 above), auth of devices should be optional.
|
|   7. Your language for network rules is too complicated.
|
|   8. My impression was that your network software is better than TailScale, but in every other way they beat you (docs, UI, usability, features).
|
|   9. iOS app is ugly and has obvious bugs, like you can't enter text in fields in lower case without hassle.
|
|   Couldn't actually get my use-case to work on tailscale either. The stuff they're missing is in the works though. Will revisit you both in 6 months.
|
|   I'm rooting for you, but you must understand that it's not only about software, all the packaging around it is also important (and you are severely lacking in this area).
|
|     linsomniac wrote:
|     > 1. Your UI is horrible. Hire 1-2 front-end/designers and copy everything that tail scale does right.
|
|     I don't think that's entirely fair to say "horrible". It does everything I've needed of it quite well. The design sensibilities are just... I'm not sure what the right word is, but maybe "ugly" is good enough. I remember when I first looked at it I thought "this is going to be horrible", but once I started using it the functionality was pretty good.
|
|     For example, I'd call it better than DefinedNetworks from a usability standpoint, because you aren't clicking in and out of a bunch of things, but DN is definitely easier on the eyes.
|
|     api wrote:
|     The SSO release today adds a concept of users. That's what it's all about.
|
|     You are 1000% right about UI/UX. It was good for networking software years ago but the ecosystem has generally improved since then.
|
|     If anyone who is reading wants to help:
|
|     https://jobs.lever.co/zerotier/90436aee-8e55-406d-9053-a0c26...
|
|     Location is set to Cincinnati because we want to nucleate more engineers in this region but the position is open to anyone in the USA. We'll hire anywhere if someone is really good. We're remote-first.
|
|     Edit:
|
|     > 7. Your language for network rules is too complicated.
|
|     It's too low-level. We are researching a higher-level way to edit rules in terms of intent rather than the current pf-esque rules language that requires you to deeply understand TCP/IP and such.
|
|     That being said it is very powerful and you can do extremely neat stuff with it. It's in some ways more powerful than what you get with enterprise data center SDN products.
|
|       linsomniac wrote:
|       > That being said it is very powerful and you can do extremely neat stuff with it. It's in some ways more powerful than what you get with enterprise data center SDN products.
|
|       I think that's true, but I have basically 0 confidence that I can implement even simple rules using it, let alone anything more complicated.
|
|       The thing that was the real show stopper for me and made me switch to Nebula was that there doesn't seem to be a way to self-host a backup controller so that our network can continue to function even if ZeroTier.com is having problems. Unless, that is, I go entirely self-hosted and give up the web management UI, which I think is part of the compelling offer of ZeroTier.
|
|         grumblez wrote:
|         Hi. ZT team member here.
|
|         Network members will continue to be able to communicate with the controller down as long as they were online before the controller went down. Not a full solution, I know.
|
|         Otherwise, it's a difficult problem to solve. The only way we could let you run a network controller as a back up right now would be to give you the private key for the controller, which would allow you to change everybody else's network on that controller, too. Not the best of ideas giving that info away!
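As an added illustration of the rules-engine capability mentioned earlier in the thread ("nodes in group x can all talk to node y, but not each other") and of the pf-style flow-rules language api refers to, here is a hub-and-spoke rule set written in ZeroTier's flow-rules syntax as I understand it from the public rules-engine documentation. It is not taken from the thread or from ZeroTier's own docs; the tag id, enum values and the 10-hex-digit member address are placeholders chosen for the example.

```text
# Added example, not from the thread or ZeroTier's documentation.
# Goal: members tagged "client" may talk to the "server" member(s),
# but never to each other. Rules are evaluated top to bottom and the
# first matching accept/drop is final, so the final "drop;" is the
# default-deny that enforces the isolation.

# Only carry IPv4, ARP and IPv6 frames; drop every other ethertype.
drop
  not ethertype ipv4
  and not ethertype arp
  and not ethertype ipv6
;

# Tag "role" (placeholder id 1000): 0 = client, 1 = server.
# The value is assigned per member in the controller UI/API;
# unassigned members default to client, i.e. least privilege.
tag role
  id 1000
  enum 0 client
  enum 1 server
  default 0
;

# "tor" matches when the bitwise OR of the sender's and receiver's
# tag values equals the given value: 1 means at least one side is a
# server. A client<->client packet gives 0 and falls through.
accept
  tor role 1
;

# Per-node exception: one admin member (placeholder address) may reach
# anyone and be reached by anyone, matched in both directions so that
# return traffic is accepted too.
accept
  ztsrc 1234567890
  or ztdest 1234567890
;

# Default deny: everything not accepted above (client-to-client).
drop;
```

Members that were already online keep their last rule set and certificates of membership if the controller becomes unreachable, which is the partial resilience grumblez describes above; a change of tag values, however, only propagates once the controller is back.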
|
| eqvinox wrote:
| Another one for the SSO wall of shame [https://sso.tax/] :(
|
| (Arguments for this being a bad thing are listed there)
|
|   lacrosse_tannin wrote:
|   SSO costs time/money to implement, support, maintain,...
|
|     Spivak wrote:
|     And it's also a high-value feature for people who have money to spend.
|
|     And if you use Auth0/Okta to implement your SSO (on the SaaS side) shit's expensive as fuuuck and cost is per integration.
|
|   sandstrom wrote:
|   Great page, I'm also annoyed by this. SSO tax is a great name btw.
|
|   They should have a hall of fame at the bottom though, showcasing SaaS-providers doing it right.
|
|   api wrote:
|   I agree. We do have plans to support free "social SSO" in the future with certain providers.
|
|   <rant>
|
|   ... now if people would only pay for software without some lever like this we'd make SSO included.
|
|   I was just ranting on this topic earlier today:
|
|   https://news.ycombinator.com/item?id=31676011#31680304
|
|   SSO is a fairly decent "are you a business or an individual" lever, which is why the SSO tax exists. Otherwise businesses will not pay anything and then complain when you disappear.
|
|   As I always say: people will pay $10 every day for a latte and a donut at Starbucks but you have to twist their arms to get them to pay much less than that for software they get tons of value from.
|
|   </rant>
|
|     ROFISH wrote:
|     The problem is mostly the tax being across all vendors.
|
|     Sure, you can do it, but then it's $5/seat for thing A, $3/seat for thing B, $4/seat for thing C, and you can end up paying $50/seat for all the random software associated.
|
|     Yeah, for high value employees that's nothing. But for a warehouse worker to log in and check off a compliance form once a month? It's not worth it, give them a shared login.
|
|     And then once shared logins happen, it'll just become habit for a bunch of small stuff that snowballs.
|
|     So that's why the first thing I look at for software is that if it has a per-seat cost, I'm going elsewhere because I want all my staff, not just the high-value staff, to be able to access and get what they need done.
|
|     ignoramous wrote:
|     > _As I always say: people will pay $10 every day for a latte and a donut at Starbucks but you have to twist their arms to get them to pay much less than that for software they get tons of value from._
|
|     I guess there's a lesson or two in market positioning and distribution in there somewhere.
|
|     See also: _SimSWE 4: Wants, needs, and chasm-crossing_, https://apenwarr.ca/log/20211024 (2021).
|
|     newfonewhodis wrote:
|     > people will pay $10 every day for a latte and a donut at Starbucks
|
|     I know you are using this for effect, but I literally do not know anyone who goes to Starbucks anywhere close to daily.
|
|       iampims wrote:
|       I live next to a Starbucks, and see tons of familiar faces every day.
|
|       Spivak wrote:
|       $10/mo is infinity dollars -- I'm not committing to that, especially because the cost of leaving is high.
|
|       $10 for lunch, even regularly, is still a one time expense.
|
|       It's capex vs. opex
|
|     [deleted]
|
|     eqvinox wrote:
|     > SSO is a fairly decent "are you a business or an individual" lever.
|
|     Arguably, an "are you a business rich enough to afford better security concepts" lever. So the smaller companies are left stranded :(
|
|     I understand your point, but at the same time I'd rather go for other levers. Maybe charging extra for SSO on _support plans_, while making SSO features themselves freely available (without support)?
|
|     [Ed.: I see you reworded your post a bit:]
|
|     > I agree. We do have plans to support free "social SSO" in the future with certain providers.
|
|     I guess that could cover most realistic small-business use cases. Or rather, if you can afford a "complicated" SSO solution, you can actually afford an SSO surcharge on services too.
|     Sounds like a better lever?
|
|       ay wrote:
|       FWIW - all of the prices listed on sso.tax look to me like reasonable amounts for anything that can call itself a business in western Europe or the US.
|
|       One can view it as the SSO-enabled offering being a product, and the SSO-less option being a demo. Which, let's be fair, it really is.
|
|       So, would you advocate the removal of the SSO-less trial discount?
|
|         keonix wrote:
|         > western Europe or the US.
|
|         Why would we care about anyone not in the richest countries. It's not like they need security by default to not become another botnet and DDoS Europe or US businesses.
|
|         I would like to see you justify paying sso.tax to a business owner in countries where a sysadmin is paid less than those services ask in a month
|
|         ahnberg wrote:
|         The issue isn't so much that one single separate service is priced in a certain way. When you add up dozens and dozens of services for various split needs for the business, and each one of them has a $/user/month thing and then to build decent security into it all, you double or triple that amount per service. It adds up, very quickly.
|
|         For the good of the Internet, the security of the global entirety of things, it is very very wise if everyone makes an attempt to make the defaults sane and secure, including things like this. It surely is a differentiator between "individual" and "business", but it shouldn't have to be. I agree wholeheartedly with the sso.tax site that it's just one way for business to attempt to make revenue out of a basic need that any modern company would have.
|
|         Make the profit off real value added services for enterprises, automation, integrations, support, advanced features that give insights or save money or whatever; but don't be sneaky with the security aspect, is basically what I'm saying.
|
|         Compare it with streaming services. No one can argue against Netflix being particularly expensive.
|         Anyone can afford it. It's just one latte per month. But when you not only want to consume what is on Netflix, you have to get another service, and another, and another, and another. Very very soon the aggregated cost starts to be very noticeable for a lot of people. And piracy makes a comeback.
|
|         eqvinox wrote:
|         Yes, I would advocate the removal of the SSO-less trial discount. Rationale: most of these "trials" are otherwise fully capable and lend themselves very well to becoming long-term ways of doing things. "Nothing is more definitive than the temporary."
|
|         Or, to view it from a different angle - SSO is not a/the feature that should be removed to make it the "trial".
|
|         And from yet another angle: you could consider removing (or not offering) SSO similar to selling a car without seat belts (ignoring aspects of legality). It's not a problem until it is. But if you want the seat belts to be effective, you need to always have and use them from minute zero.
|
|   lordofmoria wrote:
|   I used to be with the SSO-wall-of-shame crowd...until I had to maintain and support SSO within a production app. G-suite/Social SSO? Fine. Not a problem. SAML? Good luck automating that and not having to reset certs / tweak things per-client. That's why it costs money.
|
|   Another problem I have with the "SSO should be free, because it's security-related" argument is that it's a misunderstanding of why it costs money. It's not because companies want to gate security features. It's because when you're trying to create a pricing model for an otherwise free product, going from "I'm ok with manually inviting/deactivating users" to "I now need SSO, because this product has enough adoption within the company to merit it" happens to be almost a perfect way to delineate between casual freemium users and business users who should be paying. That, combined with my initial point, is why I dropped out of the SSO tax crowd.
|
| unwind wrote:
| Meta: title is odd, probably after HN filtered out the exclamation point.
|
|   dang wrote:
|   Yes. Shortened manually now (from "ZeroTier Business SSO is here And so is our new pricing")
___________________________________________________________________
(page generated 2022-06-09 23:00 UTC)