What's realistic for SSO integration costs on legacy business apps?
Posted by New-Reception46@reddit | sysadmin | 16 comments
Got quotes to add SSO support to 5 internal applications, numbers are all over the place and trying to figure out what's reasonable.
Background: These are custom built apps from 2010-2015 era. Time tracking system, project management tool, a couple department specific apps. All still in use, all work fine but none have any SSO capability.
Quotes we're seeing:
One consulting firm: $45k total for all 5 apps (3-4 months)
Another: $15k per application (so $75k total)
Both say each app needs custom SAML/OIDC implementation work since they were built before we had any identity standards.
My boss asked why our devs can't just do it. Problem is:
They're busy with other work
This isn't their area - last time we tried in house IAM integration it dragged on for 6 months and had bugs
We'd still need to pull them off revenue generating work
Feels like we're stuck between either paying consulting fees that seem high or leaving these apps outside our SSO setup and managing access manually.
For those who've integrated older custom apps with their IdP, what did costs/timelines actually look like? Are we getting reasonable quotes or should we keep shopping around?
thortgot@reddit
SAML support isn't complicated to do.
If your existing dev team can't build it I would question what they can do.
I wouldn't use an external firm to bolt on auth. That's going to lead to all future auth issues being sent their way.
Hire someone who understands it and deploy it.
morphAB@reddit
u/thortgot hey! Your "hire someone who understands it" point makes a lot of sense.
I work at Cerbos (we do authorization) and wanted to ask you something based on above, related to legacy apps and authorization. Tried to dm but settings don't allow it, would you be open to a quick chat? Feel free to message me if so :)
jimicus@reddit
I don't think OP is saying they aren't physically capable of doing it.
I think OP is saying they are, but they have other priorities that have them tied up for the foreseeable future. And their existing projects have a definite impact on the bottom line that's way in excess of their salary, so taking them away from such projects will require a business case that costs less than simply paying a consultant to do this.
thortgot@reddit
SAML support doesn't take months to implement. Getting an internal resource who understands auth is the best path forward.
tankerkiller125real@reddit
I'd argue OIDC with SCIM is the easy route here, basically every language, and every framework has some sort of OIDC library/support, and SCIM is a trivial protocol to understand and implement.
raip@reddit
For a fresh system - absolutely. For a legacy system that likely already has its own authorization and authentication model, SAML is likely the way to go as you're only stripping out the authentication model and hooking it up to the user + authorization model in place.
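The "strip out authentication, keep the existing user and authorization model" step that raip describes (and that the OIDC route tankerkiller125real suggests needs just the same), as an added example that is not from the thread. It assumes the SAML/OIDC library has already verified the assertion (signature, audience, validity window) and that a stable-subject column is added to the legacy user table; the user records are constructed.

```python
# Added example, not from the thread: the bridging step after the SAML/OIDC
# library has already verified the assertion (signature, audience, time window).
from dataclasses import dataclass
from typing import Optional

@dataclass
class LegacyUser:
    user_id: int
    email: str
    roles: list                        # the app's existing authorization model
    active: bool = True                # the app's existing account state
    sso_subject: Optional[str] = None  # hypothetical new column: stable IdP subject

def sample_users() -> dict:
    """Constructed stand-in for the legacy app's user table."""
    return {
        1: LegacyUser(1, "alice@example.com", ["timesheet_approver"], sso_subject="idp-sub-111"),
        2: LegacyUser(2, "bob@example.com", ["timesheet_user"]),
        3: LegacyUser(3, "carol@example.com", ["admin"], active=False, sso_subject="idp-sub-333"),
    }

class SsoBridgeError(Exception):
    pass

def bridge_assertion(assertion: dict, users: dict) -> LegacyUser:
    """Map verified assertion claims (sub, email, email_verified) to a legacy account."""
    sub = assertion.get("sub")
    if not sub:
        raise SsoBridgeError("assertion lacks a stable subject identifier")
    # 1. Prefer the stored subject: email addresses get reassigned, subjects do not.
    user = next((u for u in users.values() if u.sso_subject == sub), None)
    if user is None:
        # 2. First login: link by email only when the IdP vouches for that email.
        if not assertion.get("email_verified", False):
            raise SsoBridgeError("email not verified by IdP; refusing to link")
        email = assertion.get("email", "").lower()
        user = next((u for u in users.values() if u.email.lower() == email), None)
        if user is None:
            raise SsoBridgeError("no matching legacy account; provisioning is a separate step")
        user.sso_subject = sub  # remember the linkage for next time
    # 3. The legacy app's own account state still governs access.
    if not user.active:
        raise SsoBridgeError("legacy account is disabled")
    # 4. Roles come from the legacy authorization model, untouched by SSO.
    return user
```

Provisioning new accounts (SCIM or otherwise) is deliberately kept out of this path so that an IdP assertion alone never creates access in the legacy app.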
CheesecakePerfect156@reddit
Oauth2 proxy
Ralecoachj857@reddit
Yeah, SSO integration on legacy apps can get pricey and unpredictable, our internal devs also weren’t the best fit. We ended up leaving some apps outside SSO but used Orchid Security to track all accounts, enforce offboarding, and audit access. It didn’t reduce integration cost, but it made managing manual access way safer and auditors were happy.
AppIdentityGuy@reddit
If the apps are web based and on-prem you could look at Entra ID Application Proxy or GSA Private Access in the short term
JwCS8pjrh3QBWfL@reddit
I would agree that App Proxy is probably the crutch to lean on here while the devs free up some time to get a proper auth layer built into the app.
AppIdentityGuy@reddit
Private access is better for non web apps.
Greedy_Chocolate_681@reddit
Look up WorkOS, it's a pretty easy bolt-on SSO connector. And if your in-house team can't do their part with the WorkOS people, then either the app is a total trainwreck teardown or they need to get some reskilling under their belt.
orion3311@reddit
Take the quotes, and use them as budget to get your devs upgraded with an AI copilot, then ensure 1-2 devs can own the identity part of the apps. There's tons of examples out there and while I'm not a dev I don't think it's super hard to implement in most cases. Try to incorporate SCIM while you're at it.
bert1589@reddit
This is a bit of a loaded question really. Who is your "lead" developer and what do they think? Are all of your apps written on the same language / stack?
The timelines seem reasonable, and without knowing how many people the firms have working on it, it's hard to say. In my experience, whether it be dev, marketing, etc, 90% of agencies have too much fluff and contradicting interests that you won't hit your timeline or your budget. Personally, I prefer in-house devs, or individual contractors who can work for you directly as a dev.
Source: I run a small bootstrapped SaaS that I founded (wrote the code for the first 4-5 years) and have a small team of all FTE including devs.
Infninfn@reddit
I would say that those are reasonable costs instead of the much larger cost, both effort and time-wise, of going through new dev cycles to build them. 'Course, there are probably security and maintenance concerns for systems that old but apparently your leadership isn't bothered by it.
I would ask them to present examples of their previous work and if possible, a POC. The vendor with the experience of having done this for apps using your code stack would be the one to go with, regardless of price. That way they would still be doing a better job than your devs, particularly if they weren't the original ones who built the apps and aren't familiar with the code stack.
nwmcsween@reddit
What level of SSO? SSO integrated into the application as in groups seen from within the application itself or just SSO to get through the front door? If the latter there are many tools that can be used, oauth-proxy, ingress controllers, heck I think most firewalls offer something.
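The "SSO to get through the front door" option that nwmcsween and CheesecakePerfect156 raise (an auth proxy such as oauth2-proxy in front of the app) still needs one change inside the legacy app: it must accept the proxy's identity header only from the proxy, or anyone who can reach the app directly can forge it. Added example, not from the thread or from any proxy's documentation; the header names, the shared-secret header and the proxy network are assumptions to be replaced with your proxy's actual settings.

```python
# Added example, not from the thread: how a legacy app behind an auth proxy
# should decide whether to trust the identity the proxy forwards.
import hmac
import ipaddress

# Assumptions: adjust to the real proxy deployment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]   # constructed proxy subnet
PROXY_SHARED_SECRET = b"replace-with-a-long-random-value"  # placeholder secret
IDENTITY_HEADER = "X-Forwarded-User"                       # assumed header name
SECRET_HEADER = "X-Proxy-Secret"                           # assumed header name

class UntrustedRequest(Exception):
    pass

def identity_from_request(remote_addr: str, headers: dict) -> str:
    """Return the identity asserted by the auth proxy, or raise.

    A client that reaches the app directly and sets X-Forwarded-User itself
    fails either the source check or the shared-secret check.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    # 1. The request must arrive from the proxy's network...
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        raise UntrustedRequest("identity header accepted only via the auth proxy")
    # 2. ...and carry the proxy's shared secret, compared in constant time.
    presented = h.get(SECRET_HEADER.lower(), "").encode()
    if not hmac.compare_digest(presented, PROXY_SHARED_SECRET):
        raise UntrustedRequest("missing or wrong proxy secret")
    # 3. Only then is the forwarded identity believed.
    user = h.get(IDENTITY_HEADER.lower(), "").strip()
    if not user:
        raise UntrustedRequest("proxy did not assert an identity")
    return user
```

The app's own login form and any other path that sets a session without going through this check have to be disabled as well, otherwise the proxy can simply be walked around.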