fastest way to kill an enterprise SaaS deal: make IT feel nervous during auth review
Posted by Lol_Panda2004@reddit | sysadmin | 160 comments
i sit in on procurement/security reviews for a mid-sized company and honestly a shocking number of SaaS products lose trust in the first 10 minutes.
usually it’s stuff like:
- “SSO is only on enterprise”
- MFA = SMS only
- no self-serve SAML setup
- audit logs are basically CSV exports
- session timeout isn’t configurable
- status page hasn’t been touched in months
- security answers sound AI-generated and weirdly vague
- “SOC 2 compliant” instead of just showing the Type II report exists
the funny part is most founders think pricing or features are why deals stall. half the time it’s just IT realizing they’re about to babysit your auth system forever. Okay so how many SaaS founders here discovered this way later than expected??
Illustrious-Egg8857@reddit
Interesting thread, seeing a lot of ppl skeptical of GRC/AI report slop. (not trying to sell anything), but I built an open-source AWS evidence layer where every finding traces back to the exact API call that produced it, SHA-256 hashed, so an auditor can verify it themselves rather than just trusting the report. Still early but curious if that addresses the traceability problem people are describing here
Kraeftluder@reddit
We've got all of this on a cheat sheet and send it to potential vendors with "If you don't check every box on this list with your production release right now, then you're welcome to check back with us when it does".
It makes life a lot easier.
ai_hedge_fund@reddit
… any chance you would share…?
Kraeftluder@reddit
No as it's a document that easily identifies me and my organization with a big cross on its forehead. It's also not translated to English.
It's basically just an excel sheet with pretty logical things like:
- TLS1.2 & 1.3 on all communications
- SSO with support for OIDC (if your site does Liberty, Shibboleth, WSFed or SAML you can add them as you see fit)
- The Operating System may be updated without preemptively contacting your support department (f you KPN and your voicemail server that couldn't be rebooted)
Pick and send what you want, depending of course on whether it's SaaS or an on-prem solution, because that last example might not really work that well for SaaS.
Prestigious_Rabbit30@reddit
We have a non-functional requirements (NFR) specification document that should accompany all tenders for software/SaaS, etc.
It includes, over and above standard security and authentication-related questions or policies that they need to align with, questions about hosting territories, back-ups, "mean"-times, disaster recovery, number of simultaneous connections, encryption of data (at rest; in transit), where data is stored, how we download all the data if the contract expires, GDPR/HIPAA compliance, etc.
Any item where they are not able to comply with what we require either needs to be clearly indicated, and then there should be either a workaround, or a timeline of when it will be implemented, or the company (we) needs to indicate that we accept the risk of this not being there (depending, of course, on what the item is), etc.
Kraeftluder@reddit
Yeah we do a lot of tenders too.
ai_hedge_fund@reddit
Understood - thank you for taking the time to share what you can!
BeginningOwl2235@reddit
I ran into this the hard way on the vendor side. We kept tweaking pricing and features while deals died in “security review” purgatory. What changed things was treating auth like a first-class product surface, not a checkbox.
What worked: we made SSO available on every paid plan, added self-serve SAML with a dead-simple “paste your metadata, test, flip” flow, and shipped real audit logs with immutable events and admin search, not CSV dumps. We also wrote a short, human-readable “how we do auth” doc and had our eng lead join early calls so answers didn’t sound canned.
I used Okta’s own docs and Stripe’s security pages as models, and we watched how people on here talk about auth risk. Google Alerts and Mention were fine, but Pulse for Reddit kept surfacing threads like this where IT vents about auth pain, which gave us way better input than any NPS survey.
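The "paste your metadata" step above is where a self-serve SAML flow either earns trust or dies: the SP has to tell the admin immediately whether what they pasted is usable. The script below is an added example (not code from the thread or from any vendor named in it) of that first validation step in Python. It assumes standard SAML 2.0 IdP metadata and an SP that implements the HTTP-Redirect and HTTP-POST bindings; the sample metadata document, its entityID and the certificate blob are constructed.

```python
"""Step 1 of a self-serve "paste your metadata, test, flip" SAML flow:
validate pasted IdP metadata before the "flip" switch is even offered.
Added example; not from the thread or any vendor in it.
"""
import base64
import binascii
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUPPORTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed placeholder: base64 of a marker string, not a real DER certificate.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed IdP metadata with a fictional entityID and endpoints.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_ts(value: str) -> dt.datetime:
    """Parse an xs:dateTime such as 2099-01-01T00:00:00Z as an aware datetime."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_idp_metadata(xml_text: str, now: Optional[str] = None) -> dict:
    """Return {"ok": bool, "errors": [...], "config": {...}} for pasted IdP metadata.
    `now` is an ISO-8601 timestamp for the validUntil check (defaults to current UTC)."""
    current = _parse_ts(now) if now else dt.datetime.now(dt.timezone.utc)
    errors, config = [], {}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"ok": False, "errors": [f"not well-formed XML: {exc}"], "config": config}
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return {"ok": False, "errors": ["root element is not md:EntityDescriptor"], "config": config}

    entity_id = root.get("entityID")
    if not entity_id:
        errors.append("missing entityID")

    # validUntil is the IdP saying when it stops vouching for this document.
    valid_until = root.get("validUntil")
    if valid_until and _parse_ts(valid_until) <= current:
        errors.append(f"metadata expired at {valid_until}; ask the IdP admin for a fresh export")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        errors.append("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
        return {"ok": False, "errors": errors, "config": config}

    # Keep every signing certificate: an IdP publishes two during certificate
    # rollover, and the SP must accept assertions signed by either one.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no use= means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            raw = "".join((cert.text or "").split())
            try:
                base64.b64decode(raw, validate=True)
            except (ValueError, binascii.Error):
                errors.append("X509Certificate is not valid base64")
                continue
            signing_certs.append(raw)
    if not signing_certs:
        errors.append("no signing certificate: assertion signatures could not be verified")

    # Only bindings this SP implements, and only over https.
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location")
        if binding in SUPPORTED_BINDINGS and location and location.startswith("https://"):
            endpoints[binding.rsplit(":", 1)[1]] = location
    if not endpoints:
        errors.append("no SingleSignOnService with a supported binding over https")

    config = {"entity_id": entity_id, "sso_endpoints": endpoints, "signing_certs": signing_certs}
    return {"ok": not errors, "errors": errors, "config": config}
```

The "test" step is a real login against the stored config with a test account, and "flip" is only offered once both this validation and that login succeed; storing the certificate list rather than a single certificate is what makes the renewal complaints later in this thread a non-event, because the admin can paste refreshed metadata containing both old and new certificates before the old one expires.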
juicycanvas@reddit
hi, would you be kind enough to share a simple how-to doc on this part, "self-serve SAML with a dead-simple “paste your metadata, test, flip” flow"? thanks!
continueops_com@reddit
Same side of the table — I do these reviews for regulated buyers. The second meeting is where most vendors lose us. Auditor asks for the SOC 2 Type 2 covering the actual product, vendor pulls up a Type 1 from 2024 with the scope cut down to just their public marketing site.
Like.. honestly how?! Customers are paying large invoices here and the report doesn't cover the product itself.
Other repeat offenders:
Vendor tells you they're DORA-compliant. Cool, where's your sub-processor list with country of processing? Faces go blank!
Audit log export is a CSV. No API, no retention SLA, no schema doc. Timestamps in the vendor's local TZ.
Tenant isolation diagram is one box labelled multi-tenant, with a footnote saying RLS is applied where applicable... applicable needs context; there's more mapping of controls in an apple pie than here.
A few more I've seen recently — DPA turning up as a 2-page PDF with the customer name field still left as a placeholder, audit log retention turning out to mean 7 days, sub-processor list ending at AWS.
Relative_Test5911@reddit
As soon as SAML is an optional extra I am out.
dghah@reddit
Re IdP SSO integration, which should be entry-level table stakes in 2026: name and shame on https://ssotax.org/ -- my employer screens new vendors and platforms and if they hide SSO integration behind a special or "enterprise" higher price tier we stop moving forward with them at that point and look at their competitors.
abofh@reddit
This. $call is already burning a few hundred dollars of time. Tell me your list price. If I want to haggle, I'll call.
Barbarian_818@reddit
Frankly, I decided many years ago that "submit request for pricing" really meant "let us know who you are so we can decide how much we can rip you off for".
Tetha@reddit
I fully agree and SSO is honestly our preferred user management. We have a tier list of IDPs and base an initial setup fee on those. Entra ID OIDC is also the first one to be fully self-service on that list (significant chunk of SSO customers). Other well-known providers are also usually an hour of setup fee, which is often waived. We also don't charge maintenance afterwards.
We do this, because... well I've had to deal with in-house built PHP-based SAML providers. Of which the original maintainers left the company years ago. That kinda shit is going to cost the customer money, and not a little bit. If you want SSO, use one of the big providers.
WeleaseBwianThrow@reddit
This here is exactly the wrong attitude. SAML is a standard; if you're compliant with that standard as a Service Provider you're compliant.
Expose the configuration options, give me a Metadata endpoint. It's not hard. If your clients can't manage it then sure, do a managed setup.
If you implement it properly in your SaaS and document what claims you're expecting it's zero effort to configure.
Ansible32@reddit
The pricing is based on the assumption that the customer is a moron and will do it wrong. Which, from my experience is true of the typical customer.
WeleaseBwianThrow@reddit
SAML is ridiculously simple to configure, but none of this precludes you just giving the configuration options on a self serve basis and having a price for those who are unable to configure it themselves.
As long as both sides are compliant and offer either a Metadata file or endpoint it's basically plug and play
Suggesting it requires handholding to the point that you couldn't possibly offer it as a self serve option means that either your implementation on the SP side is pointlessly obtuse or you're being disingenuous.
EnragedMoose@reddit
Why should it be default?
DJzrule@reddit
I’ve been developing a platform for the last couple of years that I’m getting ready to make GA and one of the pillars I built it on was IdP integration on all license levels, including the free community edition. Including RBAC and end to end auditing at no extra charge because why up charge security and basic functionality?
ajf8729@reddit
Is that a new site? I’m used to seeing https://sso.tax
Kraeftluder@reddit
If you would've read quite literally the first line on the page you would've found a link that would've brought you here: https://ssotax.org/why
Fallingdamage@reddit
I got a quote for $1400 to set up SSO for a vendor's service we use.
And then they wanted a $500/mo 'maintenance fee' to keep it active. I don't often spontaneously start laughing in meetings. Got a few dirty looks from my managers on that one.
rybl@reddit
Unfortunately hiding SSO behind an enterprise tier is so common that this seems hard to do.
snorkel42@reddit
Someone tag Basecamp on this.
Ganjanium@reddit
No SSO or at minimum decent MFA and it’s a no deal
Keepitcruel@reddit
Serious question about audit logs being csv direct download. What would be smarter and more appreciated? I worked with a company that offered that for “security reasons”, but I am curious about alternatives for future products.
fdeyso@reddit
99.9999% of the time i don’t need a csv download, i just want to quickly look at something in the gui, don’t want to wait until it generates the last 2 hours logs.
fdeyso@reddit
We had one that lied that they have “modern SCIM-like provisioning”; everyone assumed SAML, they meant asking for a CSV every month.
TuxAndrew@reddit
No self-serve SAML setup is by far the most annoying aspect of most vendors we deal with these days.
TSwiftDivorceLawyer@reddit
What is it that they do then? Have I only ever had self-serve so I don't know of an alternative?
PCLOAD_LETTER@reddit
Alt is the product technically supports SAML but it's abysmally documented. IT will need to get on a call with the lowest level tech person at the vendor and teach them how to set up SSO on their own product.
Thurl_Ravenscroft_MD@reddit
Ugh my chest hurts. Rarely have I identified so much with a comment.
Not_A_Van@reddit
I actually had to walk engineers through their own JS code to implement it properly and explain how certain things worked and the way they implemented it was wrong
ShutUpAndDoTheLift@reddit
I'm now convinced this will happen with any vendor now after years of vendor work.
Wq vendor I'm convinced didn't build their own product. Nextlabs vendor gave up trying to do a greenfield airgap install, and Immuta documentation looks like it was written in one context window by GPT-3, and no one caught during v26 testing that the Trino integration was reporting successful policy passes and literally doing nothing since release. Applura worked for over 500 hours to install a non-working greenfield PoC. Investigation shows that they started out on a good foot by installing in the wrong location.
SimplifyAndAddCoffee@reddit
New, from Anthropic: leaving fixing your slopware to the customer's IT dept.
Interesting-Yellow-4@reddit
This has been my life in recent years
zero0n3@reddit
The alternative is not having it at all. It’s “self serve SAML on enterprise” and “SSO not available on plans lower than enterprise”
ImmediateConfusion30@reddit
When it’s not with a premium option attached to it on that enterprise plan 😭
iNteg@reddit
The other issue is oh send us the SSO metadata, and we'll do the config part on our end.
So what if our environment changes? I can't go in and swap shit out? cool. let me email you and then when your ticket hits your queue to do our work our SSO will randomly stop working and i get a nastygram call.
Arkios@reddit
This is the usual pain and suffering we experience. It usually takes 3x as long to set up because the person on the vendor side seems to have never set up SSO before, so you have a bunch of back and forth that takes ages.
Certificate renewal is the other headache.
scriptmonkey420@reddit
The sad part is, if you've done it once it's not hard to remember or even fucking Google it. SAML is an open standard. Sure it's old and archaic, but it's not like it's some shitty proprietary protocol. OIDC is easier to deal with though.
ShutUpAndDoTheLift@reddit
I've set up SSO 10x in the last 3 months and still fuck it up on the first try every... Single. Fucking time
goshin2568@reddit
No, the alternative is the vendor configures the SP side, which means 1) initial setup requires either a zoom call or a (usually multi-day) back and forth email exchange, and 2) any configuration changes require putting in a ticket with the vendor instead of just logging into an admin portal and making the change.
Kraeftluder@reddit
You send them your XML file and certificate and they send you theirs.
scriptmonkey420@reddit
I wish it was like that where I work, but there are SO MANY different teams that own applications that it's inevitable that there will be some SaaS app that the vendor needs to do themselves and the app team can't do well even with an admin account.
TSwiftDivorceLawyer@reddit
I remember this now. Unemployed for one year and I forgot my entire job.
Kraeftluder@reddit
Don't worry about it. You just didn't connect the dots immediately. Maybe you've got other things on your mind that are more pressing like being unemployed.
Rooting for you!
ChevronEncoder@reddit
You have to send them the SAML credentials and they will put them in their system and turn it on at their own whim.
TheRealLazloFalconi@reddit
And then they do a system update and forget to update the SAML auth process, so your company is down for a day while they try to pin it on you.
TuxAndrew@reddit
Followed up with "It's not working, we don't know why please schedule a meeting with us so we can troubleshoot."
ChevronEncoder@reddit
You forgot the thinly-veiled remark making it sound like it's your fault. "Please check with your IT administrator that it is set up correctly."
TuxAndrew@reddit
Oh, I didn't forget that. They're usually tagged along on the email, checks notes, it's me.
Ninjabeaver212@reddit
We have a few SaaS solutions that the vendor has to configure the SP side via a ticket. It's extra annoying when certificates or secrets expire and you need to renew them. Pluralsight is the most recent one I can think of. But they also require an enterprise plan to even have SSO. Pluralsight is really shitty obviously from a business standpoint.
Arudinne@reddit
We have some bullshit AI call coaching app our sales team uses where the options to set up SAML were to give them the secret via email or via a Teams meeting.
Then SSO ended up getting turned off because some way management wanted to organize things didn't work with SSO. Really sucks for the users because logging in with SSO was a lot less confusing.
Oh, and the app has to be installed in the user context, which I fucking hate.
Fallingdamage@reddit
We had a vendor quote us $1400 for SSO integration with a $500/mo 'maintenance fee' for SSO through Azure.
Like.. wtaf. On the flip side we have vendors that just offer it like its nothing and have it setup in just a few minutes with help from my side of things. Other companies try to sell it as a premium feature.
What the hell are you doing to maintain SSO for $500/month.
Also - SOC documents. Just send us your reports. Don't tell us. Just send it.
For MFA, I do generally see vendors making something other than SMS available, which is usually just slightly more complicated than SSO - so I don't know why SSO is the premium feature.
Sad_Expert2@reddit
Isn't SSO cheaper for them than rolling their own auth, keeping it secure, and also taking on liability for any breaches in that system?
You'd think they'd be falling over themselves to offload almost all of it to the customer.
Ansible32@reddit
If it's just Entra / Google maybe but if you actually want to support most SSO solutions it's a huge headache.
maevian@reddit
But when you just give the option of entra you serve like 80% of companies if not more.
Also why would you still use SAML? Most apps are easily configured with OAuth, especially when combined with graph.
For small internal apps, I tend to use a separate OAuth proxy container.
Ansible32@reddit
I think that's also overestimating how competent most orgs are at self-serve SAML configuration, even if it's just Entra.
maevian@reddit
I understand SAML is difficult, but even a T1 helpdesk guy can set up an OIDC app registration in Entra.
TuxAndrew@reddit
Because end users and C-suites don’t know what the actual fuck SSO support entails.
ShutUpAndDoTheLift@reddit
OIDC only. Get bent.
I'm kidding.
But only a little
MortadellaKing@reddit
Or the ones that say they support SAML but when I go to enable, it just has a button for Entra ID or Google. We use ADFS and cisco duo.
fast4shoot@reddit
Why do y'all love SAML so much? As a developer, I totally despise SAML. OAuth always feels like a much more sane option to me.
TuxAndrew@reddit
I have no issues with OAuth it’s great too.
teethingrooster@reddit
I’d go even further and say if downloads, wikis, or forums run by the products are account locked to where I can’t look something up quickly I’d drop them as a candidate
Accurate-Ad6361@reddit
It's actually worse than you think. Hardly any framework currently provides a decent authentication module, many of them are outdated and Microsoft Entra is not a hot topic. The open source community is profoundly detached from these issues. It sounds easy, but actually the underlying problem is a creep on the side of the frameworks.
Example, Ruby on Rails: auth via Devise for Rails = hardly updated, maintainer gone for months, any channel requires an additional hardly updated sub-module.
The reality is, Office365, Google Workspace and LDAPs are the three standards and hardly any language has a complete implementation to auth against all three.
sofixa11@reddit
OIDC is the SSO standard (which is supported by Google Workspace, EntraID, Okta, etc), and there are libraries/frameworks in all semi relevant languages for handling it.
electrobento@reddit
OIDC is certainly not the SSO standard. SAML is still king, for better or worse.
sofixa11@reddit
Nope, OIDC has been the standard for years now. I work at a software vendor and I see the demand for both, and almost nobody is using SAML nowadays. OIDC is simpler to configure and debug.
electrobento@reddit
Nope. I am an IAM engineer who sets up hundreds of integrations a year. Vendors that only support SAML are the vast majority.
sofixa11@reddit
In what space? Industrial appliances running Windows XP?
Because you'd be hard pressed to find a SaaS that only does SAML and not OIDC. Hell, most banks I work with are OIDC-first, that's how mainstream it is as a protocol.
electrobento@reddit
I work in large fintech. We have many hundreds of SaaS SSO integrations for the whole gamut of use cases. I’m not sure what you’re into, but SAML is very much so the most common singular option.
Accurate-Ad6361@reddit
Have you looked at them? Most are either incomplete or half baked. I fully agree that Open ID is there, but it’s a puzzle. Not even Wordpress right now has a decent external auth solution.
tecedu@reddit
eee, as someone who's written webapps in Python for 3/4 of those listed, it's pretty straightforward tbh apart from claims and the profile data consistency. But it's still doable easily.
Accurate-Ad6361@reddit
I think we Python people have a much more stable eco system than most others. Dependency hell is a real thing across the other web languages.
montarion@reddit
super small scale so maybe that changes things.. but what's wrong with Entra? I have 3 or 4 SaaS products using that as SSO.
uzlonewolf@reddit
I took that line as "none of the frameworks are even talking about implementing it," not that there was something wrong with it.
oxidizingremnant@reddit
Most frameworks don’t have auth built in anymore because they generally depend on middleware to handle the authentication and building the authorization claims (JWT). There’s all sorts of different identity providers that do the lifting that the frameworks aren’t building, and that’s the point: you want a strong, validated authentication solution instead of doing it yourself. Also the IDPs generally provide SDKs to use in most frameworks.
“Don’t roll your own auth” is the new “don’t roll your own crypto”
There are a number of paid (Entra B2B/B2C, Auth0, Stytch, Ping, Onetrust) and open source (Keycloak, Authentik) options, so the calculus becomes “which option supports our business use case?” For example, a lot of commercial IDP will charge extra for enterprise SSO connections. It’s not as costly as the SSO tax site shows, but it’s also not always free either.
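The "middleware handles the authentication and building the authorization claims" point above is where an SP either trusts the IdP blindly or actually checks what came back. The following is an added example (not code from the thread or from any vendor or IdP named in it) of the claim checks an SP runs on an OIDC ID token after its signature has been verified against the IdP's published JWKS; the rules follow the ID Token validation section of OIDC Core (3.1.3.7). The issuer, client ID, nonce and sample claims are constructed, and signature verification is assumed to have already happened.

```python
"""Post-signature claim checks for an OIDC ID token, as SP middleware does them.
Added example; not from the thread or any vendor in it.
"""
from typing import List, Optional, Set

ISSUER = "https://login.example.test/tenant-42/v2.0"  # constructed
CLIENT_ID = "spa-client-id"                            # constructed
NONCE = "n-0S6_WzA2Mj"                                 # constructed, bound to the login request

# Constructed payload of an already signature-verified ID token.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "user-1234",
    "aud": CLIENT_ID,
    "exp": 1_700_003_600,
    "iat": 1_700_000_000,
    "nonce": NONCE,
    "email": "alice@example.test",
}


def validate_id_token_claims(claims: dict, issuer: str, client_id: str, nonce: Optional[str],
                             now: int, skew: int = 60, max_age: Optional[int] = None,
                             trusted_audiences: Optional[Set[str]] = None) -> List[str]:
    """Return a list of problems; an empty list means the claims are acceptable.

    now is Unix time; skew tolerates small clock drift between IdP and SP;
    max_age (seconds) bounds how old an issued token may be if the login requested it.
    """
    trusted = trusted_audiences or {client_id}
    errors = []

    # iss must be exactly the issuer this client was configured for.
    if claims.get("iss") != issuer:
        errors.append(f"iss mismatch: {claims.get('iss')!r}")

    # aud may be a string or a list; it must name this client, and every other
    # audience must be one the client explicitly trusts.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        errors.append("aud does not include this client")
    if any(a not in trusted for a in audiences):
        errors.append("aud lists an audience this client does not trust")
    if len(audiences) > 1 and "azp" not in claims:
        errors.append("multiple audiences but no azp claim")
    if "azp" in claims and claims["azp"] != client_id:
        errors.append("azp is not this client")

    # Lifetime checks; a missing exp is treated as expired rather than eternal.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp + skew:
        errors.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, int):
        errors.append("iat missing")
    elif iat > now + skew:
        errors.append("iat is in the future")
    elif max_age is not None and now - iat > max_age:
        errors.append("token issued too long ago for the requested max_age")

    if not claims.get("sub"):
        errors.append("sub missing")

    # nonce ties the token to the authentication request that started the login.
    if nonce is not None and claims.get("nonce") != nonce:
        errors.append("nonce mismatch (possible replay)")
    return errors
```

Documenting exactly this list (which issuer, which audience, which claims carry groups and email) is the "document what claims you're expecting" step from earlier in the thread; the customer's IdP admin can then configure the app registration without a call.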
harrythefurrysquid@reddit
It's pretty bloody expensive in my experience.
My startup went with Auth0, and their initial business plan was something like £100 a month and included 3 Enterprise SSO connections. Beyond that, you needed an Enterprise plan with Auth0 which is literally orders of magnitude more expensive.
We bit the bullet. It probably doesn't sound like that much money, but that could easily be 20% of your infra budget in the early days.
And then lots of people here want you to build elaborate self-serve layers on top of that, which is another relatively costly exercise you're going to have to recover somehow.
Brandhor@reddit
that's a problem with rails I guess but other languages/frameworks usually have up to date libraries
personally I think the biggest problem right now that nobody is even looking at is email mfa, if you are using 365 or google workspace great but if you are using anything else you are out of luck because pop3/imap/smtp don't support any kind of mfa
they do support OAuth2, but the reality is that all email clients only support OAuth2 when using 365 or Google Workspace, so it's kinda useless
jimicus@reddit
That explains the underlying issue. But it’s not really OP’s problem. That’s for the vendor to figure out.
Accurate-Ad6361@reddit
Keep in mind that in today’s world the majority of new companies do not employ centralized auth other than office365 / workspace at the beginning. Hence the wild majority of users want click > login. As much as it frustrates you, it’s a big customer topic and not a majority of customers topic. With the gaping pile of shit open source has in some aspects become its frustrating, I know.
PoetryImmediate8187@reddit
A lot of the time the SSO tax is actually being charged by WorkOS, Clerk, etc. and the vendor is passing it through to the customer.
Workos charges >$100/mo per SSO connection and more if you want audit logs for customers, etc.
This immediately blows up my ability to charge $499/mo for a tier that includes SSO.
montarion@reddit
so.. build your product/service/empire using something else, preferable a something that understands security is non-negotiable?
PoetryImmediate8187@reddit
Why don't you just start an auth company that offers free enterprise features?
How hard could auth be?
harrythefurrysquid@reddit
Speaking as someone who's been on the SaaS side of this:
Often by the time you get to this point you're too locked into a solution. Or you bought something that was an independent auth SaaS and got hoovered up by Okta or a competitor.
It's also relatively hard to justify spending the time on a fully automated SSO setup process when you're landing at most a few corporate deals a month and manual setup takes minutes. You might argue this is self-reinforcing, and you might even be right, but my experience as an engineer is that corporate contracts can take 18 months to come good and manual SSO setup is never the blocker.
12Superman26@reddit
Whats the Problem with SSO Being behind a higher tier? I only know Software where its not in the free tier.
RikiWardOG@reddit
Because paywalling such a base-level security feature that takes just about nothing to implement is a straight-up grift and cash grab. There's tons of companies that don't charge extra for SSO and then there's others that charge thousands and thousands just for SSO. That's absolute BS and they do it because they know they can get away with it, because lots of times vendors have an almost monopoly.
sofixa11@reddit
Alternatively, it's something which costs them money to implement properly and securely, so they charge appropriately.
uzlonewolf@reddit
Storage for storing passwords also costs money, as does the CPU cycles to hash and validate them upon log-in, so I take it you would also be okay with everyone charging more to enable passwords?
electrobento@reddit
Many things cost money.
SSO is a minimum requirement for secure operations without a boatload of paperwork every auditing cycle.
RikiWardOG@reddit
you're delusional if you think charging 5-10k for SSO is appropriate
RangerNS@reddit
In my personal home lab, total human user count: 1, service account count: 10(?), password and account management is very nearly already too much for me to want to worry about.
Any multi user software should be able to connect to some kind of external authentication source. I might even accept LDAP and not SSO, but SSO is very close to table stakes.
As an administrator I might even be willing to map my groups to your groups. Better would be just seeing all my groups, and configuring RBAC on them. A way to filter down to a subset of my groups would be nice, but not critical.
If I've got to do anything to individual user accounts on your side, that is a big nope.
torbar203@reddit
If it's a difference between free tier and paid for tier, that's fine.
But if it's a difference between "you have our enterprise plan, but you really need our enterprise plus plus plan, and then you can add the SAML integration for another X a month per user", which is the BS I typically see, then that's a problem (and half the time they don't tell you it's a paid-for add-on until way too late in the process).
12Superman26@reddit
Ah okay. Yeah, that makes sense.
Avas_Accumulator@reddit
Yes.
That's my whole comment. One SaaS vendor sounded shocked when I said that (enforced) SSO was a hard requirement before we let any user in.
noOneCaresOnTheWeb@reddit
I love when all of their public demos and PowerPoints have confidential/secret watermarks everywhere.
Brilliant-Race8606@reddit
As someone who’s held a clearance, my favorite is when they show that when pitching to people who actually go into secret spaces. Buddy, if it were actually secret I couldn’t be bored as shit on my phone as you drone on about things that I never asked for and barely touch on the stuff I did
ancientstephanie@reddit
If I can't evaluate a product properly with a credit card and a throwaway email address, including SSO on the lowest SMB tier, then we're done.
Treat me right when I'm a nobody, or I'm not giving your salespeople a chance to pitch the product.
Brilliant-Race8606@reddit
The gatekeeping of their internal training, assuming it’s not a live class, also pisses me off. I’m trying to implement your product and now I need to contact my account representative for the privilege of watching a video or doing a virtual simulation lab? What if I want to learn more about how to use it so I can maybe implement it in the future instead of being forced into a sales meeting with a dude who says I’ll have to get back to you on that every five minutes?
maevian@reddit
For me it’s simple, I don’t deploy new software if it doesn’t have OIDC or SAML for SSO with entra.
RegimeCPA@reddit
Gating the SOC 2 and SSO behind an enterprise license is so insane but I see it all the time.
ocabj@reddit
This frustrates me to no end. I don't understand how any service does not have a log stream facility.
An API to pull logs is mildly acceptable.
NorthernVenomFang@reddit
An API for logs is also mildly infuriating... If I have to mess with curl or write a Python script to get logs, you failed as a dev.
Is it really that hard to send to syslog/Windows event logging?
jks@reddit
Ok, the API is that the csv files are on an ftp server.
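Several posts in this thread ask what audit logs should look like instead of a CSV in the vendor's local timezone: a stable schema, UTC timestamps, events that cannot be quietly edited, and a stream a SIEM can ingest. The following is an added example (not code from the thread or from any vendor in it) of an event record that meets those asks in Python: a versioned JSON schema, timestamps normalised to UTC (with zone-less ones refused rather than guessed at), a SHA-256 hash chain so an edit or a deleted event is detectable, and an RFC 5424 syslog line per event. The hostname, app name and the three sample events are constructed.

```python
"""Audit events with a fixed schema, UTC timestamps, a SHA-256 hash chain and
an RFC 5424 syslog rendering. Added example; not from the thread or any vendor.
"""
import datetime as dt
import hashlib
import json
from typing import List

SCHEMA_VERSION = 1
GENESIS_HASH = "0" * 64  # prev_hash of the very first event


def to_utc_iso(ts: str) -> str:
    """Normalize an ISO-8601 timestamp to UTC at millisecond precision.
    A timestamp without a zone is refused: guessing a zone is how "vendor local TZ" logs happen."""
    parsed = dt.datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp has no timezone: {ts}")
    utc = parsed.astimezone(dt.timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def accepts_timestamp(ts: str) -> bool:
    """True if the timestamp would be accepted by to_utc_iso."""
    try:
        to_utc_iso(ts)
        return True
    except ValueError:
        return False


def _canonical(event: dict) -> bytes:
    # Sorted keys, no whitespace: the hash must not depend on the serializer.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self):
        self.events: List[dict] = []

    def append(self, ts, actor, action, target, outcome, **details) -> dict:
        """Record one event; its hash commits to the previous event's hash."""
        prev = self.events[-1]["hash"] if self.events else GENESIS_HASH
        event = {
            "schema": SCHEMA_VERSION, "seq": len(self.events), "ts": to_utc_iso(ts),
            "actor": actor, "action": action, "target": target, "outcome": outcome,
            "details": details, "prev_hash": prev,
        }
        event["hash"] = hashlib.sha256(_canonical(event)).hexdigest()
        self.events.append(event)
        return event

    def verify(self) -> List[int]:
        """Seq numbers whose chain link is broken; an empty list means intact."""
        broken, prev = [], GENESIS_HASH
        for index, event in enumerate(self.events):
            unsigned = dict(event)
            stored = unsigned.pop("hash", None)
            recomputed = hashlib.sha256(_canonical(unsigned)).hexdigest()
            if event.get("seq") != index or event.get("prev_hash") != prev or stored != recomputed:
                broken.append(event.get("seq", index))
            prev = stored
        return broken

    def syslog_line(self, event: dict, hostname="app.example.test", appname="saas-audit") -> str:
        """RFC 5424 line; PRI 14 = facility user (1) * 8 + severity informational (6)."""
        return f"<14>1 {event['ts']} {hostname} {appname} - AUDIT - {json.dumps(event, sort_keys=True)}"


def build_sample_log() -> AuditLog:
    """Three constructed events; the first arrives with a non-UTC offset."""
    log = AuditLog()
    log.append("2025-03-01T09:00:00-05:00", "alice@example.test", "user.login",
               "tenant-42", "success", ip="203.0.113.5")
    log.append("2025-03-01T14:05:00Z", "bob@example.test", "role.grant",
               "carol@example.test", "success", role="admin")
    log.append("2025-03-01T14:06:30.250Z", "bob@example.test", "apikey.create",
               "tenant-42", "failure", reason="mfa_required")
    return log
```

The chain only proves anything if the latest hash regularly leaves the vendor's control, for example by being included in the customer's syslog stream or a periodic report, since an attacker with write access could otherwise rewrite an event and recompute every hash after it; the schema version field is what lets a customer's SIEM parser keep working when fields are added later.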
orion3311@reddit
Who are we kidding? Management is going to buy it anyway.
TheRealLazloFalconi@reddit
Right? The decision was made before IT ever got involved.
NorthernVenomFang@reddit
Is it ever done any other way? We are always the last ones to get brought in on things.
themastermatt@reddit
Hey u/orion3311, I know that this didn't go through the normal procurement process and the security team already said no, but the COO overruled them and we've already got it going for half the users but people are forgetting their passwords - can you ess ess ooh this thing or whatever it is you call it? We can circle back and look at remediating findings later. OK? Great! Thanks! Bye!
WendoNZ@reddit
Now you're just trying to make our eyes twitch!
PloofElune@reddit
Yup. Someone has already hedged their year end bonus on a "successful" deployment.
RikiWardOG@reddit
Hey this tool we haven't discussed at all with IT has gone all the way through our approval process and been purchased with a 3 year contract, can you set it up by end of week? OK cool, thx.... we've all been there lol
NorthernVenomFang@reddit
The "SOC 2 Compliant" always gets me.
I work for a K12 school division. When PowerSchool got breached they were "SOC 2 Compliant"; that sure helped them a lot when a 19-year-old managed to get an access token off a contractor's laptop.
So I have a little giggle every time I see another SaaS product that claims SOC 2.
matthewmspace@reddit
SSO should be in every business-tied plan by now.
zurnout@reddit
I agree, but I also work at a SaaS and kind of get it. It’s a tax on the headache of setting it up. 3/4 of customers' IT teams don’t understand SAML and it can take weeks of calendar time to teach them how Entra works and get it configured.
matthewmspace@reddit
It’s not that hard. If a salesperson/support rep says it’s hard, then it’s because they’re doing it exclusively over email back and forth instead of a one hour conference call with screen sharing.
slugshead@reddit
SCIM locked behind the full org licenses annoys me every time.
WendoNZ@reddit
Ha, a lot of the time you're lucky to get SCIM at all.... but I'm not bitter.
Sure, they still support SSO, just not the part of it that makes it actually useful to god damn manage, but I'm not bitter.
(I might actually be quite bitter)
TsoiViktor@reddit
That one's another big pain in the ass. I'd love to have SCIM for everything or at least most things, but that never happens.
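Two asks in this thread go together: RangerNS wants to map their IdP groups to the app's roles (with a way to filter to a subset of groups) and never touch individual accounts on the vendor side, and the SCIM posts above are about the deprovisioning half that SSO alone does not give you. The following is an added example (not code from the thread or any vendor in it) in Python of both: a group-to-role mapping that grants nothing for unmapped groups, and a reconcile step that diffs the IdP's membership against the app's user table into create/update/deactivate operations. Group names, role names and both user tables are constructed; a real SP would feed `idp_users` from SCIM pushes or a directory sync and `app_users` from its own database.

```python
"""IdP group -> app role mapping plus membership reconciliation (the work SCIM
automates). Added example; not from the thread or any vendor in it.
"""
from typing import Dict, List, Set

# Admin-configured mapping. Groups not listed here grant nothing, so a stray
# group in the assertion never turns into a privilege.
ROLE_MAP: Dict[str, str] = {
    "sg-app-admins": "admin",
    "sg-app-auditors": "auditor",
    "sg-app-users": "member",
}

# Constructed IdP view: {email: groups}.
IDP_USERS: Dict[str, List[str]] = {
    "alice@example.test": ["sg-app-admins", "sg-app-users", "sg-finance"],  # gains admin
    "bob@example.test": ["sg-app-users"],                                   # unchanged
    "carol@example.test": ["sg-app-auditors"],                              # new account
    "dave@example.test": ["sg-finance"],                                    # lost every entitling group
    "erin@example.test": ["sg-app-users"],                                  # rejoined after deactivation
}

# Constructed app view: {email: {"roles": set, "active": bool}}.
APP_USERS: Dict[str, dict] = {
    "alice@example.test": {"roles": {"member"}, "active": True},
    "bob@example.test": {"roles": {"member"}, "active": True},
    "dave@example.test": {"roles": {"member"}, "active": True},
    "erin@example.test": {"roles": {"member"}, "active": False},
    "frank@example.test": {"roles": {"admin"}, "active": True},  # no longer exists at the IdP
}


def roles_for(groups: List[str], role_map: Dict[str, str] = ROLE_MAP, only_prefix: str = "") -> Set[str]:
    """Roles granted by a user's IdP groups. only_prefix scopes which groups the
    app looks at at all (e.g. "sg-app-"), so unrelated groups are ignored."""
    return {role_map[g] for g in groups if g.startswith(only_prefix) and g in role_map}


def reconcile(idp_users: Dict[str, List[str]], app_users: Dict[str, dict],
              role_map: Dict[str, str] = ROLE_MAP) -> Dict[str, list]:
    """Diff the IdP's membership against the app's user table.

    Returns {"create": [...], "update": [...], "deactivate": [...]}.
    Accounts are deactivated, never deleted, so their audit history survives.
    """
    plan = {"create": [], "update": [], "deactivate": []}
    for email, groups in idp_users.items():
        roles = roles_for(groups, role_map)
        current = app_users.get(email)
        if not roles:
            # Still exists at the IdP but holds no entitling group: access ends.
            if current and current["active"]:
                plan["deactivate"].append(email)
            continue
        if current is None:
            plan["create"].append({"email": email, "roles": sorted(roles)})
        elif not current["active"] or current["roles"] != roles:
            plan["update"].append({"email": email, "roles": sorted(roles), "active": True})
    for email, current in app_users.items():
        # Gone from the IdP entirely (left the company, account removed).
        if email not in idp_users and current["active"]:
            plan["deactivate"].append(email)
    plan["deactivate"].sort()
    return plan
```

Running `reconcile` on every SCIM push (or on a schedule against a directory export) is what turns "we support SSO" into "we support offboarding": the day someone leaves the IdP, their app session and API keys can be revoked from the deactivate list without anyone emailing the vendor.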
bgradid@reddit
I'm loving Slack's incomplete SCIM functionality unless you go to enterprise grid
really makin' me accelerate my slack exit plans there
ThecaptainWTF9@reddit
If you want to make us pay for SSO, I don’t want anything to do with it. That just screams greed to me, let me charge you for trying to be more secure, us being more secure, means their platform is more secure. Yet we have to pay for that 🤷♂️
finallygrownup@reddit
No self serve SAML is a personal pet peeve. Although SMS MFA is not far behind.
MalletNGrease@reddit
I present to you: Email only MFA.
thortgot@reddit
Frankly I prefer email MFA to SMS MFA. At least I can control the email security experience there.
LUHG_HANI@reddit
I'd rather have no SMS if it's enforced. Major failure point.
TU4AR@reddit
See just make multi-phone number sms MFA.
Input six numbers you want to get the sms code. Every number only gets a single digit, you must all communicate with each other to figure out the 6 digit code. Boom hack proof. Code only last for one try.
EnragedMoose@reddit
Uh.. email only is superior to many other solutions.
DominusDraco@reddit
I had one vendor say for SSO they put a server in our environment with domain admin, to copy all the AD passwords into their environment so all users have the same password as on prem.
It was a fuck no from me.
CanYouShowMeTheError@reddit
As a security engineer I have several thoughts.
I’m okay with SSO on enterprise only; usually that’s where all of the compliance controls live too, so I’m pushing for that level of licensing anyway.
I’m okay with audit logs being CSV exports too. While I would prefer syslog connections so I can integrate with the SIEM, I’m not terribly worried about reviewing CSV files.
Where I draw the line though is SMS only MFA, no self-serve SAML, and not showing me the SOC 2 type II when I ask for it the first time. Failing any of those 3 earns an automatic denial that the platform will ever touch our environment.
TsoiViktor@reddit
I mean I get your point, but SSO being on enterprise only makes life a lot harder for IT because most of the time the decision to acquire a lower tier does not involve IT at all. Also, it depends if the SaaS in question offers a "business" tier. That tier is usually chosen by smaller businesses and they need SSO just as much.
CanYouShowMeTheError@reddit
My point was from the security perspective: generally speaking I’m pushing for the enterprise license because that’s where a lot of SaaS applications hide the compliance controls. When your company or your client companies are highly regulated and have to meet compliance standards like HIPAA or CMMC, that’s going to be a serious conversation. And honestly compliance concerns should be in most companies' minds, because a lot of non-regulated companies still have cyber insurance compliance to meet, and cyber insurance is getting equally picky about compliance standards now.
thecravenone@reddit
I used to identify these in my risk assessment with something like "VENDOR claims to be SOC 2 compliant but does not provide their report, which is unusual."
Management eventually made me stop because what was really happening is software requestors weren't gathering the required information and then their requests would end up perma-rejected as the vendor had failed review.
HI-McDunnough@reddit
The thing I get almost as much as no SOC 2 report at all is that a vendor will say they are SOC 2 certified, and give us a SOC report for AWS or Azure or whatever they use to just host their platform. But the company itself hasn't been through any kind of examination.
I call this insufficient.
thecravenone@reddit
TBH I've started reading compliant as "we meet the requirements but have not been audited." When they actually have a report, they usually phrase it differently.
ThatITguy2015@reddit
Oh dawgy. That’s a big fail on the risk review.
MrD3a7h@reddit
Fluency Direct's "SSO" set up is the best I've ever seen.
No SAML
You set your company ID in a config file
If the local Windows user matches a user in your account, you are signed in automatically
Totally what you want with something advertised for healthcare use.
TsoiViktor@reddit
...what? lol
KandevDev@reddit
The SSO-as-enterprise-tier thing is the single fastest way for me to recommend we pass. It tells me they treat security as a feature instead of a baseline, which means everything else they ship has that same hierarchy of priorities. Usually correlates strongly with "audit log" also being a paid addon.
AlertStock4954@reddit
My favourite is when they try and tell you that they’re SOC2 compliant because AWS or Azure is and send you a link to AWS/Azure’s SOC reports. Tell me you either don’t know or don’t care without telling me.
iNteg@reddit
My favorite part now isn't just the SOC2 Compliance reports, I gotta look at who certified the reports because of the whole Delve leak. We've looked at a bunch of AI Slop vendors that have the reports... from some Indian Certification Mill for a company that used Delve.
thecravenone@reddit
I've always checked who the auditor is but that's usually more of a thing of certain auditors I know I can trust and I don't need to scrutinize every word of the report.
A year or two back I had to advise that while there was nothing wrong with the report, the firm that issued it no longer exists and one partner is suing the other, who is also being investigated for fraud so like maybe consider whether you want to accept their report.
iNteg@reddit
Yeah that's what I mean, I can look at the auditor and be like yikes, and I didn't feel like I had to do that, or get the infosec team involved to look at the report deeply, and now the thrash from constant requests and scrutiny is piling up.
sir_mrej@reddit
Show me the report! Report says: SOCK TOO COMPLEGIANCE
Newt_Pulsifer@reddit
Omg I hate this "compliant by proxy" bullshit... I deal with it all the time.
Forsythe36@reddit
If a company sent this during an assessment I’d promptly lose my fucking mind.
Newt_Pulsifer@reddit
Some of our favorites:
- "Seamless integration via CSV."
- "Data at rest and transit is encrypted with SHA-256"
- Will you notify us if you make a change that could affect our security posture? "No"
- Have you completed a VPAT recently? "We don't support accessibility"
- "We only use Azure servers and since they are SOC II Compliant so are we."
- Do you have a dedicated information security staff or Office? "Yes all developers are responsible for security"
varinator@reddit
As someone who just became responsible for implementing ISO 27001 and SOC2 in the near future in a startup that deals with clients' insurance policy data - it would help me immensely if you could give an example of a "perfect vendor", in terms of things you would look at and expect to be there in order to give your stamp of approval.
I have time to prep and educate myself before I embark on those projects, so this would be a great help from someone who actually makes those decisions in real life, so I can focus on the important bits rather than blindly trying to just tick the boxes.
jlmawp@reddit
Honestly OP’s list above is a pretty great start. Self-service SSO, SSO by default on all price tiers, and an Authenticator app option for MFA are all really high on my qualifications list. I also feel the “audit log as a CSV” complaint. Give customers decent and easy access to security logs.
varinator@reddit
Thanks. Security audit logs - what's the scope here? Tenant view of who logged in when? Or full audit of every entity change recorded, with timestamp and user id?
jlmawp@reddit
Ideally every change made to the config, by whom, and when. I would say the minimum I'm happy with is extensive login logs at the very least: IP address, timestamp, access type (web, SSO, etc).
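The exchange above draws a line between the minimum a reviewer accepts (login events with actor, IP, timestamp and access type) and the ideal (every config change, by whom and when). The script below is an added example, not code from any commenter or vendor: it takes a vendor's CSV audit-log export and reports whether it reaches that minimum and that ideal. The header aliases and both sample exports are constructed for the example; real vendors name their columns however they like, so the alias table is the part you would tune per review.

```python
"""Assess a vendor's audit-log CSV export against the reviewer's minimum/ideal bar.

Added example (not from the thread or any product). Column aliases and the
two sample exports are constructed assumptions.
"""
import csv
import io
from datetime import datetime, timezone

# Canonical field -> header names we are willing to accept for it (constructed aliases).
REQUIRED_FIELDS = {
    "timestamp": ("timestamp", "time", "event_time", "created_at"),
    "actor": ("actor", "user", "user_id", "email"),
    "source_ip": ("ip", "ip_address", "source_ip", "client_ip"),
    "access_type": ("access_type", "auth_method", "login_type"),
    "event": ("event", "action", "event_type"),
}
# Presence of one of these means change events say *what* was changed (the "ideal" bar).
CHANGE_TARGET_FIELDS = ("target", "object", "resource", "entity")
LOGIN_MARKERS = ("login", "signin", "sign_in", "sign-in")
CHANGE_MARKERS = ("update", "change", "create", "delete")


def map_columns(header):
    """Return {canonical_field: actual_header} for each required field found."""
    lower = {h.strip().lower(): h for h in header}
    found = {}
    for canonical, aliases in REQUIRED_FIELDS.items():
        for alias in aliases:
            if alias in lower:
                found[canonical] = lower[alias]
                break
    return found


def parse_timestamp(value):
    """Accept ISO 8601 with 'Z' or an explicit offset; return an aware UTC datetime.

    Naive timestamps return None: without a zone you cannot line the log up
    with your SIEM or with the vendor's own incident timeline.
    """
    try:
        dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:
        return None
    return dt.astimezone(timezone.utc)


def assess_export(csv_text):
    """Score one export. Returns a dict a reviewer can paste into the assessment."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    columns = map_columns(header)
    report = {
        "missing_fields": sorted(set(REQUIRED_FIELDS) - set(columns)),
        "rows": 0,
        "bad_timestamps": 0,
        "login_events": 0,
        "config_change_events": 0,
        "has_change_target": any(h.strip().lower() in CHANGE_TARGET_FIELDS for h in header),
    }
    for row in reader:
        report["rows"] += 1
        if "timestamp" in columns and parse_timestamp(row[columns["timestamp"]]) is None:
            report["bad_timestamps"] += 1
        if "event" in columns:
            ev = row[columns["event"]].lower()
            if any(m in ev for m in LOGIN_MARKERS):
                report["login_events"] += 1
            elif any(m in ev for m in CHANGE_MARKERS):
                report["config_change_events"] += 1
    # Minimum bar: every required login field present and every timestamp unambiguous.
    report["meets_minimum"] = not report["missing_fields"] and report["bad_timestamps"] == 0
    # Ideal bar: config changes are recorded and say which object was touched.
    report["meets_ideal"] = (
        report["meets_minimum"] and report["has_change_target"] and report["config_change_events"] > 0
    )
    return report


# Constructed sample exports (not real vendor data).
SAMPLE_GOOD = """timestamp,user,ip_address,auth_method,action,resource
2024-05-01T08:00:00Z,alice@example.com,203.0.113.10,sso,login,
2024-05-01T08:05:12Z,alice@example.com,203.0.113.10,sso,update_setting,session_timeout
2024-05-01T09:00:00+02:00,bob@example.com,198.51.100.7,password,login,
"""

SAMPLE_WEAK = """Time,User
2024-05-01 08:00:00,alice@example.com
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, assess_export(sample))
```

The weak export fails on two counts a reviewer would raise separately: it lacks source IP, access type and event type entirely, and its timestamps carry no zone, so they cannot be reconciled with anything else. The good export clears the minimum and, because its change rows name the resource touched, the ideal as well.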
bs338@reddit
It'd be nice if a widespread requirement for the UK's Cybersecurity Essentials fixed this... I'm not holding my breath!
N7Valor@reddit
Lol, were these vibe-coded "SaaS"?
torbar203@reddit
I've dealt with junk like this before AI coding was as popular as it is now
SikhGamer@reddit
https://sso.tax is such a great way to avoid shitty companies.
wason92@reddit
I don't understand, are you saying where you work, management care about what IT says? 🤔
dadbodcx@reddit
Amazing how many SaaS vendors have no 3rd party audit report or any semblance of policies and compliance. AI utility companies with no documented AI governance or even documentation of their environment.
RikiWardOG@reddit
A somewhat more niche issue we keep running into is products not being able to support multitenant/domain-to-one SSO, as in a sister company that uses a different IdP entirely (Okta in this instance) not being able to SSO to the same SaaS instance. Really just makes everything double the effort, cost more, etc., and makes things harder for the users.
sryan2k1@reddit
The bigger their customers the less they care. The people making the decisions usually don't care about anything in that list.