Hacker Neue

Preferences
aidos parent
Seems like a good place to ask: Does anyone have advice on good solutions for B2B SAAS apps?

Just our app that needs logging in to and would like to allow the usual things (password, social etc) but also allow customising the rules per email domain.

For example, if someone enters someone@example.com in to the login form they'll be shuffled off to this Azure connection for authentication. Or maybe they use our login pages, but MFA is enforced.

Things that I've tried (eg Authentik and FusionAuth) weren't well suited for per organisation controls.

mffap
Have a look at ZITADEL (https://github.com/zitadel/zitadel or https://zitadel.com/), I think that does what you want. You can create multiple tenants (called Organizations) and you can setup security / login rules per organization such as enforcing MFA. Furthermore you can configure on each tenant a separate SSO and users are directly forwarded to their identity provider. When you first enter your username (could be an email) on the login screen, the policies of the user's organization will be applied. That allows you to route users based on their email domain etc. One additional thing to mention is that ZITADEL does not only handle authentication, but also authorization with self-service. Managers of an organization can, for example, assign users of their organization roles.
aidos OP
That sounds like just what I want.

ZITADEL was already on my list to try in the next round.

Can you clarify the pricing / plan required for that feature set?

mffap
All of these features are included. Main drivers for pricing in this case, I assume will be daily active users (sum over the month) and how many third-party identity providers you have configured. Unlimited tenants, users, permissions etc. are included. We use DAU instead of MAU, since there are many different use cases and that seems work quite well. Just take the MAU and multiply by how many times per month your users will sign-in. In the enterprise tier we offer more custom quotes for higher volumes, guarantee requirements, and support SLAs.
aidos OP
And to clarify on the third party providers. Assuming every org is using Azure - that’s 1 provider per org. So 53 orgs would be an extra $1,000 / month?
mffap
Yes that's correct. Get a quote for your use case, if you are already running on higher numbers. Pricing might not fit all cases, that's why there's also an Enterprise tier.
andix
Hmm, maybe take a look at their website? https://zitadel.com/pricing
mcstempel
We built Stytch's B2B SaaS solution with this specific shortcoming in mind -- most other solutions aren't actually built with an organization-first data model (they're user-first like Auth0 but support the general concept of orgs), which makes it difficult to offer those per organization controls in an ergonomic manner.

There's some more info on our multi-tenancy data model here (https://stytch.com/docs/b2b/guides/multi-tenancy), and here's the PUT request you'd use to manage any of those org configurations: https://stytch.com/docs/b2b/api/update-organization

aidos OP
That looks really close to what I’m after! Will give it a spin.
nickzelei
I’m also interested in this. We’ve been using Auth0 for a year and our contract is up for renewal where we will be getting kicked off of the startup plan. I’m wanting to rip the bandaid off early as we’re about to launch a new platform.

I’m highly considering bringing auth in house with Keycloak. I’ve run it in the past at previous companies so am familiar with it, but it’s going to be an extra thing to maintain due to self hosting, their themeing also is not great. However this is pretty much an end all solution that doesn’t really get expensive over time as our user base grows.

Wondering if folks have any advice?

grinich
Have you tried WorkOS? It’s built for exactly this, with native support for SAML and SCIM.

https://workos.com/

I’m the founder. Would love to hear your feedback and happy to answer questions.

aidos OP
No, I haven’t tried it. It looks great but unfortunately the per connection pricing makes it not ideal for us. (We’ve had a couple of messages back and forth on here in the past about it). Most of our customers have low numbers of users, so the per subscription cost becomes a bit high.

I’ll kick the tyres in my next round of investigation though to see how it looks.

esafak
What's on your shortlist?
jwineinger
Auth0 can do this. Identifier first login, SSO domain aliases, and MFA are all supported. They have an Organizations feature as well, but I'm not certain if you'd need that from what you've described. Customization of various aspects of the authn flow can be done via Actions (and Rules, but they're deprecated).
BeryJu
Hey, for authentik this is actually something we're actively working on: https://github.com/goauthentik/authentik/pull/8330, and this will be included in our next feature release in April!

(Disclaimer, I am founder and CTO of authentik)

arekkas
We have this feature and it is called B2B SSO: https://www.ory.sh/docs/kratos/organizations
aidos OP
Interesting. Any more details available on what’s configurable? How does it work out pricing wise?
arekkas
The flow is essentially what you see in the small video on the docs page and can be set up in the Ory Network Console with a few clicks. I agree though that the docs here are a bit thin.

Pricing wise this is available on the Scale tier currently dubbed as "Enterprise SSO" although "B2B Organizations" probably would be more correct: https://www.ory.sh/pricing/

There are no limits to how many organizations you can have.

Regarding MFA - the MFA enforcement typically is the responsibility of the IDP the company owns. So for example dean@companyA.com use Okta and they enforce 2FA for their users. anna@companyB.com use OneLogin and they do not enforce MFA.

aidos OP
Thanks.

In terms of other enforcement, I meant more wrt to an organisation that _didn't_ use another IDP but still wanted to apply PW policies (for example) on their domain.

Could you create an Ory project (sorry, don't know all your terminology) to forward on to?

Something like:

Our app -> Ory -> split by domain -> Ory for specific domain -> Policies.

lmeyerov
So not OSS?
esafak
Most of the commercial solutions break financially when you have a freemium tier; orgs that don't pay below a certain size or usage. Yet the auth provider charges you the same fee for each such org.
mooreds
Hmm. (I work for FusionAuth, thanks for giving us a try!)

So you want a screen in front of the login process where someone enters their email address, and then a second screen where a variety of login options are presented?

Along with the ability to enforce MFA on a per domain basis?

Anything else you are looking to customize at the domain level, such as password rules or registration ability?

aidos OP
For the moment our needs are actually fairly light. I'm trying to remember exactly what I ran into with FusionAuth but struggling a little unfortunately.
mooreds
Gotcha. We definitely don't have fine granularity around when MFA is required (open issue here: https://github.com/FusionAuth/fusionauth-issues/issues/2285 ).

Other than that I'd suggest putting a page in front of our login pages with the domain logic, and modeling each set of emails as either an application, organization or tenant, depending on the specific features you need.

Either way, hope you find the right solution for your needs!

aidos OP
Thanks. I appreciate the info. Will give it a shot when I revisit this in a month or so.

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal