Got any SaaS SSO tips?

OAuth is for B2C kids.

For B2B especially with “big-ish” customers - use SAML, period.

P.S. If anyone here uses ASP.NET (which I doubt) we built an open source component for it: https://github.com/jitbit/AspNetSaml

Not exactly. It was supposed to be used to provide access only, but to provide access to a party you need to know the identity of that party, and so any authorization protocol necessarily includes identity info. Hence some (many?) people decided that they do not want to deal with different protocols for authentication and authorization, and use OAuth as a pseudo-authentication protocol, too.

At least last time I was playing with public logins with IDs from Google, Facebook and Twitter, I only needed an OAuth library.

Yes, it is possible to use OAuth2 for authentication, but as I understand it, it is easy to make a security hole unless you follow some guidelines, and this is what OpenID Connect is trying to provide. The details of how OAuth2 could be problematic for authentication can be seen in this post.

Best,

1 Like

If you’re using Rails then look at OmniAuth.

Offering too many providers can be confusing. Imagine you’re faced with a page that has email + password, Google, Facebook, Twitter, Github, Linkedin, etc. Now I need to remember which one I signed up with so I don’t accidentally create a new account.

1 Like