If you are a SaaS developer (or an ISV) then chances are you have spent substantial amount of time learning and implementing user authentication and identity management capabilities in your app. Most SaaS developers implement local user authentication and user account management functions themselves, OR they rely on such functions provided by their app framework. Local authentication means that each user is authenticated against the user password stored in their locally hosted backend webapp database. Each user of the webapp also has a user account profile stored in the same backend database. The user profile is either created by the user themselves or by the SaaS app admin manually.
There are several disadvantages of such tightly integrated local authentication and user account management functionality in a webapp.
- Non-interoperability. Users who create passwords and accounts in such apps cannot login to other apps using the same passwords. This requires users to create multiple accounts and passwords, a huge inconvenience as well as security risk due to proliferation of passwords.
- Security risks. SaaS developers are focused on the domain functionality of the webapp, and not necessarily on the security, authentication and credential management aspects of the webapp.
- Time to market. SaaS developers end up spending an inordinate amount of time and energy trying to implement non-core features and functions (non-core to their business domain) such as user account registration, authentication, credential management etc. This leads to delays in product launches and cost overruns.
Therefore, delegating the following app functions to a dedicated service makes sense.
- User account registration.
- User authentication
- User account management
This delegated functionality, in industry parlance, is sometimes referred to as, the Identity Provider. The Identity Provider function has been standardized in the industry and is now an open standard. Shibboleth/SAML2 are the leading industry standards of choice and widely adopted in the marketplace today. An Identity Provider can be linked to any existing or new webapp and can be used as a login /authentication source for the webapp. Users can maintain and manage their accounts (including passwords) on one central Identity Provider and use it to login to any number of trusted webapps.
As you can see, having a Shibboleth/SAML based outsourced Identity Provider has many advantages.
- Faster time to market. Time to market products and service are shortened since developers no longer have to spend time learning and implementing user authentication and account management functions.
- Improved security. Passwords are no longer stored inside the webapp. Such information is now delegated to the Identity Providers (IDPs). IDP’s are designed to store and manage such sensitive information in a secure manner.
- Better U/X via Single Sign-On. Users can now use one single passwords to access any number of apps.
Elastic SSO Team and Elastic SSO Enterprise are examples of such Shibboleth/SAML2 standards compliant Identity Providers that can be leveraged for delegating your app’s user authentication and identity management needs. Meanwhile, your SaaS service can be enabled for accepting SAML based authentications using Elastic SSO Service Provider. Here are some sample customer success stories where enterprise customers are using Elastic SSO for implementing a robust and streamlined eco-system of apps along with a centralized secure user single sign-on authentication system.