We’re excited to say that our SAML (also called Enterprise SSO) implementation is out of beta and now available to all our customers! This feature allows your customers to log in to your product using their existing identity provider, like Okta, Google, OneLogin, and more.
Let’s take a small step back and talk about what SAML is and why it’s important.
What is SAML?
In a multi-tenant / B2B environment, your users don’t use your product as individuals. They use it as a team / company. Every major B2B product will have some way for its users to define who’s in that company and what they have access to.
One of the most common approaches here are invitation flows.
One person at the company signs up for a product and then invites all their coworkers to join them.
This works well—until the company grows to a larger size. For example a company with 100 employees won’t want to manually invite employees to every single product that they use. What they would prefer is if there was a centralized, automated way for new employees to gain access to all the products they need access to.
This is where identity providers and SAML come in. An identity provider is a service that companies use to manage their own employees. When a company onboards a new employee, they will add that employee to their identity provider.
A SAML connection, is the connection between an identity provider and a product (also called a service provider). This allows a company to setup configurations such as, “Whenever we onboard a new employee via Okta, make sure they have access to Slack” or “Whenever I onboard a new engineering manager with JumpCloud, make sure they become an admin in our GitHub organization.”
Why is SAML important?
One of the strongest reasons for implementing SAML is that large companies and enterprises often see it as a requirement for purchasing SaaS products. With SAML, they can set up a connection once for your product, and then they can manage access to your product in one central location. They can roll you out to the entire organization in a few clicks. Without SAML, they would need to do a lot of manual work for every product they use.
Additionally, even if you’re selling to small companies, having SAML provides significant security benefits. As such, the Sso.tax describes SAML as “a core security requirement for any company with more than five employees.”
How does PropelAuth’s SAML integration work?
PropelAuth is an authentication service designed for B2B / multi-tenant products. We have organizations and roles as first class concepts in our libraries and we provide self-service UIs for your end-users to manage their own accounts and organizations.
We already provide ways for your users to invite coworkers to their organizations, both via our UIs or APIs. With our SAML integration, your users can now define their organization membership based on their identity provider. PropelAuth hosts UIs which have step-by-step instructions to walk your users through the process of setting up this SAML connection, for each identity provider:
This includes a testing flow so your users can test their SAML integration to make sure all the data you receive is correct.
The most important part of this is that SAML is now just an implementation detail. You don’t need to have a long back and forth with your customer’s IT team. You don’t need to spend a ton of time reading about SAML and all the different ways IDPs implement it. Your code should only ever need to ask questions like “Is this user in this organization.”
What if I don’t want all my customers to have access to SAML?
You can either enable SAML as an option for all your users, or you can pick and choose which customers can enable SAML. You can do this either through our dashboard or programmatically through our APIs.
At a high level, SAML is a way for products to integrate directly with identity providers. This enables companies that are purchasing software to automate who within their company has access to that software.
SAML itself can be very complicated to create from scratch, but with PropelAuth, we take care of the entire process for you. We provide your users with step-by-step instructions on how to set it up and supply you with a simple API where SAML can be implemented with a toggle of a button.