This post is adapted from our Summer Release Event (embedded below). Slides can be found at the bottom of the post!
Last month, we held our first public event: the WorkOS Summer Release! Putting together a fully remote event as a fully remote team involved a lot of prep work, practice with virtual backgrounds, and even creating a demo app with fully functioning integrations for this event. What follows is a recap of the features we covered, new product announcements, and a summary of Michael’s CEO fireside chat with Brianne Kimmel about the future of enterprise readiness.
What Problem are we Solving?
Cloud apps are everywhere, but many cloud apps are not enterprise ready. As companies move upmarket faster (and even a 100-person company can have “enterprise requirements”), features like SSO, Directory Sync, and Audit Trail are becoming more important to integrate into cloud apps earlier on in their lifecycle.
IT systems are highly fragmented, and as a result these enterprise features are very complex to build, with numerous edge cases and non-standard integrations. There are large risks to executing these integrations poorly, including but not limited to: big deals being lost, customers churning, loss of market share to an enterprise-ready competitor (like Dropbox and Box) and/or loss of trust. As important as these are, enterprise-focused features are not what engineers want to build; they’re usually not part of a cloud app’s core product and take up valuable engineering time.
A year ago, our founder Michael Grinich gave a talk describing this process of becoming enterprise-ready as “Crossing the Enterprise Chasm.” Since then, we’ve launched a product that does this for you. At WorkOS, we provide APIs that abstract the complexity of building enterprise-ready features like SSO, directory sync, audit trail, and access control so you can focus on your unique product features and move upmarket faster. You can think of WorkOS like what Plaid or Stripe did in the payments space, but for enterprise features.
SSO
Single Sign-On (SSO) is nearly always the first enterprise-ready feature a customer will request. Prior to WorkOS, building an SSO connection in-house varied greatly from Identity Provider to Identity Provider:
- For an OAuth provider (like G Suite or GitHub), you need to set up unique redirect URIs and token exchange code on your backend for each system.
- For a SAML provider, you need to collect the IdP URI and X509 certificate to do the SAML assertion. You also need to ensure the fields coming back in the SAML response (XML) map to your database. These fields are non-standard, so you need a configuration UI for mapping. Many services have actually implemented SAML incorrectly, so you need to deal with that too.
- For other non-SAML providers, you need to custom-build for the protocol. "AD FS" is Microsoft's flavor of federated auth and it's a bit different. (It has a relying party trust cert.) Another is "OpenID" which is structurally similar to SAML but based on OAuth2/JSON instead of XML.
- On top of all of that, you need to build the set-up UI for this (unless your support team is going to do it manually every time). This also includes writing docs with screenshots of every provider.
- For best practices, you should keep a database of test accounts for every identity system and integrate this with your CI tests so you can detect regressions in the identity systems.
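To make the SAML field-mapping point concrete, here is an added example (not WorkOS code) that maps the attribute names two differently configured IdPs send onto one user record and rejects the login when a required field is missing or ambiguous. The connection ids, the mapping table and the sample statements are constructed for illustration, and the assertion's signature is assumed to have been verified already by a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed per-connection mappings: app field -> attribute name that IdP sends.
MAPPINGS = {
    "conn_short_names": {"email": "email", "first_name": "firstName"},
    "conn_claim_uris": {"email": CLAIMS + "emailaddress", "first_name": CLAIMS + "givenname"},
}
REQUIRED = ("email",)

class MappingError(ValueError):
    """The assertion cannot be mapped to a user record; reject the login."""

def extract_attributes(statement_xml):
    # Assumes the assertion's signature was already verified by a SAML library.
    if "<!DOCTYPE" in statement_xml or "<!ENTITY" in statement_xml:
        raise MappingError("DTDs are not allowed in SAML input")
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs

def map_profile(connection_id, statement_xml):
    mapping = MAPPINGS.get(connection_id)
    if mapping is None:
        raise MappingError("unknown connection")
    attrs = extract_attributes(statement_xml)
    profile = {}
    for field, source in mapping.items():
        values = attrs.get(source, [])
        if len(values) > 1:  # ambiguous identity data: fail closed
            raise MappingError(f"{field}: expected one value, got {len(values)}")
        profile[field] = values[0] if values else None
    missing = [f for f in REQUIRED if not profile.get(f)]
    if missing:
        raise MappingError(f"missing required fields: {missing}")
    profile["email"] = profile["email"].lower()  # normalise before account lookup
    return profile

def sample_statement(attrs):
    """Build a constructed AttributeStatement for the demo (not real IdP output)."""
    items = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    return f'<saml:AttributeStatement xmlns:saml="{NS["saml"]}">{items}</saml:AttributeStatement>'
```

Applying one connection's mapping to another IdP's statement raises `MappingError` instead of creating a user with empty fields, which is the failure a mapping UI has to surface to the admin.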
In economic terms, we’ve built all of this so you don’t have to, over the course of a year with a dedicated engineering team. (And we're still not finished yet.) In addition, SSO is a fractal problem because there's such a long tail of identity systems and configuration options, not to mention the cost of maintaining these integrations over time.
Our most popular product, SSO, abstracts all the complexity under the hood of building the aforementioned SAML connections. Our super simple API wraps dozens of Identity Providers, like GSuite, ADFS, OneLogin, Ping, VMware ONE, Google SAML, and Generic SAML (and we're adding more every day). If you’re familiar with OAuth, you’ll be familiar with the type of abstraction we provide with WorkOS SSO. Because of the level of abstraction we provide, developers have been able to integrate SSO and begin to authenticate enterprise users in under an hour. This has saved our users hundreds of hours in development time and frees up more time for you to focus on your unique product features. SSO is also one of the key factors to growing your business, as it means your end user won’t have to remember additional passwords, and your customer’s IT team will have a greater level of trust in your enterprise readiness. For a full demo of how truly easy it is to integrate SSO, here’s a video from our Summer Release Event focusing on SSO:
[Video: WorkOS Summer Release 2020: Single-Sign On (SSO/SAML)]
Admin Portal
Setting up SSO and Directory Sync connections (more below) historically requires manually emailing back and forth sensitive information like x509 certificates, ACS URLs and other Identity Provider metadata. Configurations break in unexpected ways, and simple mistakes like putting a URL in the wrong input box, typos, or wrong formats of Identity Provider metadata can break an SSO connection. To onboard your newest enterprise customer, you end up playing email tag and inevitably show outdated screenshots for documentation of how to use Okta. You also end up jumping through hoops to create test accounts at every single service ... 🤕
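The input mistakes described above (a URL pasted into the certificate box, a typo in the scheme, malformed metadata) can be caught before a connection is saved. The following is an added example, not WorkOS code: the field names `idp_sso_url` and `x509_cert` and the sample form are constructed, and the certificate check only confirms the value decodes to a DER structure, so full parsing with an X.509 library is still assumed afterwards.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def check_url(value):
    value = value.strip()
    if "BEGIN CERTIFICATE" in value:
        return "looks like a certificate, not a URL"
    parts = urlsplit(value)
    if parts.scheme != "https":
        return "must be an https:// URL"
    if not parts.hostname or " " in value:
        return "missing or malformed host"
    return None

def check_certificate(value):
    if re.match(r"\s*https?://", value):
        return "looks like a URL, not a certificate"
    match = PEM_RE.search(value)
    body = match.group(1) if match else value  # some IdPs display bare base64
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64 / PEM"
    if len(der) < 2 or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
        return "not a DER-encoded structure"
    return None

CHECKS = {"idp_sso_url": check_url, "x509_cert": check_certificate}

def validate_connection(form):
    """Return {field: problem} for every field that fails; empty dict means OK."""
    errors = {}
    for field, check in CHECKS.items():
        problem = check(form.get(field, ""))
        if problem:
            errors[field] = problem
    return errors

# Constructed sample form; the base64 body is a 5-byte DER stub, not a real certificate.
GOOD_FORM = {
    "idp_sso_url": "https://idp.example.com/sso/saml",
    "x509_cert": "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----",
}
```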
Our solution to this non-ideal enterprise onboarding exchange is our new Admin Portal. Within the Admin Portal, we take the complex set-up flow and allow enterprise admins to set up SSO and Directory Sync connections directly in the interface themselves, complete with constantly-updated documentation and live input boxes. Admin Portal completely removes the headache of setting up SSO and SAML connections. We’ve taken care of all the error states and weird edge cases. You’ll never need to think about it again! This saves your team months (at least!) of work and all the research into each different identity system. For a full demo of how smooth the Admin Portal makes the enterprise onboarding experience, here’s a video from our Summer Release Event focusing on the Admin Portal:
[Video: WorkOS Summer Release 2020: Admin Portal]
Directory Sync/SCIM
Now that you have users signing in through SSO, admins want to automatically provision and de-provision users based on their own directory system. When you’re provisioning a large team:
- Just-in-time provisioning is not secure.
- Home-grown invite flows can be buggy and slow down product growth and activation.
We built WorkOS Directory Sync to connect your app to an external list of users and keep those in sync. When you onboard your enterprise customer, you’ll receive API endpoints for both users and groups. After the initial onboarding, we provide webhooks for changes: users and groups added and deleted as well as changes in group membership. We support a range of different providers: SCIM 1.1, SCIM 2.0, Okta, Azure AD, G Suite and more. Just like SSO, when you integrate with WorkOS once, you’ll be able to easily set up connections to a range of different providers. In our summer release, we launched support for Workday and BambooHR. Rippling is coming soon along with many others. IT admins LOVE this feature because it relieves them of the need to provision single users one-at-a-time for software vendors. Importantly, de-provisioning is required for compliance. If your pricing is per-seat, Directory Sync increases the adoption curve of your app because you can immediately start charging for each user provisioned. Directory sync literally pays for itself. For a full demo of how smooth the Admin Portal makes the enterprise onboarding experience, here’s a video from our Summer Release Event focusing on the Admin Portal:
[Video: WorkOS Summer Release 2020: Directory Sync]
Magic Link / Passwordless Authentication
Password management is a pain. Building a password system that handles salting, hashing, resetting and stringent requirements is crucial for security practices, but requires constant maintenance and upkeep with new security requirements.
So what if you didn’t need to use passwords? At our Summer Release event, we launched Magic Link: Passwordless Authentication, the easiest possible way to have users sign in securely. No passwords required. Nothing to remember. Your end-users simply click a link to authenticate. You’ve probably seen this with Notion or Slack (slides 60 and 61 in the presentation below). Magic Link is insanely fast to integrate, safer than passwords, and you never have to worry about getting hacked. For a full demo of how Magic Link enables easy Passwordless Auth, here’s a video from our Summer Release Event focusing on Magic Links:
[Video: WorkOS Summer Release 2020: Magic Links]
Summary:
In our Summer Release event, we reviewed SSO & Directory Sync, announced support for new providers and launched Admin Portal & Magic Link. We realize that your users and IT managers want different things and your passion probably isn’t building SAML auth connectors. (If that is your passion — we are hiring!) With WorkOS, you don’t have to compromise the needs of your users in order to have enterprise ready features.
Our aim is to provide the building blocks for enterprise-ready applications, so you can unlock enterprise deals faster, focus on unique product features, and save hundreds of hours of development time. We help you check all of the boxes, out of the box.
Check out the slides for our full presentation here:
Have you created an account yet? Sign up here for your free trial!