Integrating Single Sign-On As A Startup: My Experience and Tips
July 03, 2024 • Matthew Duong • Startups • 4 min read
Recently in my day job, we received a request from one of our enterprise customers to integrate Single Sign-On (SSO) into our product. The customer was already utilizing Microsoft Azure Active Directory (Entra ID) as their identity provider. For those new to integrating SAML-based SSO, the process can be quite complex. As fate would have it, I used to work at Microsoft, specifically on Azure AD in the Identity team! In this article, I provide an overview of SSO and share recommendations for startups considering its integration.
Single Sign-On (SSO) is a user authentication process that allows individuals to access multiple applications with one set of login credentials. A good analogy is your gym membership card: with one swipe you can access the gym, pool and other services without having to swipe again for each amenity. Tying this back to our customer: each of their employees has a single username, password and MFA combination with Microsoft. Without an SSO integration, they would need separate login credentials and MFA for Truewind and any other service the accounting firm provides. This makes it extremely challenging to manage access for the 20+ apps and services required by the hundreds of employees who join and leave the company. With SSO, provisioning one set of credentials gives a new employee access to everything, and revoking that one set of credentials removes access when an employee leaves the company.
To understand how SSO works let’s first get an overview of the architectural components.
This is how the above components interact to complete the SSO login flow:
The initial integration is straightforward. You can follow the official guide here: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on
The challenge is determining how your existing password users will transition to the SSO flow. For many enterprise customers, the sales / onboarding process usually involves:
The complexity of transitioning to SSO largely depends on your existing authentication model. Most initial identity setups tie the login method, such as a password, directly to the user identity. This often results in data models keyed off the login identifier. To update your model effectively, you must decouple the login method from the underlying identity, typically represented by an email address.
Next, you need to disable password logins and enforce that all sign-ins and sign-ups within the domain authenticate exclusively through SSO. Having every identity from the domain automatically join the organization, and carrying over the existing permission models, adds another layer of complexity. This ensures the transition maintains the same access controls and user permissions, making the entire process challenging but essential for a smooth SSO integration.
Here's a common schema design for a single authentication method system that most people would typically create.
The data model needs to separate the user entity from the auth method, and it also needs to record which authentication method is active in the enterprise case. Here's how the schema looks after such a change.
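As an added illustration of the decoupled model (this is constructed example code, not the schema from the post or from the author's product), the sqlite schema below keeps identity in `users`, login methods in `auth_methods`, and the method enforced for a domain in `organizations`; the table and column names, and the `provision_sso_user` / `authorize_login` helpers, are all assumptions. It shows the two enforcement points the text describes: a user from an SSO-enforced domain is attached to the organization on first login, and a leftover password row for that domain can no longer be used to sign in.

```python
import sqlite3

# Constructed illustration, not the post's own schema: identity (users) is kept apart
# from login methods (auth_methods), and an organization pins the method for its domain.
SCHEMA = """
CREATE TABLE organizations (id INTEGER PRIMARY KEY, email_domain TEXT NOT NULL UNIQUE,
    enforced_method TEXT NOT NULL CHECK (enforced_method IN ('password', 'saml')));
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE,
    organization_id INTEGER REFERENCES organizations(id));
CREATE TABLE auth_methods (user_id INTEGER NOT NULL REFERENCES users(id),
    method TEXT NOT NULL CHECK (method IN ('password', 'saml')),
    credential TEXT NOT NULL,  -- password hash, or the IdP issuer for SAML
    PRIMARY KEY (user_id, method));
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def domain_of(email):
    return email.rsplit("@", 1)[-1].lower()

def required_method(conn, email):
    """The method every sign-in for this email must use: the domain's enforced
    method, or 'password' when no organization owns the domain."""
    row = conn.execute("SELECT enforced_method FROM organizations WHERE email_domain = ?",
                       (domain_of(email),)).fetchone()
    return row[0] if row else "password"

def provision_sso_user(conn, email, idp_issuer):
    """First SSO login: create or reuse the identity, attach it to the organization
    that owns its domain, and register SAML as its login method."""
    org = conn.execute("SELECT id FROM organizations WHERE email_domain = ? AND enforced_method = 'saml'",
                       (domain_of(email),)).fetchone()
    if org is None:
        raise ValueError("domain is not SSO-enforced")
    email = email.lower()
    conn.execute("INSERT OR IGNORE INTO users (email) VALUES (?)", (email,))
    conn.execute("UPDATE users SET organization_id = ? WHERE email = ?", (org[0], email))
    user_id = conn.execute("SELECT id FROM users WHERE email = ?", (email,)).fetchone()[0]
    conn.execute("INSERT OR REPLACE INTO auth_methods VALUES (?, 'saml', ?)", (user_id, idp_issuer))
    return user_id

def authorize_login(conn, email, method_used):
    """True only if method_used is the domain's required method and the user has it
    registered; a leftover password row cannot bypass an SSO-enforced domain."""
    if method_used != required_method(conn, email):
        return False
    return conn.execute("SELECT 1 FROM users u JOIN auth_methods a ON a.user_id = u.id "
                        "WHERE u.email = ? AND a.method = ?", (email.lower(), method_used)).fetchone() is not None
```

The SAML assertion validation itself is out of scope here; `provision_sso_user` is meant to run only after the IdP response has been verified.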
Should you integrate SSO into your product? It depends on your customer base. For enterprise customers, integrating with an Identity Provider can enhance user experience and help attract enterprise clients. Initially, passwords may suffice to test your value proposition, but as you try to close larger clients you'll eventually hit the hard requirement for SSO support.
My recommendation is to integrate SSO based on customer demand, such as signing a major client or increasing revenue. Early on, prioritize testing your core value proposition over SSO implementation. If you are planning future SSO integration, decouple authentication methods from user identities to ensure a smooth transition.
If you want to see some more of my written content outside of this blog, check out my recent articles.