Multi-tenant SAML in an afternoon (tylerrussell.dev)
Submitted by ned_at_codomain 4 days ago
  • jansommer 3 days ago

    > Last but not least, cost. I’ll just come out and say it: IMHO, what most vendors charge for being IdP is outrageous. Charging by MAU in an IdP? Really? We all know that the marginal cost for me to have a user in your system is essentially 0. You really gonna charge me 10 cents a month for a row in your database?

    I've been looking into adding OAuth2/OIDC IdP integrations to an app I'm making. The pricing for most auth-as-a-service is indeed outrageous, and I don't need (or want) JWT. oauth4webapi [1] fits the bill here, is free and certified. Took less than an afternoon to have sign in with Google and another IdP. There's obviously more work to be done, but it's not rocket science.

    Don't know if there's an equivalent for SAML. But I've certainly considered going into the auth SaaS business a few times. Seems like there's good money to be made.

    [1] https://github.com/panva/oauth4webapi (TypeScript)

    • runako 3 days ago

      > the marginal cost for me to have a user in your system is essentially 0

      This argument essentially reduces to the notion that most Web apps should be free. The marginal cost of a Salesforce/Canva/Outlook/Office/Github/Discord/any scaled SaaS user is a tiny epsilon. If that were not true, there would not be a viable software business there; that epsilon keeps everyone paid who keeps everything running.

      > You really gonna charge me 10 cents a month for a row in your database?

      Apologies for the analogy, but the 10 cents is not for the storage, but for knowing which row is yours.

      It's fine to want to DIY, no shade to that at all. But not every application is a fit for DIY solutions for whatever reason.

      • terussell85 3 days ago

        Author here. I didn't actually post this so I was a bit surprised to find it in my daily browsing!

        You make a valid point. And I understand there is clearly a large amount of hand waving and fallacy in my "for a row in your database" statement. I tend to write pretty flippantly. In reality, life is always more nuanced.

        In reality, the crux of my opinion is more about how most modern SaaS companies are so overly obsessed with pricing on user-based models, even when they don't actually make sense. There is obviously cost to host/run/maintain any piece of software, but it especially hurts with infrastructure-like companies. It's up for argument, but I think IdPs and MAUs fit in that category.

        Building a company that doesn't charge on a per-seat basis with an IdP that does really makes it difficult to maintain a reasonable profit margin. For example, if I'm billing on a usage-based model (that's not user-based) and provide unlimited user access so that there is more usage, I could lose money just by having a 1,000-person company sign up. Even if all they did was sign in once a month to kick the tires. It kind of forces anyone downstream to also be user-based, which feels unfortunate.

        My personal opinion is that there is a big emerging market for new companies to do what the big players already do, but charging less on flat-fee models. What's that famous quote? "Your margin is my opportunity" or whatever...

        [edit: added more clarity to my pricing example]

        • youngtaff 3 days ago

          Okta / Auth0 pricing is negotiable… we used to pay per customer connection; now we pay a flat fee.

      • tomjen3 3 days ago

        I have set up Keycloak a bunch of times. I don't know if I would say it is a good solution (that would be ditching SAML), but it doesn't require you to pay outrageous fees.

        • raffraffraff 3 days ago

          Why do you say "that would be ditching SAML"? Keycloak supports SAML.

          While Keycloak is free, the time it takes to implement a solution is not. And that can be considerable if you want a production-ready deployment that's highly available, monitored, and well-understood by whoever is supporting it. And hosting has a cost (instance + DB for a simple low-traffic "dev" setup, but for HA and redundancy you have more work to do).

          For some companies the choice is simple: a 3rd party service is quicker, easier and while it's expensive over years, the monthly cost is doable. But we're using it because we have an investor who pays for hiring and AWS, but nothing else. Have you tried using AWS Cognito? Full body shudder. It's simple until it's not.

          Keycloak has a learning curve but at least it makes sense. It took me a while but I'm at the point where the entire thing is automatic using Terraform and Helm, from deployment and configuration to theme and full "IAM" stuff (users, roles, clients, IdPs etc). It took a while but since I was getting paid and we had no way to simply pay for a quick alternative, I just crunched through it. That model doesn't suit every company though.

          Finally, I'll add that AFTER getting Keycloak fully set up, hooking the product into it looked pretty much like the "one step forward, two steps back" that the original post chronicled as he implemented SSO.

          • tomjen3 2 days ago

            I mean ditch SAML. We use Keycloak as a SAML-to-OpenID translator, essentially, so if we could get JWT tokens from our IdPs directly, we wouldn't need Keycloak.