Hi HN! I’m the founder of WorkOS (https://workos.com)
We provide a developer API for making your app enterprise-ready. You can quickly add features including SSO/SAML, Director Sync (SCIM), Audit Logs, and more.
WorkOS is “Plaid for enterprise IT systems.”
I learned about these enterprise requirements the hard way. Previously, I founded Nylas where we built an email app called Nylas Mail. We couldn’t monetize that app and shut it down (RIP) and the main reason was that we couldn’t sell it to enterprise because it was missing features.
I fully appreciate how difficult this is to do, but I think it would be immensely useful if WorkOS provided the docs that I (the SAML SP, your customer) provide to my customers who are setting up SAML (as an IdP) on their end.
One of the biggest pain points I've experienced with SAML is that people come to me asking for help, but only understanding their IdP; the only IdP I know how to use is Okta, and I don't have access to their IdP to test with.
I'd love it if WorkOS could give me documentation that I can give to my customers about how they can set up Okta/Azure ADFS/whatever with my product. I can edit those docs to account for idiosyncratic stuff my product does (e.g. requiring a particular SAML user attribute or format for user IDs).
Aside: the support burden of SAML is a big part of why the sso.tax exists. Nobody on the SP or IdP end knows how to set this stuff up!
Yep we're already looking at doing this with docs. :)
One thing to help with the SAML support is WorkOS.js. It's essentially an embeddable configuration flow, so you don't need to build the UI to collect x.509 certs, generate the ACS URL, etc. Similar architecture to "Plaid Link" so users never leave your app.
Yeah this is really cool! To your point about WorkOS.js -- how would a customer know where to find their SAML metadata? Some of this can be done inline in WorkOS.js, of course.
But no amount of inline docs in WorkOS.js's UI is going to get around the high-level guidance docs, both for your customers ("where do I even start") and your customers' customers ("how do I fit my IdP peg into your SP round hole").
Ah yeah I'm talking about two different things. The docs for getting SAML config would be on a separate public site.
WorkOS.js is for the IT admin to configure their SSO/SAML integration.
With both of these things, you can make SAML fully self-serve and include it in your base tier, which drives adoption and retention in bigger companies.
Congrats on the launch, Michael. Been experiencing the same - after conducting demos of our application, we've been told that we aren't enterprise-ready and so we've gone away to figure out what that looks like. I've got extensive experience in the enterprise space having worked in banking tech for a few years so happy to help. Currently, we're building an AI performance management platform for enterprises and so could leverage WorkOS to accelerate our go-to-market. How do you compare to Replicated (https://www.replicated.com/)?
Replicated helps developers ship an on-prem version of their product, like GitHub Enterprise.
WorkOS helps developers add features to make their app enterprise-ready. We provide an API to integrate with cloud services like Okta, Azure AD, G Suite, and more.
Very minor, really, but did you consider tiers something like Developer/Startup/Corporate, rather than Free/Developer/Corporate?
I just think surely every user (of yours) is a de facto developer, and really if that's all they are they only need the 'Free' tier until they start selling something (i.e. it's a business of some kind) and need the support.
We're primarily targeted at developers but I found there's a lot of other people who care about enterprise features. For example, WorkOS allows a Head of Product to focus entirely on new end-user features and not build SAML config screens.
WorkOS is surprisingly popular with the VP Sales. They have no idea what SAML or SCIM means, but they know it's blocking big deals. WorkOS helps them unlock that revenue.
One issue with Enterprise Software that I've experienced is that all subcontractors are scrutinised and have to be listed in contracts, clients has to be notified/approve changes etc.
I would love to pay you money but run this somehow under AWS (Marketplace?) so that I don't have to request signatures from all our clients.
The issue, AFAICT, is all about who has access to personal data and where that data is hosted (jurisdiction wise).
> "You can quickly add features including SSO/SAML, Director Sync (SCIM), Audit Logs, and more."
This is great. Congrats.
I work in a regulated industry (Life sciences/pharma) and all of these are challenges we've had to tackle as one-offs for our SaaS, so I could appreciate this bundled/bootstrapped approach.
Monday.com is the worst product I have ever had the experience of working with.
Spreadsheet with 200 rows and 20 columns? Your browser will be laggy as all hell thanks to their wonderful UI.
Try to tell support? The entire page jitters up and down as you type every single character in the support box on Chrome.
Reload the page? Well now the page isn't laggy at all, but literally it is not rendering rows that _are definitely there_.
I really wanted to like it -- beautiful user interface -- but it's an absolutely terrible product. And it was ~15 people on my team reporting the same exact behavior as we tried it.
I would consider recommending Monday.com to my worst enemy.
The hardest part of these docs was actually just writing the docs. So hard to come up with simple language for super complicated topics. And so much more still to do!
Slightly off-topic complaint: I really wish these features weren't considered "Enterprise" by so many people. Do you have a company that uses third party tools and has employees that leave? Congrats, you're an "enterprise" and need the "enterprise" plan.
I dream of the day that these features (SSO, Sync/SCIM, auditing) are considered table stakes.
I used to share that sentiment but now having worked on the other side and been involved in too many pricing discussion, segmenting is _hard_. Generous free and credit card plans are often subsidized by enterprise contracts and you gotta have some features to make people want to pay for those enterprise plans. SSO/SCIM/Audit logs are great for that because big companies _really_ care while most SMBs don‘t have an IdP and SME are usually fine forgoing it if they can save a buck or two.
So there used to be a platform that gave you all the things you needed to build an app...
It handled stuff like authentication, user management, provisioning, security, compliance, etc. It had a fantastic developer experience and was beloved by developers and at the same time loved by IT. It allowed developers to focus exclusively on product features, and it seamlessly took care of administrative needs of corporate IT.
It was called Microsoft Windows. :)
But in today's era, everything has moved to the cloud and that's made the situation fragmented. There's over a dozen IdP and even more directory systems and logging systems. There's no source of truth! In order to build an app for enterprise, you have to write all of this boilerplate integration code. And right now every company does it themselves in-house.
The goal for WorkOS is to handle all the complicated undifferentiated complexity that every workplace app needs. It runs "under the hood" and lets you focus on building unique product features. It's a standard set of interfaces and features shared across applications.
That's the role of the operating system and that's why we call it an OS. :)
I've had the same thought/idea myself. There's so much more this can branch into if you want.
It looks like this is very targeted towards the SMB space. I'm wondering if you could adjust your pricing and features to help modernize & consolidate some of the overlap at larger businesses in general.
Looks nice indeed @grinich ! Excuse the naive question but : what's the difference between workOS and software such as amplitude or mixpanel for audit trail logs ?
From what I understand, you have to declare events as you would do with analytics software. And your docs doesn't say how you make the audit trail available to the customers. If I have to do the proxy myself, then I really do not see the difference with an analytics software.
A slightly offtopic question. Besides older systems/older systems integration is there any reason to have SAML based SSO?
It always seemed to me that if you do not have to support SAML for some older systems the get to go solution is to use a OAuth2 based solution like OpenId Connect.
We're currently in the middle of our SOC-2 Type 2 observation period and should have that certification in Q2.
The company is barely 1 year old and the process of certification can be a bit slow. Other attestations including ISO/IEC 27001, 27017, and 27018 will come later.
We also have a lot of internal practices and policy for how we secure WorkOS while still allowing our engineering team to ship code incredibly fast. It involves separation of duties, hardware security keys (YubiKey), and lots of automation with alerting.
Hopefully we can write something public about it later this year. Many of the ideas came from Stripe's security team. (Thanks Angie! <3)
Will you be supporting HIPAA/PIPEDA as well? I'm just teeing up all of this work for a healthcare SaaS offering, non-trivial. We're presently deployed as a "per-customer" model as some require enterprise options, others not so much. Would be great to have a tool that fills those gaps simply when/as required.
Looks great, I'll definitely be going through it in more detail after work.
This is extremely impressive. The value prop, the product, all of it. It resonates.
I was at a startup 5 or so years ago, and now am at a very large company. The world of pain you enter as a small shop when the Large Co. takes you through their third-party compliance and enterprise IT requirements are mind boggling. WorkOS seems to be that critical and much overdue on-ramp between startups and the FT500.
Similar and different in some ways. Our SSO is free, which makes it a lot more accessible to startups and companies just beginning to go up-market.
We also provide a more generic abstraction than Auth0. They essentially "take over" your auth screens and show Auth0 UI. If you use WorkOS, it's not visible to your end-users and you can customize the sign-in experience how ever you want.
You can do this with the Auth0 APIs as well, no? By hitting the `/authorize` endpoint for saml-typed Auth0 connections? In that case Auth0 then acts as a SAML-to-OpenID Connect translation layer.
there is a couple ways to do and handle this. It seems like the best practices change every 6 months. There is a similar way to do this with azure AD also. I'm curious how workos differs. Seeing this field evolve over the last 2-3 years has been interesting.
We just build our own SCIM endpoint and are now trying to integrate it into OKTA. I'll never get that time back that I spend reading the SCIM spec. Could have used it to build something that adds value to our customers.
Realy nice and clean website, I love the simplicity. It's a small thing but I would avoid black CTA in the project. Using colors could increase interaction with design ;)
Maybe you would like to also introduce your tool to our audience on Owwly (https://owwly.com)? I think you can find there some potential users.
WorkOS is “Plaid for enterprise IT systems.”
I learned about these enterprise requirements the hard way. Previously, I founded Nylas where we built an email app called Nylas Mail. We couldn’t monetize that app and shut it down (RIP) and the main reason was that we couldn’t sell it to enterprise because it was missing features.
Here’s a short Twitter thread with more info about WorkOS: https://twitter.com/grinich/status/1239943470271188992
Best place to start is with the docs: http://docs.workos.com/
Would love to get your feedback, questions, and ideas. Thanks! :)