Kudos on releasing open source, and on launching an easy-to-use service.
Side thought: If this takes off as a popular quality implementation, an additional effect might be that it's easier for vendors of other services to integrate with users of your software. Maybe there's some way you can profit from that savings or reduced sales friction. (I've had to implement several F500 SSO integrations from scratch, because they were doing bespoke/custom things, and even "SAML" doesn't necessarily interoperate, but software like yours might out of the box.)
Question: For the free hosted SSO, how well are you going to be able to secure that, so that your customers aren't compromised through you?
Question: Will the free tier SSO have uptime guarantees, since it'll be a single point of failure for all your customers? For startups that decide they'd like it hosted for them, but need an SLA, do you expect to be able to provide that at a price doable by startups? (Will a cloud provider pick up those customers using your software?)
> Question: For the free hosted SSO, how well are you going to be able to secure that, so that your customers aren't compromised through you?
Yeah, this is super important. No short answer here, it's just about doing the work and getting it right.
We're working with Oneleet for our SOC2 stuff (which we all know is largely theater) but also pretty thorough pentesting. I can email you their findings.
The reality is we're one of those companies that need to get this stuff right.
> Question: Will the free tier SSO have uptime guarantees, since it'll be a single point of failure for all your customers? For startups that decide they'd like it hosted for them, but need an SLA, do you expect to be able to provide that at a price doable by startups?
Our plan is to work out agreements on a case-by-case basis. It'd depend on exactly what you need. We take guarantees pretty seriously, so we're careful about what we promise.
We're not a services business. We don't want to make money off of "premium support". There is a modest price tag if you want an SLA.
> (Will a cloud provider pick up those customers using your software?)
> SOC2 stuff (which we all know is largely theater)
SOC2 is only theatre if (a) you already have good practice, and (b) you can demonstrate that you have good practice. If your practice isn't good enough (like the whole notion of security controls is a foreign concept), and sure there's a lot of boilerplate to work through -- but the whole point of a SOC2 Type 2 report is that you only have to demonstrate once to the auditor, rather than to each customer each time.
Having to get internal security sign-off for a non-audited SaaS vendor -- really, life's just too short for that most of the time, and if there's choice of two more or less equivalent providers we go with the certified one every time.
Thanks. Regarding "Will a cloud provider pick up those customers using your software?", I was wondering whether there might be a situation in which there was a category of service customers you'd like to have, but that a cloud provider hosts your software without you otherwise involved.
I think the reality is that the category of software we're open-sourcing isn't very big. We're gonna make our money doing other things, not all of which will be open-source.