sso-wall-of-shame VS workload-discovery-on-aws

Hi! Tailscalar here. This is very topical for me! Over the past 3 weeks I've been working with internal stakeholders to remove our SSO tax - the sso tax is a pet hate of mine. A couple of weeks ago we removed it from our pricing plan after my proposal was approved, and today I released a blog on our website to announce it more widely: https://tailscale.com/blog/sso-tax-cut

I knew of https://sso.tax (which we are not listed on but I did include in my blog), but didn't know there was another website too!

I'm not the person you've asked, but I'm somebody who has been purchasing SaaS/software for businesses large and small for years. My take:

1. If SSO and other basic modern security features are locked into "Enterprise" pricing tiers then the service is at the bottom of the list (see: https://sso.tax). I'd love to say instant disqualification but too many SaaS companies have it in their head that only wealthy enterprises use SSO, despite SSO platforms being widely available and some quite cheap to acquire and start using.

2. If I need to request a quote to start any kind of service to see what the product is about then I'm not likely to pursue it. Don't make me jump through hoops when I'm just trying to see if a product can fit my needs.

3. If license terms are too complex or easy to violate that's a hard pass. Infrastructure monitoring tools are a great example. The licensing is often per "device" or per monitored metric, and some vendors are very loose with their definition of "device". (Don't use LogicMonitor with k8s unless you like throwing money in the garbage can). Hard lessons learned.

4. If the only details I can find regarding how you secure your product are claims of SOC2 and ISO27001 certification then that's a very likely pass. Those controls are great to have, necessary even, but anyone who has had to work to meet those compliance objectives knows that they're much more about organization controls than they are product security. Give me an idea about how you protect data and whatnot on a security page somewhere, not an attestation that dev and prod are separate and you have logs.

On the side of the positives, outside of not hitting the negative marks, I value ease to work with, responsive and competent support, strong pre and post-sales solutions architecture and support/training (if the product is complex enough to warrant that), and supports SSO. I bring up SSO again because it's a hard requirement for SaaS purchases everywhere I go -- no SSO, no go. Social login is not a substitute and is highly undesired.

Hope this helps.

Don’t be shy, here’s the link: https://github.com/robchahin/sso-wall-of-shame/issues.

It sounds like you're unaware of why SSO is considered a security feature at all them, but it's covered right on the site: https://sso.tax/

It's to allow centralized access management. Stuff like firing someone and revoking their access from one platform instantly, instead running around and changing permissions in every tool manually. Or ensuring people in department A can't be invited to some platform for people in department B in order to limit information access.

SSO tax is predicated on the idea that the moment you outgrow the informal arrangements and liberal access, you're really a business. Seems pretty fair?

Last time I had to implement Okta integration for DocuSign at my employer it was absurdly expensive. If Google does this right then I’d be ever so happy.

DocuSign on the SSO Tax site: https://sso.tax/

There’s a strong, widespread objection to hiding security features behind a paywall: https://sso.tax/

If 2fa is the only way you can differentiate in order to force enterprises to pay, it’s better to have a fee for security than to die because you can’t make money… but broadly, as a security company, you should aim for maximum security for every user.

I totally understand. I'm aware of the SSO tax. It's just honestly a complex feature, with a significant maintenance and support burden, and I leaned making it EE so that it'd be worth all the effort to implement and maintain (i.e. I want it to be a new-positive feature for revenue). But if I could get help from other contributors, I'd be fine with SSO being a CE feature too.

Need to put them up for the SSO Wall of shame. https://sso.tax/

Workload Discovery on AWS has recently released a new version - would that work for you?

It's interpreted line-by-line so that each line represents one state of the diagram. There are commands to delete nodes: when I delete a node I just remove it from its parent but leave it in the top-level state. That has the neat effect that if I re-add it, I get the node with all its descendents and connections restored in one step, which I can use to pre-diagram things I talk about often.

After calculating the drawing state by applying all the commands from the start to the current selection, the next step is to limit this to the visible pieces. I make a copy of the drawing state, starting from the currently zoomed node and following all children. Then I add all connections, if all the 'to' ends of the connections are visible.

Next, I do layout. Starting with the visible tree, annotate all nodes with positions of the box (if any), the icon, and the label. The diagrams I'm drawing are similar to those produced by AWS Perspective: https://aws.amazon.com/solutions/implementations/aws-perspec... , so if a node has no children I draw it as a large icon with a label below, if it has children, it is a box with a small icon to the top left, a centred label at the top. Each node can choose one of a small number of layouts that I can do automatically with just a list of children: 'ring' (a circle of nodes), 'row', 'column', or 'snake' (the default: alternate rtl-ltr rows to evenly fill the space; this will be a grid if that fits or could end up like 4-3-4-3 if it doesn't). In ring & snake, boxes are always 4:3; in row and column they are stretched to fit.

Next, I do animation. I keep around the previous layed-out state, and use window.requestAnimationFrame to calculate the position of boxes between the start and end state. A box that is in both start and end states is moved, if it is only in start or end I fade it in or out as need be. This lets me animate between _any_ two states of the drawing, so I can talk about one bit of the diagram, then jump back and forth by clicking in the command window, and it smoothly animates between them. I found animating for just 0.5s worked best for interactivity; it's nice to see a slower move but it feels laggy when typing.

I calculate arrow positions after calculating the final position of boxes and icons. I chose to use circular arcs, because you will never get an awkward situation where an arc lies directly along the edge of a box; straight things are always boxes, curvy things are always arrows. SVG wants two endpoints and a centre to draw these. So, I start with an arc between the centres of the two boxes, choose a radius twice as long as the distance between these points; then I calculate the intersection of the arc with the boxes, and use those two intersection points as the start/end of the arc. (this isn't that difficult, the formula for the arc is in the svg spec, and it's checking 4 straight lines, choose the intersection point closest to the other box). Like the boxes, the arrows fade in and out if they are not needed in one of the start or end states.

All of this then just replaces the content of the svg. It's surprisingly smooth.

One last detail is icons. I'm using the icons from mingrammer (https://github.com/mingrammer/diagrams/tree/master/resources), which gives me about 1600(!). Finding an icon _while you type_ is awkward and initially I had to drop to the shell to find the file I was going to refer to. I tried giving the drawing tool a mode that would let me visually pick the icon, but 1600 is too many. So I changed it to use a fuzzy search to find an appropriate icon: it looks for the icon where the sequence of characters appear in the shortest substring of the icon path: eg for 'ec2' it constructs the regex `.(e.?c.*?2)`, scoring the matching substring 'ec2' better than 'elastic2', and the shorter containing string 'aws/compute/ec2' better than eg 'aws/compute/ec2-rounded'. (I have a further round of preferences so that the top level aws iconset is preferred to eg the ibm one, which has terrible icons). This gives you an icon for almost anything you type, and encourages a more playful approach to picking the icon than the exact-match approach.

There's a bit more to it, I also accept some markdown which fades from the diagram to slides with bullet points, then back to the diagram if the current command is a diagramming command. But the description above is most of it. I could probably have done this better with eg d3 to do the drawing but I am not a front end developer at all and the whole thing was more of a hack over a couple of weekends. I should clean it up a bit, but it works.

I serve up pre-prepared pages with this js attached from github pages, I can walk through eg the flow of data clicking the down arrow to change the selection which causes it to animate to the next state which has the next arrow... and so on.

AWS has a solution called AWS Perspective that will do exactly this. The solution itself is free and open source, you only pay for the resources it creates. You can also export the diagrams to draw.io if you want to edit them manually. Also, it will show you how much your solution(s) and each of its components is costing you.

Check out - https://aws.amazon.com/solutions/implementations/aws-perspective/