Here are the key themes from the Hacker News discussion:
SAML vs. OpenID Connect (OIDC) Functionality and Age
A central point of contention is the comparison between SAML and OIDC, particularly regarding their functionality and historical relevance. Some users initially described OIDC as a predecessor to SAML; others corrected this, pointing out that SAML is significantly older. The debate then shifted to which specific capabilities SAML offers that OIDC does not, or at least not in the same standardized manner.
"SAML is older than OpenID Connect by ~13 years." - SahAssar
"OIDC does not in any way offer the same functionality as SCIM and SAML. SAML is approximately OIDC + SCIM + Legacy Cruft" - jpc0
"What is the extra stuff that is provided compared to OIDC? I was implementing some of this stuff recently, and for my use case (who is this user? Do they have permission to use this application? Which parts of the application are they allowed to use?) OIDC seemed to cover everything, so I'm pretty curious if I missed some functionality that SAML provides." - OkayPhysicist
"SAML allows you to send additional attributes with the identity payload, like group memberships. This is not inherently authorisation, but can be used to automatically map users to teams/groups/roles in your application. SAML is a very complicated standard, and very painful to implement. OIDC is much simpler, but lacks some of the capabilities." - T-Winsnes
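To make T-Winsnes's point concrete, the following example (written for this summary, not code from the thread or from any product mentioned in it) reads group membership from a constructed SAML AttributeStatement and from a constructed OIDC ID-token payload, then maps both to application roles with a deny-by-default table. The attribute name `groups`, the claim name `groups`, the group names and the role mapping are all assumptions; SAML attributes are multi-valued by design, whereas the OIDC `groups` claim is a non-standard addition the IdP must be configured to emit.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the AttributeStatement of a SAML assertion as an IdP
# might send it. Signature and Conditions are omitted; a relying party must
# verify the assertion signature before trusting anything parsed here.
SAML_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email">
    <saml:AttributeValue>alice@example.test</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>finance-admins</saml:AttributeValue>
    <saml:AttributeValue>all-staff</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Constructed sample: decoded payload of an OIDC ID token. "iss", "sub" and
# "email" are standard claims; "groups" is an assumed custom claim.
OIDC_ID_TOKEN_CLAIMS = json.loads("""{
  "iss": "https://idp.example.test",
  "sub": "248289761001",
  "email": "alice@example.test",
  "groups": ["finance-admins", "all-staff"]
}""")

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Application-side mapping from IdP group names to application roles.
# Deny by default: a group with no entry grants nothing.
GROUP_TO_ROLE = {
    "finance-admins": "billing:admin",
    "support-staff": "tickets:write",
}


def saml_attributes(statement_xml: str) -> dict[str, list[str]]:
    """Return every attribute in the statement as name -> list of values.
    SAML attributes are multi-valued, so group lists arrive naturally."""
    root = ET.fromstring(statement_xml)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.attrib["Name"]] = values
    return attrs


def oidc_groups(claims: dict) -> list[str]:
    """Read the assumed 'groups' claim. There is no standard claim name, so
    the application must agree one with each IdP; absent means no groups."""
    groups = claims.get("groups", [])
    return list(groups) if isinstance(groups, list) else []


def roles_for_groups(groups: list[str]) -> set[str]:
    """Map IdP groups to application roles, ignoring unmapped groups."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def roles_from_saml(statement_xml: str) -> set[str]:
    return roles_for_groups(saml_attributes(statement_xml).get("groups", []))


def roles_from_oidc(claims: dict) -> set[str]:
    return roles_for_groups(oidc_groups(claims))
```

Both paths end in the same role set for this sample; the difference the thread is pointing at is that the SAML side works with any IdP that emits the attribute, while the OIDC side depends on a claim each IdP has to be told to include.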
SCIM and Provisioning/Deprovisioning Capabilities
The discussion highlights the role of SCIM (System for Cross-domain Identity Management) as a distinct but often discussed component alongside SAML and OIDC. SCIM is presented as the standard mechanism for user provisioning and deprovisioning, which is a separate concern from the authentication (who you are) and some authorization (what you can do) aspects handled by SAML and OIDC. There's disagreement on whether SAML inherently includes SCIM-like functionality or if OIDC can facilitate similar outcomes.
"Creating the user in your application before first logon. Removing the user from your application immediately and not when their session eventually expires. Doing those things in batch. Querying that data at will to produce reports. Updating a user's group membership when needed and immediately and not when you decide to do so. And then you only need an opaque userid from me and not a fat OIDC token that knows everything about my internal structure." - jpc0
"These are all features of SCIM, not of SAML. SAML only communicates user metadata on login. SCIM can be used with both SAML and OIDC." - maxwellg
"Regardless, OIDC is authentication, not authorisation. OIDC asserts who you are, not what you are allowed to do, where SAML asserts what as well as who." - jpc0
"Both also need SCIM or something similar to offboard users" - T-Winsnes
"Provisioning/Deprovisioning is a separate concern; SCIM is one way (but just in time provisioning can also be achieved with both solutions)." - lll-o-lll
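The capabilities jpc0 lists (create before first logon, remove immediately, update groups, query for reports) are the application side of SCIM. The following example models that side in memory; it is written for this summary, not taken from the thread or from any product in it, and is an illustration of the flow rather than a SCIM server. The user resource and PATCH body are constructed samples shaped like SCIM 2.0 messages; the `externalId` value, user name and group names are assumptions. The point it shows is that deactivation must also revoke live sessions, otherwise access ends at session expiry rather than at offboarding.

```python
import json
from dataclasses import dataclass, field

# Constructed sample: a SCIM 2.0 User resource as an IdP would POST to /Users
# to create the account before the employee ever logs in. The application
# keeps only an opaque identifier, not the IdP's internal structure.
SCIM_CREATE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "externalId": "idp-user-7f3a",
  "userName": "alice@example.test",
  "active": true
}""")

# Constructed sample: a PATCH deactivating the user, as sent on offboarding.
SCIM_DEACTIVATE = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{"op": "replace", "path": "active", "value": false}]
}""")


@dataclass
class User:
    id: str
    user_name: str
    active: bool = True
    groups: set[str] = field(default_factory=set)


class ScimStore:
    """In-memory model of what an application does with SCIM messages."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, str] = {}  # session token -> user id

    def create_user(self, resource: dict) -> User:
        """POST /Users: the account exists before the first logon."""
        uid = resource["externalId"]
        user = User(id=uid, user_name=resource["userName"],
                    active=bool(resource.get("active", True)))
        self.users[uid] = user
        return user

    def patch_user(self, uid: str, patch: dict) -> User:
        """PATCH /Users/{id}: apply 'replace' operations. Deactivating also
        drops every live session so access ends now, not at session expiry."""
        user = self.users[uid]
        for op in patch["Operations"]:
            if op["op"] == "replace" and op["path"] == "active":
                user.active = bool(op["value"])
                if not user.active:
                    self.sessions = {t: u for t, u in self.sessions.items() if u != uid}
        return user

    def set_groups(self, uid: str, groups: set[str]) -> None:
        """Group membership pushed by the IdP, applied immediately."""
        self.users[uid].groups = set(groups)

    def login(self, uid: str, token: str) -> bool:
        """Only a provisioned, active user may open a session."""
        user = self.users.get(uid)
        if user is None or not user.active:
            return False
        self.sessions[token] = uid
        return True

    def session_valid(self, token: str) -> bool:
        uid = self.sessions.get(token)
        return uid is not None and self.users[uid].active

    def filter_users(self, user_name: str) -> list[User]:
        """GET /Users?filter=userName eq "...": on-demand reporting."""
        return [u for u in self.users.values() if u.user_name == user_name]


def run_offboarding_scenario() -> dict:
    """Walk through provision -> login -> group update -> deprovision."""
    store = ScimStore()
    user = store.create_user(SCIM_CREATE_USER)
    result = {"created_before_login": user.id,
              "first_login": store.login(user.id, "session-1"),
              "session_before_offboarding": store.session_valid("session-1")}
    store.set_groups(user.id, {"finance"})
    result["groups"] = set(store.users[user.id].groups)
    store.patch_user(user.id, SCIM_DEACTIVATE)
    result["session_after_offboarding"] = store.session_valid("session-1")
    result["login_after_offboarding"] = store.login(user.id, "session-2")
    result["report"] = [u.id for u in store.filter_users("alice@example.test")]
    return result


if __name__ == "__main__":
    print(run_offboarding_scenario())
```

Nothing in this store depends on SAML or OIDC, which is maxwellg's point: the provisioning channel is separate from the login channel, and the same store would sit behind either.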
B2B vs. B2C Identity Management and Customization
A significant theme is the differentiation between Business-to-Business (B2B) and Business-to-Consumer (B2C) identity management needs. B2B scenarios are characterized by more complex authorization models, organizational structures, and the need to integrate with existing enterprise identity providers. While some argue that the core principles of identity and authorization are similar, the practical implementation, especially concerning third-party access and managing nested organizational structures, presents unique challenges for B2B. The discussion also touches on how new products aim to be more opinionated for B2B use cases, potentially abstracting away complexity compared to more flexible solutions.
"The comparison will certainly seem wrong months / years into the future as our companies evolve!... focus on serving B2B applications... steer developers into a 'pit of success' by abstracting away a lot of details that most people don't need to worry about." - noleary (cofounder of Tesseral)
"From our experience at Zitadel, we've found that mid-market and enterprise customers often also look for industry standards like SAML and OpenID Connect to integrate their services... Tesseral is taking a more focused approach with SDK and API integrations for web apps, which makes a lot of sense for many teams starting out." - ffo (Zitadel)
"Consumer and B2B auth are different mostly because they have different identity and authorization models... Businesses have actual control over their employees' identities because they own domains and emails get routed to wherever they point their domain at... Business authorization models work exactly the same way for admins... It's kind of insane to give everybody access to everybody's data so businesses create ontologies of roles/groups/scopes so that each employee only gets just as much admin powers as they require." - weitendorf
"Except you got people from the parent company wanting access to certain stuff, and then there's the third-party auditor that needs access and so on." - magicalhippo
"Might require different authentication providers. Take the case of the accountant in the parent company. Either you create a user for that accountant in each of the child companies and manage access individually for each company, or you have a single user which has access to different child companies through separate permissions or something like that." - magicalhippo
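The second option magicalhippo describes, one identity holding separate permissions in several child companies, is what the following example implements. It is written for this summary, not code from the thread or from any product in it. The organisation tree, the roles, the permission names and the three sample identities (a parent-company accountant whose role is inherited downward, a third-party auditor scoped to one subsidiary, and a subsidiary owner) are all constructed; grants are explicit per organisation and a role never propagates upward.

```python
from dataclasses import dataclass

# Constructed sample organisation tree: child org -> parent org.
# The root has no parent.
ORG_PARENT = {
    "acme-holding": None,
    "acme-north": "acme-holding",
    "acme-south": "acme-holding",
}

# Constructed role definitions. Unknown roles grant nothing.
ROLE_PERMISSIONS = {
    "owner": {"invoices:read", "invoices:write", "members:manage"},
    "accountant": {"invoices:read", "invoices:write"},
    "auditor": {"invoices:read"},
}


@dataclass(frozen=True)
class Grant:
    """One role for one identity in one organisation. 'inherit' controls
    whether the role also applies to that organisation's descendants."""
    org: str
    role: str
    inherit: bool = False


# Constructed sample grants: a single account per person, with per-org roles
# instead of one account per subsidiary.
GRANTS = {
    "accountant@acme.test": {Grant("acme-holding", "accountant", inherit=True)},
    "auditor@thirdparty.test": {Grant("acme-south", "auditor")},
    "ops@acme-north.test": {Grant("acme-north", "owner")},
}


def org_chain(org: str) -> list[str]:
    """The organisation and its ancestors, nearest first; empty if unknown."""
    chain = []
    while org is not None and org in ORG_PARENT:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain


def effective_permissions(user: str, org: str) -> set[str]:
    """Union of permissions from grants on this org, plus grants on an
    ancestor org that were marked as inheritable. Roles held on a child
    org never reach the parent."""
    chain = org_chain(org)
    if not chain:
        return set()
    ancestors = chain[1:]
    perms: set[str] = set()
    for grant in GRANTS.get(user, set()):
        applies = grant.org == org or (grant.inherit and grant.org in ancestors)
        if applies:
            perms |= ROLE_PERMISSIONS.get(grant.role, set())
    return perms


def can(user: str, permission: str, org: str) -> bool:
    """Deny by default: anything not explicitly granted is refused."""
    return permission in effective_permissions(user, org)
```

Because the check is evaluated against the organisation being accessed rather than against the account, revoking the auditor is a single grant removal, and the accountant needs no per-subsidiary account even though the subsidiaries are administered separately.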
Criticism of Overlapping Solutions and "Reinventing the Wheel"
There's a recurring sentiment that the identity management space is crowded with solutions, leading to a sense of "reinventing the wheel." Some users express frustration with new products entering the market without a thorough understanding of existing, mature open-source options. The preference for certain programming languages (like TypeScript) is also questioned, especially for mission-critical backend systems.
"I'm puzzled as to why this area is constantly seeing reinventing the wheels? I can name a few very mature (20 years in the making) open source projects that pretty much let you self host everything you might possibly need to handle all sorts of authentication schemes" - joseonjok
"It seems like if it's not written in Javascript people have an aversion to it and this 'keep everything typescript' really makes no sense to me especially when you deal with the mission-critical nature of backends." - joseonjok
"I know it is bad form to level accusations at other commenters, but I have to ask: have the LLMs infested this thread? What is with all the content-free 'how does it compare to [X]' comments in here?" - Analemma_
"From our experience at Zitadel, we've found that mid-market and enterprise customers often also look for industry standards like SAML and OpenID Connect to integrate their services, so we've made those a core part of our offering, including providing fully compliant SAML and OpenID Connect endpoints." - ffo (Zitadel, responding to comparisons)
Website Stability and User Experience Issues
A practical concern raised during the discussion pertains to the stability and accessibility of the product's website. An "Application error" and issues with content loading were reported, leading to criticism about the impression it sets for a new product, especially one dealing with security-sensitive areas. The original poster acknowledged these issues and stated they were being addressed after a recent website overhaul.
"https://tesseral.com/ Application error: a client-side exception has occurred while loading tesseral.com (see the browser console for more information)." - koakuma-chan
"Next.js doing that is like ASP.NET in production 'in debug mode' printing stack traces, or PHP applications printing their MySQL connection errors. So sad." - rsstack
"I've been seeing this all over the internet, even on news websites that have already loaded their content. So Next doesn't allow me to read text that's already loaded in my browser because of some random JS error I don't care about." - jamil7
"oops, thanks for flagging. we'll fix this! we only recently did a complete overhaul of our website and are still patching up some details" - noleary (cofounder of Tesseral)
Self-Hosting vs. SaaS for Identity Management
The discussion touches upon the preference for self-hosting versus Software as a Service (SaaS) solutions for identity management. While some argue that businesses often prefer to self-host for control and data residency, others point out that the burden of managing authentication infrastructure (password hashing, 2FA, etc.) is significant. The availability of mature open-source solutions for self-hosting is acknowledged, but the need for managed identity providers (IdPs) that handle these complexities is also highlighted as a key requirement for many businesses, especially when dealing with existing enterprise identities.
"In most B2B cases you really don't want to self host authentication. Really." - pakl
"There are plenty of identity providers out there who will worry about hashing passwords, resetting them, 2FA, etc. Most client businesses already have identities via one of those for all their employees (read: users of your APIs or apps). Unfortunately nearly all of the open source solutions out there do exactly what you said, they start with (required) self-hosting authentication. Not helpful." - pakl
"I believe it's important to offer people a choice. Some prefer self-hosting, while others opt for SaaS; it really depends on their specific needs. If you require data residency and complete control, self-hosting is the way to go. On the other hand, if you want a hands-off operational experience, SaaS makes more sense." - ffo