Learn what enterprise SSO is, why enterprises need it, how it works, and why you should support it in your SaaS.

Learn what OpenID Connect (OIDC) is, how it works, why you should use it, and how to implement it using WorkOS.

Enterprise Ready Conference, HIPAA compliance, frontend sessions, AuthKit branding customization

AuthKit now supports sessions for public clients, like mobile and single-page apps. Use the WorkOS React SDK to keep your users logged in for longer while keeping them safe from attacks.

Learn what sessions are and how you can implement them from scratch or using an auth provider like WorkOS.

AuthKit now supports Proof Key for Code Exchange (PKCE), the OAuth flow that enables public clients, like mobile and single-page apps, to authenticate and make API calls securely.

An in-depth look at fine-grained permissions, their benefits, challenges, use cases, and best practices for implementation.

Learn the most important differences between OAuth vs. OAuth 2.

Learn about the five major types of authentication and understand how they work.

Compare coarse-grained vs. fine-grained access control and find out which is right for you.

Learn what Fine-Grained Access Control is and how it works.

Certificate renewal flow, organization switching APIs, modeling your app docs, provider icons API

Attribute-Based Access Control (ABAC) provides a targeted, more precise way to manage who can see and use different resources and under which conditions.

Learn what authorization is, its different patterns, and best practices.

In this article, we’ll dive into what SAML X.509 certificates are, their role in your SAML Single Sign-On (SSO) connections, and best practices for managing these to ensure there is no downtime for your enterprise customers.

A glossary of terms and definitions for all things related to authentication and authorization.

For high-growth startups, time is the single most important resource. It’s so important that months of delay in shipping SSO and SCIM can result in a potential revenue loss of $7.95M compared to using a pre-built solution. The ROI difference is staggering too: 9% for a homegrown solution vs. 1,954% for a pre-built one. This article explains the methodologies used to calculate these numbers.

SCIM vs SSO: Learn the differences between SCIM and SSO and how they work together in identity and access management.

Learn what Google Zanzibar is, how to implement it, and how it compares to other authorization technologies.

RBAC for AuthKit, Fine-Grained Authorization early access, SCIM role assignment, updated Node SDK, and new Log Streams destination

SCIM provisioning is an important enterprise feature that provides user lifecycle management (ULM) and automated access control. Building this in-house means you must deal with fragmentation issues across onboarding, implementation, and triage, incurring significant engineering cost, delayed time to market, and potential security issues.

Time is invaluable for SaaS startups aiming to become Enterprise Ready quickly. Building complex (yet table stakes) features in-house, like SSO and SCIM, can significantly delay enterprise adoption. In part 1, we will dive into the hidden challenges you will face with a homegrown solution, highlighting just how demanding and time-consuming the process can be.

AuthKit now supports RBAC as part of its core authorization capabilities. RBAC is a common authorization scheme where each user is assigned one or more roles, and each role is assigned a set of permissions that defines which resources and actions the user can access in your application.

When building authorization for enterprise customers, supporting IdP role mapping is a challenging yet important task. This allows organizations to manage their roles and permissions through a single source of truth, the IdP, rather than dealing with unique permissions schemes for each SaaS tool.

Learn all about RBAC, how it works, its benefits, and when to use it.

SCIM plays an important role when selling to larger enterprises with IT teams that need to manage access for thousands of users. This post explains why you should prioritize implementing SCIM and the use cases it unlocks: improved security, automated provisioning and access management, and simplified billing.

Authorization often takes a backseat to authentication, but it becomes critical as applications scale and and require finer access control. This blog series covers the transition from basic role-based access control (RBAC) to more advanced fine-grained authorization (FGA), offering practical guidance for engineers implementing these systems.

Developer Week recap, Apple OAuth, User Management with SCIM, IdP role assignment, the Remix example app, and more

Identity linking consolidates duplicate accounts with their own authentication credentials into a single account. While this seems straightforward, it involves a number of considerations around email and domain verification. WorkOS handles these complexities and provides secure identity linking by default.

When we launched User Management along with a free tier of up to 1 million MAUs, we faced several challenges using Heroku: the lack of an SLA, limited rollout functionality, and inadequate data locality options. To address these, we migrated to Kubernetes on EKS, developing a custom platform called Terrace to streamline deployment, secret management, and automated load balancing.

Developers favor webhooks for their ease of implementation and similarity to web endpoints. However, it's crucial to balance simplicity and data integrity, like choosing between TCP for reliability and UDP for speed. For SaaS vendors, offering more alternatives to webhooks will give developers the flexibility to meet diverse application needs.

Route-level authentication specifies which pages require authentication, keeping relevant logic together. Middleware-level authentication follows a Zero Trust model and simplifies group route authentication. The choice depends on your application architecture, but an additional authorization layer is needed for complete security.

Can you really adopt Next.js App Router incrementally? At WorkOS, we learned that you can’t really migrate a complex app page by page without a hit to the UX. Instead, we worked out a migration guide that allowed us to test our entire app with App Router while still serving the Pages Router to users—before making the final switch.

A comparison of single-tenant vs multi-tenant architecture: How they work, their pros and cons, and tips to decide which one suits your SaaS best.

Compare OAuth vs SSO to learn what they are and which you should use in your SaaS.

Discover the best three alternatives to SAML SSO: OAuth 2.0, OpenID Connect, and WS-Fed. Understand what each protocol offers and find out which one is the best fit for your needs.

Send your own AuthKit emails, PKCE support for SSO, Events API for filtering orgs, soft deletion support in User Management

Learn how to build a SCIM server for your app with WorkOS.

Learn what an IDaaS is, how it works and why it makes sense to use one.

Authentication (AuthN) is the process of verifying the identity of users or systems before granting access to resources, essential for ensuring security in applications. This blog explores various AuthN methods like passwords, multi-factor authentication, and biometrics, and discusses the trade-offs of building in-house or using third-party providers..

Learn what SaaS authentication is, explore popular SaaS authentication methods, and find out how to choose and implement the right one.

Relationship-Based Access Control (ReBAC) is an authorization model that grants access based on user-resource relationships, offering a more dynamic approach compared to RBAC and ABAC. This blog breaks down how ReBAC works, its benefits and implementation challenges, and when it's the best fit for your app.

Multi-tenancy is a software architecture where multiple users share a single application instance while keeping their data separate, making it cost-efficient and easier to manage. This blog explains multi-tenancy, its advantages and disadvantages, and offers best practices for implementation.

Learn what identity provisioning is, how it works, its benefits, and the protocols that enable it.

GitHub secret scanning partnership, API endpoints for user auth methods and IdP identifiers, and Perplexity Enterprise Pro for all customers

Our roundup of the best 5 open source SSO providers and how to choose the right one.

Perplexity is giving all WorkOS customers 3 free months of Perplexity Enterprise Pro.

Learn about the 4 main types of access control, how they work and how to choose the right one for your company.

Today, we are excited to announce the acquisition of Warrant, the Fine Grained Authorization (FGA) service for developers. This is a major step in WorkOS’ vision to become the world’s best platform for identity, authentication, and authorization.

We compare ADFS vs SSO, and discuss what they are, their benefits, drawbacks, and their roles in identity management.

Learn about deprovisioning user access with SCIM and the differences in deprovisioning strategies amongst major IdPs.

Exploring the differences between SCIM 2.0 and SCIM 1.0, and what's new in the latest version of the protocol

Developer resource for modern day user management, including 101 topics like SSO and MFA as well as more advanced concepts like identity linking, email verification, and JIT provisioning.

Sessions, Roles, Impersonation, streaming to Datadog, new JavaScript runtimes support, and Radix Themes 3.0

Compared to alternatives like screen sharing, written documentation, or shared login credentials, impersonation provides an effective and secure way for your support team to troubleshoot.

The workos-node library now supports JavaScript environments like Deno, Bun, Cloudflare Workers, Vercel, and Node, simplifying API requests across these platforms.

The new Datadog integration now lets you stream WorkOS events and generate comprehensive reports of all end-user logins, offering improved monitoring and debugging.

With Roles, defining access control levels for your users is now a breeze. When a user session is initiated, role information will appear by default.

Session management is the mechanism for securely handling interactions between a user and an application within a specific time frame. Sessions are now available to all WorkOS users for free.

OAuth vs OpenID: Learn how they work, their pros and cons, and when to use each or both.

Exploring the differences between SAML and OAuth, how they function, and how to choose which one to support.

We compare LDAP vs SSO to learn what they are, how they work, and when to use which.

Learn how to sync Active Directory users to any SaaS app using the SCIM protocol.

Test SSO, organization auth policies, profile pictures from OAuth providers, and why Hypercare migrated from Auth0

Test SSO enables developers to perform rigorous end-to-end testing for the SSO integration without having to sign up with an identity provider.

SCIM automates and secures user identity management across systems with TLS encryption and authorization mechanisms. This blog explains SCIM's functionality, security features, and the advantages of automated user provisioning to minimize administrative burden and security risks.

In this article, we're going to unpack everything you need to know about SCIM and SCIM provisioning, dive into how SCIM works, and show you how to start using SCIM for ADFS.

This guide surfaces complexities and implementation details for supporting organization modeling as part of the authentication and authorization layer for apps.

Exploring the differences between JIT and SCIM, how they function, and how to choose which one to support.

A technical deep dive on how AuthKit ensures strong user passwords.

Everything you need to know about the automated provisioning of account access.

Learn what SSO is, how its used with SSL and which other protocols are involved.

Explore the differences between SAML vs SSO, clarify common misconceptions, and learn how SAML specifically facilitates SSO.

Learn what the SCIM protocol is, what it's used for, and how to use it in your own SaaS app.

Bot Protection in AuthKit, Organization filtering in Dashboard, Filtering Google Workspace Directories, Auth0 pricing comparison, and more

High costs, low usage caps, and opaque pricing are common complaints users voice about Auth0. This post provides a detailed breakdown of the pricing models of Auth0 and WorkOS, and how WorkOS delivers more transparent and competitive pricing options for B2B SaaS companies.

Discover what a SCIM connector is, why it's useful, and explore our top 3 picks for SCIM connectors to consider for improving your system's integration and management.

Our guide will walk you through everything Directory Sync: what it is, why you should care, protocols like SCIM, Directory Sync vs JIT, and how to build it into your product.

Discover how SCIM endpoints work, see examples of 5 key operations they should handle, and find out an easier way to manage SCIM without creating your own endpoint.

Learn what JWTs are, how they work and what you can use them for.

We’ll walk you through exactly what SCIM is, what to look for when selecting a SCIM provider and our top 3 recommendations for SCIM providers to cover any use case.

Learn what a directory service is, how it works, the leading providers, and why companies use it to manage access.

Exploring the differences between LDAP and Active Directory, how they function, and how to choose which one to support.

SCIM defines two main resource types — users and groups. SCIM groups are a collection of users that have something in common and play a critical role in role-based access control.

Learn how to use Directory Sync to provision users from your SaaS app to any IdP.

A recap of 40+ releases for WorkOS customers in 2023 including 99.99% availability, Events API, AuthKit, Domain Verification API, and more.

Exploring the differences between SSO and Federation, how they function, and how to choose which one to support.

Learn about SCIM and SAML, how they work together, their security aspects, and get tips on starting with each.

Compare SAML 2.0 vs SAML 1.1 to understand their key differences and why the transition to SAML 2.0 was necessary.

In this article, you’ll learn more about what SAML is, how you can set it up, and what other options you have to provide similar functionality and support SSO for your customers.

In this article, you’ll learn more about attributes, including how the key attributes work, and how you can use custom attributes to deliver additional functionality.

In this article, we'll break down OAuth and JWT, explaining how each works, pointing out the key differences, and sharing best practices for implementing each - separately or together.

Exploring the differences between OIDC and SAML, how they function, and how to choose which one to support.

MFA is included with User Management (free up to 1 million MAUs) and can be enabled in just a few steps. However, should you choose to support MFA in-house, it is important to remember that implementation requires sizable changes to the backend and the frontend.

Enterprise Readiness in AI is accelerated due to the downstream impact of SOC 2 compliance, stringent protection of sensitive customer data in LLMs, and a focus on core product development over non-proprietary features.

User Management APIs (free up to 1 million MAUs), Domain Verification API, Dashboard SAML for all teams, and the Enterprise Readiness Guide for Product Managers

We’ll explain what Seamless SSO is, how it works, and how you can implement it — whether you’re an IT admin or a startup developer.

We’ll explain what JIT is, how it compares to other user provisioning strategies, why you should consider supporting it and how you can implement it.

AuthKit is a Radix-powered open source authentication UI built for effortless customizations. User Management is the backend platform handling email verification, account linking, bot blocking, organization modeling, and more.

‍In this article, we’ll explain why you should use an SSO provider, what you should look for when choosing an SSO provider and the best 5 SSO providers you can choose from.