
Any B2B Communities utilizing SSO allow customers to bring their own IDP / SSO?

Talk about a loaded subject line.... Are there any other communities out there who are acting as a service provider, and allowing their end customers to bring their own SSO / IDP into the mix?

Example: We utilize OKTA and act as a SP - I'm starting to test with a few customers (companies) to let them bring their own IDP into Community. This way if Company XYZ utilizes OKTA or another solution, their end users can simply click the "Anaplan Community" tile on their end and never have to worry about the actual act of logging in/registering in our Community - It happens behind the scenes via JIT.

The reason for me asking is.... What gaps am I going to run into down the road?  Has anyone tried to set this up for 100+ customers, and if so, what's that like from a maintenance / support standpoint?  Have you seen any benefits in actually offering this to all customers, select customers, etc?

TLDR; Am I an **bleep** for attempting this? 🤣


BYOIDP - I think it's a really interesting idea that could remove quite a bit of friction for line-of-business users in the enterprise.

Core concerns off of the top of my head:

  • Is there enough scale in the accounts to warrant the implementation
  • Working with many corporate IT teams could be...interesting
  • Maintenance of the infrastructure may be more complex in this scheme
  • You don't "own the customer" in the same way, as your relationship with them is mediated by their employer
  • What happens if a company decides to remove the integration from their stack due to security concerns? All of those accounts get orphaned and users have to re-register?
  • Users lose access to their account history (posts, rewards, reputation) when they leave a company

Please post back with your findings if you go forward with the plan. I'd love to hear how it goes.


You're a brave man. We have enough trouble just supporting our single corporate SSO 🙂


@BrianOblinger wrote:

....

  • What happens if a company decides to remove the integration from their stack due to security concerns? All of those accounts get orphaned and users have to re-register?
  • Users lose access to their account history (posts, rewards, reputation) when they leave a company

We're far from a solution that Stan described, only allowing multiple ways to register and log in. But to address one of your concerns: what we've done is allow users to connect multiple ways to log in to their account. They can use the corporate SSO and also connect with FB or Google or even use a native community login. Therefore, an IDP is in place.