Lesson one | Introducing B2B Auth School
Lesson two | Organization tenancy: the foundation of SSO and B2B data models
Lesson three | What is single sign on?
Lesson four | SSO protocols: SAML vs. OIDC
Lesson five | What is OpenID Connect (OIDC)?
Lesson six | What is SAML and how does it work?
Lesson seven | Choosing a B2B auth provider
Entering the world of identity and authentication for B2B companies can feel a bit like taking a big slurp of acronym soup: IAM, CIAM, SSO, SAML, RBAC, ABAC, SCIM…the list goes on.
To help our customers and developer community make sense of this world, Stytch is excited to launch B2B Auth School, our in-house crash course designed to help B2B companies uplevel their understanding and implementation of authentication.
In this school, we’ll cover the technologies, processes, stakeholders, regulations, and external pressures on identity and authentication, and how they inform key decisions every B2B company must face when buying (or building) the authentication stack for their product.
For our first series, we’ll focus on B2B auth technologies, specifically the world of Single Sign On or SSO.
Why start with SSO?
Many B2B decision-makers know they should care about or even invest in SSO without totally understanding what it is, and what building it entails. This is obviously not because they lack smarts or industry knowledge, but rather because SSO is highly complex, and does in fact encompass several different processes, code bases, and tools. They know their customers are asking for it, but they don’t have the time or resources to dive deep into why.
So, to help our B2B customer base, we want to devote our first installment of B2B Auth School to SSO, in the hopes we can make it easy for B2B developers and decision-makers to figure out what they need for their product, and how best to meet their customers’ demands.
But first, we want to go over the bigger picture of B2B auth, including:
- Defining identity and B2B auth
- Why B2B auth is different from B2C
- Opportunities & challenges in B2B auth today
- A sneak peek at our first topic: SSO
Let’s dive in!
Identity and B2B auth
In the digital realm, identity refers to the set of traits that uniquely identify a person, machine, group, or organization. As a B2B company, to manage all these identities for your customers, you must decide:
- What defines it?
- How and how often do we authenticate it?
- What resources does it have access to, and when?
Identities are crucial in cybersecurity because they are the bedrock of how software companies make sure the right people have access to the right resources. For B2B companies, defining and authenticating those identities looks a little different from B2C companies, specifically around who owns the identities and resources.
B2C customers are individual users, sole proprietors of their identity. But B2B SaaS customers are companies, which means their end users are not the sole proprietors of their identity, merely stewards; they are employees, consultants, or contractors – defined members within the enterprise. What different people and devices have access to at any given moment is subject to larger business imperatives, compliance requirements, and changing roles, departments and responsibilities within a company’s (i.e. your customer’s) workforce. In short, the stakes and the complexity are higher.
To help distinguish the unique auth challenges that face B2B companies, we at Stytch have defined B2B as its own category, namely: the authentication of members and their organizations, and all the technical, regulatory, and business challenges and opportunities that go along with that.
B2B auth vs. B2C: why it’s different
While the difference between a member and a user may seem like semantics, it actually has huge implications that make the challenge of authentication for B2B companies distinct from B2C. Even if on the surface some of the auth solutions appear similar, B2B auth is distinct in its…
- Scale and risk: If someone gains access to the credentials of an individual customer, the results can be devastating on a personal level, but are generally limited to the scale of that single person’s account. But if someone gains access to the credentials of an employee, the scale of damage is much bigger. This is why so many of the major cybersecurity incidents over the past few years have involved employee credentials (SolarWinds, T-Mobile, Uber). In the B2B world, a breached identity could affect millions of people.
- Stakeholders: In B2B auth, there are really two levels of stakeholders that are important to keep in mind when choosing or building your solution: stakeholders within the B2B SaaS company, and stakeholders within the customer companies of the B2B SaaS company. To work well, a B2B auth solution should satisfy the requirements of a B2B customer’s IT, compliance, risk, engineering teams, and anyone else who will be using that auth flow. Those requirements exist in conjunction with the requirements B2B decision-makers have for their application, as dictated by roles like CTO, VP of Engineering, Head of Product, etc.
- Provisioning, roles, & controls: According to a recent study, the average business uses upwards of 88 applications, while for large firms the number can climb as high as 200. At the enterprise level, you can imagine 50,000 employees x two devices each x 150 applications…and you get millions of vectors for attack, not to mention a lot of administrative overhead. IT admins have to manage all of these vectors, and all of the rules that determine access. Certain resources are gated by department, others by role, others by seniority or geography, and some by a combination of all these and more. As people join or leave a company, get promoted, or change teams, their access must be kept up to date.
- Priorities: Historically, CIAM and SSO providers have not had to prioritize user experience (do a quick search for product reviews for Auth0 or Okta, and you’ll find a rather vibrant array of responses). This is because the people buying B2B auth solutions are typically not the same as the people who have to use them every day. A typical end user for B2B auth solutions (i.e. your average individual contributor) has very little power over what authentication solution their company uses. As a result, their UX comes after a long list of other priorities for providers. Fortunately, with newer auth providers in the space this is starting to change.
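To make the "provisioning, roles, & controls" point concrete, here is an added example (not Stytch's code, and not any specific product's API) of an organization-scoped access model: members belong to exactly one tenant, every resource is gated by a rule over the member's attributes (department, role, region, tenure), and a role change or offboarding takes effect on the next check because the decision always consults the current member record rather than a copied entitlement. The `Organization`, `Member` and `POLICIES` names, the resources, and the sample members are all constructed for illustration.

```python
"""Added example: organization-scoped, deny-by-default access checks.

Hypothetical model for illustration only; nothing here is a real
vendor API.  Resource names, rules and members are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict


@dataclass
class Member:
    """An employee or contractor identity, always scoped to one organization."""
    email: str
    org_id: str
    department: str
    role: str
    region: str
    hire_date: date
    active: bool = True


@dataclass
class Organization:
    """A B2B customer (tenant) and the members it administers."""
    org_id: str
    members: Dict[str, Member] = field(default_factory=dict)

    def provision(self, member: Member) -> None:
        # A member record can never be attached to another tenant.
        if member.org_id != self.org_id:
            raise ValueError("member belongs to a different organization")
        self.members[member.email] = member

    def change_role(self, email: str, department: str, role: str) -> None:
        # Promotions and team moves update the single source of truth.
        m = self.members[email]
        m.department, m.role = department, role

    def deprovision(self, email: str) -> None:
        # Offboarding keeps the record for audit but disables access.
        self.members[email].active = False


def tenure_days(member: Member, today: date) -> int:
    return (today - member.hire_date).days


# Each rule decides whether a member may use one resource.
Rule = Callable[[Member, date], bool]
POLICIES: Dict[str, Rule] = {
    # gated by department AND role
    "payroll-export": lambda m, _: m.department == "finance"
    and m.role in {"admin", "manager"},
    # gated by geography
    "eu-customer-data": lambda m, _: m.region == "EU",
    # gated by department AND seniority (90 days of tenure)
    "prod-deploy": lambda m, today: m.department == "engineering"
    and tenure_days(m, today) >= 90,
}


def can_access(org: Organization, email: str, resource: str, today: date) -> bool:
    """Deny by default: unknown members, inactive members and unknown
    resources all fail closed."""
    member = org.members.get(email)
    if member is None or not member.active:
        return False
    rule = POLICIES.get(resource)
    if rule is None:
        return False
    return rule(member, today)


def demo() -> Dict[str, bool]:
    """Walk a member lifecycle (constructed data) and record each decision."""
    acme = Organization("org-acme")
    acme.provision(Member("ana@acme.example", "org-acme", "finance", "manager",
                          "EU", date(2022, 1, 10)))
    acme.provision(Member("bo@acme.example", "org-acme", "engineering",
                          "engineer", "US", date(2024, 5, 1)))
    today = date(2024, 6, 1)
    results = {
        "ana_payroll": can_access(acme, "ana@acme.example", "payroll-export", today),
        "ana_eu_data": can_access(acme, "ana@acme.example", "eu-customer-data", today),
        # Bo has 31 days of tenure: too new to deploy.
        "bo_deploy_new_hire": can_access(acme, "bo@acme.example", "prod-deploy", today),
        # Same check three months later (123 days of tenure).
        "bo_deploy_later": can_access(acme, "bo@acme.example", "prod-deploy",
                                      date(2024, 9, 1)),
        "unknown_resource": can_access(acme, "ana@acme.example", "vault-root", today),
        "stranger": can_access(acme, "x@other.example", "eu-customer-data", today),
    }
    # Ana moves to marketing: the payroll rule stops matching immediately.
    acme.change_role("ana@acme.example", "marketing", "manager")
    results["ana_payroll_after_move"] = can_access(
        acme, "ana@acme.example", "payroll-export", today)
    # Bo leaves the company: every check now fails closed.
    acme.deprovision("bo@acme.example")
    results["bo_deploy_after_offboard"] = can_access(
        acme, "bo@acme.example", "prod-deploy", date(2024, 9, 1))
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```

The point to take from this is structural rather than the rules themselves: access is computed from the organization's current member record at request time and denies by default, so the administrative events the bullet lists (joining, leaving, promotion, team changes) become single updates to that record instead of per-application cleanup. Directory-sync protocols such as SCIM, mentioned at the top of this lesson, exist precisely to push those updates from the customer's IdP into each SaaS application.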
Challenges & opportunities: B2B auth today
In recent years, B2B auth has become even more critical to the overall success of B2B SaaS companies, due to five broader trends in the technology market. Rather than thinking of these sequentially, it’s more accurate to think of them as parallel transformations that have mutually accelerated each other:
- Cloud migration: Moving away from on-premises solutions and towards cloud-based solutions like AWS or Azure has accentuated the need for more sophisticated IAM. Employees need to be able to access their resources from anywhere, and on any device, all while keeping everyone else out.
- SaaS economy: The increasing adoption of cloud computing has come with the rise of Software as a Service (SaaS) and API-driven services, exploding the number of providers in the B2B space. As the number of services or apps a company’s workforce uses balloons, so does the number of potential attack vectors for fraud and account takeovers.
- Dispersed workforce: Long gone are the days of ID badges and on-prem computers. The COVID-19 pandemic accelerated a widespread workplace transformation. While some companies have required workers to return to the office, the overall shift feels decisive: workers increasingly have the choice to work wherever and whenever they choose. This kind of flexibility puts additional onus on IAM systems to be able to protect those identities and company resources wherever and whenever employees need them.
- Regulation ramp-up: With the migration to the cloud and proliferation of services has come increased concern and lively debate over privacy, data, and access that’s manifested in a slew of increased regulation. Depending on geography and industry, this can be quite an extensive nexus of requirements, including things like SOC2 (Service Organization Control 2), ISO (International Organization for Standardization) 27001, HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation)…the list goes on. We’ll cover some of these in more detail later in the school, but suffice it to say B2B companies have a lot of regulatory hurdles to clear, and how they handle identity and authentication is a big part of that.
- Fraud & attack vectors: With each of these developments, hackers and bad actors have adapted their approach to take advantage of emerging vulnerabilities in workforce identity. Over 80% of cyberattacks exploit weak or insecure passwords. As employees’ identities are linked with an increasing number of devices and services, the potential risk increases as well (think SolarWinds). If your company works with 100 different apps and services and each of those vendors works with 100 different apps and services, the vulnerabilities multiply without strong, centralized IAM systems in place.
All of these factors have transformed B2B auth from a box that needs to be checked into a key product differentiator. At Stytch, we talk a lot about B2C auth as a growth lever: the easier companies make it for their customers to access their service, the more they can drive conversion. A similar, but perhaps more overlooked, logic holds for B2B companies:
The easier you make it for your customers to manage their employees’ accounts and onboarding to your application, the more likely you are to land upmarket sales and see widespread adoption.
SSO: the beating heart of B2B auth
While B2B auth includes several different technologies and protocols, in Stytch’s conversations with B2B customers no other feature comes up more than SSO. We think there are a few reasons for this:
- Reduced friction: Managing the identity and auth flows for members of multiple organizations involves a near endless number of decisions and variables. SSO helps simplify both by centralizing, bundling, and automating a lot of those decisions into a single service.
- Security and compliance: For many B2B decision-makers, SSO becomes shorthand for meeting a number of security and compliance requirements. You don’t have to understand them in depth to know they’re covered, so checking that box takes a chunk of those concerns off their plate.
- Your customers are asking for it: As B2B companies start to sell upmarket, SSO becomes table stakes. Many B2B customers won’t move forward with a given SaaS product without it. If you’re serious about scale, then you need to get serious about SSO.
This last driver is the main reason we want to start with SSO: because it’s important to you, our B2B customers. It’s a complex space, and involves a lot of different decisions, so it’s worth taking the time to unpack it piece by piece, so you feel empowered when it comes to choosing your B2B auth solution.
For the next several articles, we’re going to go deep on SSO: its protocols, stakeholders, benefits, risks, footguns, and even fun features.
Next up: organization tenancy!