Edit: To be clear, I am hoping that other Auth0 users have some experience / use cases here. Have you put Auth0 between a SaaS app (that supports SAML / OIDC / AD / etc.) and your enterprise directory, and if so, any specific reason you did so? To date I’ve gone the other way: if a SaaS app supports AD or G Suite login directly, I’ve done that, figuring there was “no point putting extra plumbing in the way”.
A bit of thinking out loud here:
Model: Organization that
uses an Enterprise IAM service, like AD,
uses 3rd party SaaS apps that support login solutions including AD, Auth0 / OIDC in general, SAML in general, etc.
I’m trying to figure out use cases where I would want to put Auth0 in between the SaaS app and, say, AD, rather than having the SaaS go straight to AD. We use Auth0 for all our customer-facing apps because it makes adding authn & authz easy for our dev teams, which is great, but why would I add a middle… person, when the SaaS supports SAML / OIDC / AD directly?
I have vague notions of being able to use Rules for Wizardry but nothing concrete at the moment.
I was hoping we would get some organic discussion on this from the community, but it looks like this is getting buried. I can ask some of our field team to chime in if you think their perspective may be of value.
Here we go. A couple of responses from our solutions team, not a full discussion, but some ideas as to why some customers use Auth0 in between a service like AD and a SaaS app that supports that IAM service.
Any time you want some business logic in between the two (like re-MFA-ing the user, for example)
^This sounds similar to what you had mentioned with rules wizardry.
A straightforward one is to allow your employees to log into an app that customers log into, as an admin or even as a user. To avoid making the app login more complex, you can centralize that capability in Auth0.
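The "business logic in between" idea above is easiest to see as an Auth0 Rule. The following is an added example written for this thread, not code from Auth0 or from any poster; it assumes a hypothetical enterprise connection named `corp-ad`, a hypothetical SaaS client ID `saas-client-id`, and that the AD/LDAP connector has populated `user.groups` with the user's directory group names. It re-prompts for MFA on every login to that app and maps AD groups to app roles carried in a namespaced ID-token claim, which is exactly the kind of policy a SaaS app talking straight to AD could not enforce. (Auth0 has since superseded Rules with Actions, but the `user`/`context`/`callback` shape shown here is the Rules one the thread refers to.)

```javascript
// Added example, not from the original thread. Assumed (hypothetical) names:
// enterprise connection "corp-ad", SaaS client ID "saas-client-id",
// and user.groups populated by the AD/LDAP connector.

const ENTERPRISE_CONNECTIONS = new Set(['corp-ad']);   // assumed connection name
const STEP_UP_CLIENTS = new Set(['saas-client-id']);   // assumed client ID of the SaaS app
const ROLE_CLAIM = 'https://example.com/roles';        // custom claims must be namespaced
const ROLES_BY_GROUP = { 'SaaS-Admins': 'admin', 'SaaS-Users': 'user' }; // assumed groups

// In the dashboard a Rule is an anonymous function(user, context, callback);
// it is named here only so it can be invoked directly below.
function enforceEnterpriseMfa(user, context, callback) {
  // 1. Only act on logins that came through the enterprise directory;
  //    social or database logins pass through untouched.
  if (!ENTERPRISE_CONNECTIONS.has(context.connection)) {
    return callback(null, user, context);
  }

  // 2. Map directory groups to application roles and expose them as a
  //    namespaced claim rather than leaking raw group names to the SaaS.
  const groups = Array.isArray(user.groups) ? user.groups : [];
  const roles = groups.map((g) => ROLES_BY_GROUP[g]).filter(Boolean);
  context.idToken = context.idToken || {};
  context.idToken[ROLE_CLAIM] = roles;

  // 3. Refuse the sensitive app to employees with no mapped role, instead of
  //    handing the SaaS an authenticated account with no entitlements.
  //    (In the real Rules sandbox you would use the provided UnauthorizedError.)
  if (STEP_UP_CLIENTS.has(context.clientID) && roles.length === 0) {
    return callback(new Error('No role assigned for this application'), user, context);
  }

  // 4. Force a fresh MFA challenge on every login to the sensitive app,
  //    independent of whether the SaaS itself supports MFA.
  if (STEP_UP_CLIENTS.has(context.clientID)) {
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }

  return callback(null, user, context);
}

// Offline stand-in for the Rules runtime: runs the rule on constructed
// inputs and returns what the callback received.
function simulate(user, context) {
  let result;
  enforceEnterpriseMfa(user, context, (err, u, ctx) => {
    result = { err, user: u, context: ctx };
  });
  return result;
}

// Constructed sample login: an AD user in the admins group opening the SaaS app.
const demo = simulate(
  { email: 'alice@example.com', groups: ['SaaS-Admins'] },
  { connection: 'corp-ad', clientID: 'saas-client-id' }
);
console.log(JSON.stringify({ error: demo.err && demo.err.message, context: demo.context }));
```

The connection check in step 1 matters: without it the same rule would also force MFA and role mapping onto customers coming in through social or database connections, which is the opposite of the "employees log into the customer app" use case above.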
This is largely what I was thinking, and in part what we are doing. We have G Suite hooked up so authorized employees can log in to our Auth0-protected customer-facing webapps. We haven’t done this yet, but we would likely also use Auth0 for custom-built employee-only webapps, like an internal portal, where the portal platform did not support AD / G Suite directly.
Thanks Dan! Always good to have your priors validated (or refuted!)