The CoachAccountable Blog

Master CoachAccountable and become the best dang coach you can be. Also, news.

CoachAccountable and Single Sign On

As we continue to refine and button up elements of CoachAccountable in service of our enterprise customers, we’re now getting inquiries about our SSO capabilities.  Namely: does CoachAccountable support Single Sign On?

The answer is no, not today.

SSO is understandably desirable among IT teams because it allows them to efficiently and powerfully manage the ins and outs of security provisioning for all of their company employees across a multitude of services.  The convenience for employees to simply sign in once and get access to whatever company accounts they need in order to do their job is undeniable.

Here’s why we don’t support it, including what we have in place to close the gap.

 

On Administrative Convenience

Access in CoachAccountable is highly nuanced with fine-grain user access controls, and that’s even before factoring in coach-client pairing, the mechanism by which to grant a given coach access only to those clients they are working with (or ought to have read-only access).  An SSO scheme of user provisioning isn’t going to give you that sort of control over a landscape that fluctuates as client engagements begin and end.  (Ostensibly perhaps it could using SAML, but that would amount to a lot of work just to reinvent in-app functionality.)

And if members of your team come and go at such a scale in your organization that you require automation around that sort of provisioning, permissions granting, and pairing?  Good news: the openly documented CoachAccountable API allows you to do so for whichever parts you need.

 

On User Convenience

“We want our coaches to be able to seamlessly jump from our systems to CoachAccountable.”

Indeed, no one wants to futz with another login when you’re trying to get your work done.  To support this, what we recommend is for companies to put a link to the CoachAccountable app itself right within their company intranet/app/website/whatever, a big shiny button that says “Jump to CoachAccountable”.

Such a link, coupled with CA’s ability to “Keep me logged in” on a given device that has been legitimately authenticated on, makes the transition seamless.

If someone happens to not be logged in, they’ll be bounced to the login screen, and a login helper is there if they forgot their password (no one needs to nag you or your IT team for a reset).

This idea also works beautifully for home screen app shortcuts that your users can easily install on their devices.  It’s just a shortcut: nothing to find, install, download, upgrade, or trust from any app store.  It’s also branded as your company, with your own name and app icon, and not as CoachAccountable.

All of this balances security with convenience pretty much on par with SSO.  Perhaps “keep me logged in” seems fraught for your tastes, but if you can’t trust your employees to keep their devices secured, you’ve already lost the security game and SSO won’t save you.

 

What about for coaching clients?

We were once told by a prospective enterprise customer that SSO was required, not necessarily so much for their own company, but for the client companies they work for, that THEY demand it for THEIR users.

The problem with that is it conflates the notion of who owns the account.  If Company A uses an Identity Provider (IdP) to manage authentication for their employees, they can do so for access into accounts that Company A owns: Company A’s SalesForce account, Company A’s email domain, Company A’s enterprise license of Office 365.

But when you coach clients in CoachAccountable, they are a guest in your account.  It’s your account: you add them when they’re working with you, and delete or deactivate them when they’re not.   You can’t let some other company’s IdP provision their own people into your CoachAccountable account, nor would you want to.  That’s like letting a customer have the key to your apartment with the understanding that they can let in whomever they like, and, worse yet, it’s not your place to kick them out if you want to kick them out.  If you go with a platform that promises SSO, because they promise SSO, you’ll discover this quickly.

Aren’t you conflating authentication with authorization?

If that’s a meaningful distinction for you in the context of wanting SSO, that means you probably only care about the authentication side of the issue.  And if that’s the case, if your concern is to ensure a great client experience by taking login headaches off the table, know that we’re already your ally in that aim.

Making space in one’s life to be coached is already hard enough, and if THEY get distracted from participating fully because of login issues, we already know that as a platform we’ve failed you.

So we’ve engineered CoachAccountable to thoroughly remove all the friction to their participation as mediated by CA.  Alerts and notifications keep things moving, and replying to emails and texts allows them to participate without even needing to log in.  When they need to log in, like for example to do a Worksheet, they get a magic link that jumps them right on in.

In practice, the need for your clients to manually log themselves in is rare if ever.  We can give your clients a great user experience without SSO.

 

Trustworthy Security and Current Events

Identity Providers that make SSO possible have a tremendous amount of power and responsibility as the arbiters of authentication across so many companies, users, and accounts.  So they themselves have to be trustworthy and properly secured.  If not, every bit of access that they control is compromised.

Given that is their entire reason for being, we’d like to think they’ve got their security game on lockdown, and that a breach of the very infrastructure of trust would not occur.

Last month such a breach of Okta, the self-professed “World’s #1 Identity Platform” as provider of IdP and SSO solutions, was revealed.  The breach began over two months prior to that revelation, and they tried (and failed) to keep it swept under the rug.

So no, using SSO is NOT assuredly net-positive for your company’s security posture, and hints of that awareness coming into the zeitgeist can now be seen.  Stripe, for example, is a payments platform that we know and love to process our payments, and it has this alert on its page about its own (still in beta, invite-only) support for SSO:

Talk about reading the room.

A visit to the most recent snapshot of this page from January suggests this warning was a recent addition. It was probably added in within days of the Okta breach revelation.

The Hacker News discussion about the breach contains a pertinent observation:

And this is why I would ultimately never trust a centralized company with our authentication infrastructure: because something like Okta is an infinitely more attractive target than we are. Their offering is sweet, and I’m always tempted to just give in, but this confirms me in my decision.

Do I feel that SSO is forever unfit for CoachAccountable in light of this?  No.

But for now, I’m content to forego the added complexity for a very narrow sort of win.  Instead, I prefer to channel those efforts into enhancements that actually make coaching better, even if that decision comes at the expense of failing to make select IT staffers happy.

In light of the Okta hack, I feel good of making a decision that ultimately amounts to what’s best for the security of our users, for there simply are no junior engineers at CoachAccountable to make the sort of rookie mistakes that lead to the sort of high-profile hacks that large companies routinely suffer.

Ultimately, a coaching platform is here to add value to the work coaches do and to the experience of those on the receiving end.  SSO is, apropos of anything, a fine thing to have on your list of checkboxes when vetting the fitness of various solutions under consideration.

But, in practice, it might not be that essential for your coaching platform.

 



Comments are closed.