Discussion
I swear I lose about a day per month to terrible auth flows that derail my thought process and send me someplace besides what I was trying to log into in the first place.
I know my brain is medium to extra spicy, but I can't be the only one with this struggle.
@mttaggart And can we please also spare a special place in hell for the banks, each if which insists on doing their own form of 2FA theatre?
@mttaggart when I was an automation engineer supporting the enterprise (not just security) I calculated fully-loaded FTE hours of lost time for non-SSO applications and other clunky auth.
An every day app per 1000 users is easily $10-12k in savings.
@mttaggart Also, I sometimes have to refresh internal sites a couple times before they actually load.
@mttaggart its real and unbelievably frustrating. The whole SSO thing is a bullshit timewasting industry. I get the convenience of revoking Okta and Google and Slack access in one fell swoop, but I’ve never seen it done right anywhere. Self hosted LDAP or Kerberos comes close.
@mttaggart you are not, and I add completely misaligned GDPR-aiming privacy dialogues one has to fiddle through nowadays.
@mttaggart "Single sign on" is a huge lie, I have to log in multiple times, everything takes an extra 10-30 seconds redirecting back and forth to a browser tab, and I have to jump around between a lot of apps and cloud accounts. I hate it.
@unlofl There will be someone in this thread that comments how, if this is the experience, we're "doing SSO wrong." Okay but I've never seen it done right.
@mttaggart @unlofl we're in an interesting spot: Most of our applications do it well - 0 to 1 click, no need to enter anything (Okta & AD backed stuff, some Entra stuff) - I am incredibly grateful to our SSO team for how easy they make it to onboard applications to that, they are hands down one of the biggest security enablers in the company.
And then you get into the cornercases & this is where stuff gets truly painful, in parts due to the well implemented SSO. As an example, the workflow to log into our SIEM: A decision was made to not use our standard business users but low-tier admin accounts, but still from the business client for analyst accounts. This means it's easiest to start a private window, log into Okta (cancelling the login as your business user which it always tries first), then visit the SIEM portal SSO login endpoint, enter your "email", MFA okta, then you are in. You can't first do the SIEM login to be forwarded to Okta because it fails to properly select the Low-Level Admin identity in Okta, so it just fails. And then you get logged out after, idk, 30 minutes of inactivity??
And this isn't the only such application, the moment you do anything complicated SSO makes things so much harder 
@mttaggart I wouldn't argue against the position that "every IT department screws everything up" but this still feels a lot worse than average
@mttaggart @unlofl and apps that only support sp initiatted, like if im authed in the apps page WHY DO I HAVE TO PUT IN MY EMAIL!?!?
Install bonfire.cafe
Get the full app experience
