appsmithorg / appsmith

Platform to build admin panels, internal tools, and dashboards. Integrates with 25+ databases and any API.
https://www.appsmith.com
Apache License 2.0
34.01k stars 3.67k forks

[Epic] SAML/SSO #2840

Closed mxkxf closed 2 years ago

mxkxf commented 3 years ago

Summary

Allow users to be provisioned using customer SAML providers via an SSO service.

Motivation

It's great that AppSmith offers Google OAuth login; however, if you do not use Google to authenticate with, then this adds another layer of user administration which is difficult to keep in sync at enterprise scale; as an IT admin I want to sign in with services I already use.

It would be great if in AppSmith's configuration you could integrate with custom SAML IDP providers.

Test plan: https://docs.google.com/spreadsheets/d/1kZjf3oZKPP0ILf0c_Rw-5KvPUykCkzExBYSVYNBxZ2g/edit?usp=sharing

Design files: https://www.figma.com/file/68AfRvev6NkcPFFUamsAq3/SSO%2FSAML?node-id=265%3A1791

wlatic commented 2 years ago

It'd be far better having the easier Gmail, Office, etc. connectors in the enterprise and having SAML, which requires far more configuration on the user end, as part of open source. All SAML would need is the endpoints.

dncpax commented 2 years ago

I'm not new to open source projects, having been involved in an os association. To be fair, Appsmith did say from early on this was planned as a paid feature. If you search Discord I'm sure you'll find this.

We may disagree, we may argue otherwise, we may try to show arguments in favor of including some feature in the self hosted version, but it's for the team to make this project sustainable - which is crucial for all of us users too. It's not written in stone what will be monetized...

In this road to meet both ends, open and sustainable, we've seen many projects sacrifice too much on the open side of things. We hope it does not happen to the projects we invest in as users, especially early on. But it certainly hasn't happened to Appsmith. If anything, I've seen the team revert paid features to free (git-sync limits come to mind, it was 4 repos, and it's now 4 per org).

Just my 2 cents.

PS - I'm also interested in this feature, and would love it to be included in the self hosted version, but am otherwise hoping for affordable pricing...

Nikhil-Nandagopal commented 2 years ago

@mikefrancis that's a really great point! We have been transparent about our plans like we did in this comment but I can see how it got buried under the flurry of information and we should strive to more proactively communicate this instead of having users ask us about our plans. Thank you for the feedback! We're going to work on being more upfront on what features we plan on monetizing.

Nikhil-Nandagopal commented 2 years ago

@wlatic our entire belief in appsmith has been that an individual developer or small team should be easily able to build their first application without any barriers and that is why we don't have any integrations that are useful for app building behind a paywall. We believe any developer out there might have a need for a Gmail connector and we should help them with that.

In regards to SAML, while the configuration is higher, we felt that it was not essential to the app-building process or even necessary for most small teams. It generally becomes a necessity once you're convinced that Appsmith can work really well for your use case and now you really need better security for wider adoption. We believe that is something organizations are willing to pay for because our community edition has convinced them that it does exactly what it promises.

codedmind commented 2 years ago

I already gave my opinion some time ago; I'm with @mikefrancis on this. From the beginning it wasn't very clear whether this would be enterprise-only or not; or rather, for me at least, I only understood that it would be an enterprise feature some time after we started talking about SSO. The issue is from Feb and the comment is from Oct... for those of us who have been here almost two years, the perception is different.

Nikhil-Nandagopal commented 2 years ago

@dncpax we already have this feature available and are piloting it with users! Please block some time with us to talk about the pricing, we're working on making it super affordable and scalable :)

Nikhil-Nandagopal commented 2 years ago

@codedmind thanks for the feedback! We'll work on communicating more about our plans upfront

hiteshjoshi commented 2 years ago

Closing this. SAML phase 1 is completed and available for enterprise. Please get in touch if you would like to test it out.

thomas10-10 commented 2 years ago

For information, Budibase self-hosted supports custom SSO.

Nikhil-Nandagopal commented 2 years ago

@thomas10-10 we have custom SSO support in our self hosted business edition and Google SSO support in our self hosted community edition.

thomas10-10 commented 2 years ago

I specify: custom SSO in the free self-hosted community.

Nikhil-Nandagopal commented 2 years ago

@thomas10-10 I'm not sure what their thought process is but we've generally seen that smaller teams don't need custom SSO and larger teams are more than happy to pay for this feature. In fact, our pricing is very reasonable for all team sizes so if you're interested in the feature, we'd love to talk to you about it.

SamirSaidani commented 2 years ago

> @thomas10-10 we have custom SSO support in our self hosted business edition and Google SSO support in our self hosted community edition.

It would be more consistent to have a community-supported SSO protocol in your self-hosted community edition, like LDAP, instead of Google. Usually, open-source-oriented people tend to use open-source-based protocols.

thomas10-10 commented 2 years ago

It's exactly for this reason that Budibase attracts me more: their self-hosted version is really open source, and you feel more like contributing to this kind of solution.

thomas10-10 commented 2 years ago

I saw that you refused a merge because it was competing with your paid version (https://github.com/appsmithorg/appsmith/pull/8443). It might be interesting to derive Appsmith and merge those pull requests.

mohanarpit commented 2 years ago

@thomas10-10 @SamirSaidani Thanks for your inputs. I understand your POV. In this case, we need to ensure that the Appsmith project is sustainable. This means we need to charge for certain features. Making open source projects sustainable ensures that we can continue to build an incredible platform for everybody to build apps really quickly.

@thomas10-10 We believe in doing the right thing at all times. This is why we didn't accept a contributor PR since we wanted to charge for it. We don't believe in charging for any feature that the community contributes towards.

I hope this makes sense.

DaSchTour commented 2 years ago

> @thomas10-10 I'm not sure what their thought process is but we've generally seen that smaller teams don't need custom SSO and larger teams are more than happy to pay for this feature. In fact, our pricing is very reasonable for all team sizes so if you're interested in the feature, we'd love to talk to you about it.

Well. Nice assumption. But in fact, after I saw that we would have to pay for SSO, we chose a different solution and now I wouldn't even consider using Appsmith anymore. It's a bit sad. I waited for that feature so long.

Maybe I also understand the reason behind using SSO differently. But for me that has nothing to do with team size but with infrastructure. We use Keycloak for our application and we have a lot of microservices that use Keycloak OAuth. So I would like to be able to use these APIs with the token I get from my Keycloak login.

pharindoko commented 1 year ago

> @thomas10-10 I'm not sure what their thought process is but we've generally seen that smaller teams don't need custom SSO and larger teams are more than happy to pay for this feature. In fact, our pricing is very reasonable for all team sizes so if you're interested in the feature, we'd love to talk to you about it.

LOL - you never worked in an enterprise I assume ...

@DaSchTour: Which solution have you used instead?

serega404 commented 1 year ago

I was looking for a solution for my student creative project. I use Keycloak in order to relieve myself of the responsibility for authorization and spend time implementing more functions of my project. Unfortunately, I had to abandon Appsmith, since I can't use Keycloak, which most of my API works with.