Self-serve SSO

Problem

To be considered an enterprise-grade product or service, some security and compliance features such as SSO are considered table stakes. While Cockroach Labs did implement a version of SSO in early 2022, the team had to delay the implementation of the interface that would’ve made the feature self-serve to our enterprise customers.

Although the functionality existed, the lack of a self-serve path was hurting Cockroach Labs during product evaluations. When I joined the team in the second half of 2022, making SSO self-serve became my first project.

Solution

We delivered several new UIs that enabled enterprise customers to enable SSO for their organization and establish verified and secure authentication methods with the customer’s identity provider tooling.

SSO setup page

With a new page in our UI to enable SSO for an organization, customers no longer had to set up a separate call with their account management team and members of the identity team to set up SSO for their CockroachDB organization.

BYO identity tooling

Customers bring their preferred identity management tooling, so long as that tooling supports the SAML2.0 or OIDC protocol. With this support, we were able to cover 95% of enterprise customers.

Impact

35+ enterprise customers enabled SSO

More than 35 enterprise customers set up SSO, demonstrating a long-term commitment to and trust in CockroachDB.

1.5+ hours saved per customer

Making SSO self-serve through our web app saved account management teams 1.5+ hours per customer that would otherwise have been spent on a video call setting up SSO.

Approach & Insights

While CockroachDB as a database was secure-by-design, the administrative console used to manage CockroachDB clusters fell behind from a maturity standpoint. Our directive was to make CockroachDB feel like a product that could meet the compliance and security needs of all enterprise customers.

(Appearance of) compliance and security matters

It's a no-brainer that enterprise customers have enterprise compliance and security needs. But appearance matters too. More specifically, the absence of in-product interfaces showing that single sign-on was available or enabled gave customers less reason to believe that CockroachDB was actually a secure and mature product.

Myriad tooling and protocols

Customers had shared that their login methods were typically built on top of the SAML2.0 or OpenID Connect (OIDC) protocols. Our solution, in whatever form, would have to support setting up login methods for either protocol.

Appetite

Major identity management tools had marketplaces where services like CockroachDB could build integrations for SSO. However, given our customers' wide range of tooling and preferred protocols, building an integration per identity provider and creating all the collateral required to list each integration would have required a significant investment.

Defining experience gaps

In 2022, a growing interest in CockroachDB from enterprise customers led Cockroach Labs to begin investing in our security and compliance features. Part of this effort involved integrating with a 3rd party service to provide single sign-on capabilities. Though the initial project enabled customers to use their preferred identity management tool for authentication, more urgent priorities meant that no user interface was built to make SSO setup self-serve for customers.

Customers and our account management team would try to set up SSO asynchronously over chat messages or emails, but inevitably they would hop on a video conferencing call to try to sort things out quickly.

These ad-hoc calls, starting from a point of frustration, were disruptive episodes for customers, our account management colleagues, and Cockroach Labs developers. Setting up SSO was a huge experience gap.

Setting up a login method

Though setting up authentication with SAML2.0 and OIDC differed in what data was required, the high-level process was similar. After enabling SSO for their CockroachDB account, customers would need to pass Cockroach-generated authentication data to their identity management tooling. The identity management tool would then use that data to generate a set of metadata to provide back to Cockroach to establish the connection.

Because this exchange had been happening over video conferencing, the first step was making it concrete through in-product interfaces.

Prototype heuristic evaluation

The initial interface prototype, which was created during implementation of CockroachDB's SSO provider in early 2022, used a 6-step wizard to set up a login method. While a wizard has its strengths in guiding users through a process in a very directed manner, I noticed there was no signifier of whether a user's progress would be saved or cached if the user exited the setup process.

Discussing this with my frontend colleague, they acknowledged that saving progress had not been scoped and that adding such functionality would be a feature request. If a user exited the login method setup process, they would need to start over from the beginning.

While this wasn't a dealbreaker, I realized that it also meant that if a user exited the login method setup process, they'd potentially lose access to the data generated by Cockroach that they needed to provide to their identity management tool. Moreover, if a user exited at the step where they were providing the authentication data from their identity management tool to CockroachDB, the lack of saved progress meant that all of that effort would be wasted.

Segmenting the user flow

Recognizing that our project timeline was tight, I revisited the user flow of setting up an authentication method in search of an alternative that didn't require us to build save-progress functionality.

The steps that caught my eye were the first two. Although the whole process was presented as a single flow, I realized that it could be broken down into several distinct phases. The first two steps could be grouped as "creating" the method, whereas steps three and four were more like "configuration". The last two steps were essentially "verification".

Working things out with my engineering colleagues, I validated that for CockroachDB to generate the authentication data to pass to a customer's identity management tool, the key user decision we had to capture was whether the method should use SAML2.0 or OIDC. In the wizard, that meant our SSO provider would generate the necessary data once the user clicked 'Next' in step two.

Following that step, the login method from the perspective of CockroachDB was 'created' and was waiting to be configured.
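The three phases described above (create, configure, verify) are easiest to reason about when each one is persisted as soon as it completes, which is what removes the need for a separate save-progress feature. The following is an added example, not Cockroach Labs code, that models this lifecycle for a login method. The service-provider data generated at creation (a SAML entity ID and ACS URL, or an OIDC redirect URI), the two SAML fields and three OIDC fields the customer pastes back, the base URL, and the verification step (modeled as the result of a test login) are all assumptions, since the page does not spell them out. It also shows the input validation a practitioner would want on the identity-provider data before it is stored: https-only endpoints, an OIDC issuer with no query or fragment, and a structurally valid PEM certificate.

```python
"""Added example (not Cockroach Labs code): the create / configure / verify
lifecycle for an SSO login method. Each phase is persisted on the method
object as soon as it completes, so leaving the UI mid-way loses nothing.

Assumed, since the page does not specify them: the SP data generated at
creation, the IdP fields required per protocol, the base URL, and the
verification step (a test-login result passed in as a flag)."""
import base64
import binascii
import secrets
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlparse

BASE_URL = "https://sso.example.invalid"  # hypothetical SP base URL


class Protocol(Enum):
    SAML = "saml2.0"
    OIDC = "oidc"


class State(Enum):
    CREATED = "created"        # SP data generated, waiting for IdP data
    CONFIGURED = "configured"  # IdP data validated and stored
    VERIFIED = "verified"      # a test login against the IdP succeeded


@dataclass
class LoginMethod:
    name: str
    protocol: Protocol
    method_id: str
    sp_data: dict                      # shown to the customer for their IdP
    idp_data: dict = field(default_factory=dict)
    state: State = State.CREATED


def create_method(name: str, protocol: Protocol) -> LoginMethod:
    """Phase 1: the only decision is the protocol; SP data is derived from a
    random method ID and stored on the method so it can be re-read later."""
    if not name.strip():
        raise ValueError("method needs a name so it can be identified later")
    method_id = secrets.token_hex(8)
    if protocol is Protocol.SAML:
        sp_data = {
            "entity_id": f"{BASE_URL}/saml/{method_id}",
            "acs_url": f"{BASE_URL}/saml/{method_id}/acs",
        }
    else:
        sp_data = {"redirect_uri": f"{BASE_URL}/oidc/{method_id}/callback"}
    return LoginMethod(name=name, protocol=protocol, method_id=method_id, sp_data=sp_data)


def _https_url(value: str, allow_query: bool = True) -> bool:
    """Endpoints must be absolute https URLs with no fragment; an OIDC issuer
    additionally may not carry a query string (OIDC Discovery rule)."""
    u = urlparse(value)
    if u.scheme != "https" or not u.netloc or u.fragment:
        return False
    return allow_query or not u.query


def _pem_certificate(value: str) -> bool:
    """Structural check of a PEM block: header/footer, valid base64 and a DER
    SEQUENCE tag. A full X.509 parse belongs here in production."""
    lines = [ln.strip() for ln in value.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return False
    return der[:1] == b"\x30"


def _non_empty(value: str) -> bool:
    return bool(value and value.strip())


# Field name -> validator per protocol (assumed field sets: 2 for SAML, 3 for OIDC).
REQUIRED_FIELDS = {
    Protocol.SAML: {"idp_sso_url": _https_url, "idp_signing_cert": _pem_certificate},
    Protocol.OIDC: {
        "issuer": lambda v: _https_url(v, allow_query=False),
        "client_id": _non_empty,
        "client_secret": _non_empty,
    },
}


def configure_method(method: LoginMethod, idp_data: dict) -> list:
    """Phase 2: validate and store IdP data. Returns the list of problems;
    the method moves to CONFIGURED only when that list is empty."""
    required = REQUIRED_FIELDS[method.protocol]
    problems = []
    for name, check in required.items():
        value = idp_data.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif not check(value):
            problems.append(f"invalid {name}")
    if not problems:
        method.idp_data = {k: idp_data[k] for k in required}
        method.state = State.CONFIGURED
    return problems


def mark_verified(method: LoginMethod, test_login_ok: bool) -> State:
    """Phase 3: only a configured method can be verified, and only after a
    test login against the stored IdP data succeeded."""
    if method.state is State.CONFIGURED and test_login_ok:
        method.state = State.VERIFIED
    return method.state
```

The point of the state enum is that a customer who closes the tab after phase 1 comes back to a method that still holds the SP data they need to paste into their identity provider, and a half-filled phase 2 never overwrites a good configuration because nothing is stored until every field validates.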

Developing the method detail view

Once the method was created, the next step was for the user to provide data from CockroachDB to their identity management tooling. As it was unavoidable that customers would need to have two windows or tabs open to paste the information from Cockroach to the identity tool and vice versa, I looked for analogs with my engineering partners.

Looking at our SSO providers' UIs, what we noticed was that they used full-page layouts that took advantage of the vertical space of a browser window. Though our customers wouldn't have to provide many pieces of data back to Cockroach to configure a method (only 2 for SAML and 3 for OIDC), those pieces of information took up a lot of vertical space when rendered.

Using this example as a base, I began working through both experience and interface updates to the original prototype.

Experience wise, we condensed the original 6 step wizard into a simpler modal that asked the user to name their method (so that it could be easily identified) and the protocol this method should use.

Once the user clicked confirm, they'd be brought to a detail view for that method, on which they could access the CockroachDB-generated authentication data required to register CockroachDB in their identity management tooling. Using affordances like tooltips and a layout that emphasized the order of the remaining configuration steps, we managed to guide the user much as the original prototype had.

Layout testing

Testing this version of SAML SSO with both customers and our account management partners, we found for the most part that the layout and affordances we had incorporated were enough to guide them through the configuration and verification steps of the process.

Nonetheless, we did receive feedback. Some users were puzzled that the controls to access the CockroachDB-generated authentication details were so far down the page, even though this data was what they needed first to register CockroachDB with their identity provider.

And while our user testing participants appreciated the affordances, some mentioned that although the tooltips and page layout gave clues about how to configure and verify the method, being more explicit in the interface would be clearer.

Some participants suggested adding a product walkthrough, or going even further in the direction of a wizard by having parts of the method detail page collapse once the user completed that configuration step.

And of course, many participants suggested that we should also look at deeper integrations with popular identity management tools. The UIs we delivered were helpful in confirming that SSO was properly set up, but users would much rather do all of their setup from their identity management tool than go back and forth between two separate interfaces.

This feedback proved invaluable, as it showed our team that there were multiple, distinct paths we could take to improve this experience for enterprise customers that we'd be serving in the future.

Delivery

By the middle of 2022, the self-serve SSO interfaces were delivered to production. Through the end of the year, my product and engineering colleagues and I joined any customer call where SSO was brought up, whether pre- or post-sales, to collect qualitative feedback on which path was best for improving our SSO experience further.

With some exceptions, most customers invested enough in CockroachDB to pursue SSO were able to complete setup in 15 minutes, giving our account management team more than 1.5 hours back per customer they supported. Over the course of about 6 months, we had over 35 enterprise customers set up SSO, up from a total of 6 customers before these interfaces were available.