We explain how to build a SaaS solution that delivers clear value to businesses and find benchmarks for improving it.
The number of companies developing SaaS products is constantly growing. Businesses that use SaaS to process critical data are also growing. Both categories of companies are among our customers. Thus, we know the needs of both developers and customers of SaaS solutions. However, the former do not always understand what needs to be done to make their service meet the demands of a large customer.
This text is intended for SaaS developers — those who have created an application that brings clear value to the business and want their service to be suitable for medium and large companies. After reading it, you will be able to assess how ready your product is for implementation in large businesses and see guidelines for improving it. A handy guide awaits you below.
Why is this important?
In large companies, IT and information security managers tend to pay close attention to the processes of granting access to corporate resources. Different employees and teams are only granted the access they need to do their jobs. At the same time, those responsible for access to valuable corporate data are guided by the “principle of least privilege.”
To do this, large companies use software that automates the processes of:
- issuing identifiers,
- granting access rights,
- suspension of access rights,
- revocation of access rights if an employee resigns or no longer needs access to certain data.
Your SaaS application must be integrated into these processes.
Therefore, in order to be ready for use in large companies, your service must offer role-based access management. A role is a set of access rights that a particular user receives.
An example of role distribution.
What features should your SaaS solution have?
- Services for registering and managing account settings.
- The ability to edit and create your own new roles and grant appropriate rights.
- Integration with software used in the company for access management and identification.
How to solve the problem
Centralized access management is achieved using specialized software—IAM, or Identity Manager. Your application must support the appropriate API for integration with your customers’ IAM systems. Examples of such systems:
- Active Directory Federal Service,
- Workspace ONE Access (formerly VMware Identity Manager),
- Google Workspace, etc.
To implement a role-based model, you will need to adapt the application and interface to a role-based access matrix. This means that each of your customer’s employees must have access to the functions and information they need to do their job. The interface may vary slightly for each role, adapting to their tasks and access rights.
For example, an accountant interested in accessing invoices will have access to payment documents, but not to application settings. A manager viewing high-level reports will have greater access to confidential data than an ordinary employee. An IT administrator, in turn, will have unique account management rights. A manager may not have such rights.
Adding role-based access control is not an easy task, especially for advanced SaaS applications with a large number of features. Therefore, this functionality is often included in paid subscriptions for corporate clients.
How to solve the problem
With SSO, after preliminary settings on the part of the SaaS application and the customer’s infrastructure, the user begins to use a single corporate account. At the same time, they do not transfer their credentials and passwords to the provider of each SaaS application used in the company.
In simple terms, this is how it works: a company employee accesses a SaaS application, and instead of displaying the login screen, it sends an identification request to the IdP (identity provider) used by the company. In this case, our SaaS application acts as a service provider, establishing a connection with the customer’s corporate network authentication provider (LDAP, Active Directory). The IdP role can be performed by an application running on the company’s servers or by another SaaS application.
The most popular open source application that will help you implement SSO is Keycloak. It is an identity and access management application with multiple integrations and support for standard SAML and OpenID protocols.
What features should your SaaS solution have?
- Support for standard OpenID Connect, OAuth 2.0, and SAML protocols.
- Ability to synchronize corporate user data. In this case, the SaaS application’s personal account displays not only the employee’s full name, but also their position and department.
- Support for multi-factor authentication for secure user authentication.