What I did:
1. Enable SAML integration through Google Workspace
2. Log in with SAML
3. Get a message that my users are not connected
4. Go to Account Administration and Link my user-password to my SAML provider for my org
5. Log in with SAML successfully
6. Tried to log in with password - worked
a. I thought this was due to the fact that you allow Admins only to have an alternative manner of logging in, but usually it is more explicit
b. In Datadog they don’t safeguard you - so I had to manually select to allow password authentication on myself
c. On GitHub they give you login codes for disaster recovery
d. So I was still optimistic
7. Then I added other users to SAML, and they went through a similar process
8. And they were still able to log in using GitHub or password
9. I said okay, maybe you also verify somehow with the SAML provider - far-fetched, but I was optimistic
10. I moved some of the users out of the Engineering OU
11. And still they were able to log in, even without being in the correct SAML OU
From a customer experience perspective, implementing SAML and marketing this as an Enterprise Plan, but not implementing the basic feature that is the reason people are interested in SAML in the first place, is VERY misleading - we could have used GitHub SSO before that, so we actually got nothing from the current SAML feature
My team is pretty small, so we were fine with Team edition, but we moved to Enterprise just for the SAML SSO feature since we are under high security scrutiny (Working on our SOC2 in our first year since founding) - so not “too glad”
However taking things into perspective, I’m sure that you will implement the correct SSO/SAML security guarantees in the near future (I hope - that issue is open for more than a year and only +2 on the votes!) - however I’m not too keen on paying for something with not much value.
The impact on my business is that if someone in my Org sets up “email-password” authentication, they will be able to log in even after leaving the company if we don’t pay attention to the Pulumi roles of our engineering teams.
Thanks,
Sam