engineering July 11, 2019

Lessons Learned: Adding Single Sign-On to Stack Overflow for Teams

Hi, I’m Roberta Arcoverde, a Principal Software Developer at Stack Overflow. A few months ago I was tasked with figuring out how to enable single sign-on for Stack Overflow for Teams. We felt it was important to add SSO to the private version of Stack Overflow so the admins of our Teams could easily and securely add users to our knowledge management tool. With SSO, admins no longer have to send out individual invites to team members or spend time removing team members who might have left the company. With a centralized source for credentials, Team admins get more time back in their day. 

Now, while this change was aimed at our private product, there was a large challenge that had a big impact on the scope of work. To enable SSO for Teams, we also had to rewrite a large portion of how we authenticate users on our public Stack Overflow site. SSO requires an additional level of security, and as a result, we had to carry out one of the largest updates to the authentication code since Stack Overflow has been around. 

The first problem we had to solve was how to create unique Stack Overflow credentials from requests coming from external identity providers. Additionally, we had to build from scratch a completely new level of security for managing user sessions. SSO sessions are temporary, and Team admins can determine how long they should last. Upon expiring, users are asked to re-authenticate with their SSO credentials to access their Teams. We have no such requirement on the public Stack Overflow, so that entire mechanism had to be built and integrated with the existing code that manages account sessions and credentials.
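The two pieces described above, credential identity derived from an external IdP and a per-Team SSO session that sits on top of the ordinary account session, as an added sketch that is not Stack Overflow's own code. It assumes the external credential is keyed on the IdP's SAML entity ID plus the asserted NameID, and that the admin-configured lifetime is absolute rather than sliding:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def external_credential_key(idp_entity_id: str, name_id: str) -> str:
    """Key for the Stack Overflow credential created from an IdP login.

    Keyed on the IdP's SAML entity ID plus the NameID it asserted, not on the
    e-mail address: the same address may be asserted by two different IdPs,
    and those must not collapse into one account (assumed design, not the
    page's stated one).
    """
    return f"{idp_entity_id}|{name_id}"


@dataclass
class SsoSession:
    team_id: str
    authenticated_at: datetime  # when the IdP assertion was accepted
    max_lifetime: timedelta     # set per Team by its admin (assumed absolute)


def sso_session_state(session: SsoSession, now: datetime) -> str:
    """'active' inside the Team's lifetime, otherwise 'reauth_required'."""
    if now < session.authenticated_at:
        return "reauth_required"  # timestamp in the future: fail closed
    if now - session.authenticated_at >= session.max_lifetime:
        return "reauth_required"
    return "active"


def can_access_team(account_session_valid: bool, sso_sessions: dict,
                    team_id: str, now: datetime) -> bool:
    """The Team check layers on the public-site account session; both must hold."""
    if not account_session_valid:
        return False
    session = sso_sessions.get(team_id)
    return session is not None and sso_session_state(session, now) == "active"


def demo() -> dict:
    """Constructed sample: an 8-hour Team lifetime checked at several instants."""
    t0 = datetime(2019, 7, 11, 9, 0, tzinfo=timezone.utc)
    sessions = {"team-a": SsoSession("team-a", t0, timedelta(hours=8))}
    return {
        "one_hour_in": can_access_team(True, sessions, "team-a", t0 + timedelta(hours=1)),
        "at_expiry": can_access_team(True, sessions, "team-a", t0 + timedelta(hours=8)),
        "no_account_session": can_access_team(False, sessions, "team-a", t0),
        "other_team": can_access_team(True, sessions, "team-b", t0),
        "distinct_idps": external_credential_key("https://okta.example", "alice")
        != external_credential_key("https://azure.example", "alice"),
    }
```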

It took a team of 3 engineers working for 3 months to make it happen, but now that it’s done, it’s been gratifying to see that this is a really desirable feature within Stack Overflow Business and Stack Overflow Enterprise. More than 40% of Stack Overflow Business use SSO and 100% of our Enterprise customers rely on it.  We are now involved in ongoing work to strengthen and improve integrations with various SSO providers, like Okta, and you can read more details of how that will work below. 

Benefits of single sign-on

If you’re not familiar, single sign-on (SSO) has become an industry standard, helping to provide quick and secure access to multiple, yet independent, applications with one set of credentials. 

We prioritized the development of SSO after several notable conversations with our customers, and added this must-have feature for the premium tiers of Stack Overflow for Teams, both Business and Enterprise.

Because of the widespread use of SAML 2.0, we support it as the authentication protocol for SSO, and any identity provider that supports SAML, such as Google Apps, Azure AD, OneLogin, and Okta, can be used for accessing Stack Overflow Business and Enterprise.

Integration with Okta

Okta is a leader in Identity-as-a-Service, and with the launch of SSO, we knew it was a must to configure SSO for our private instance of Stack Overflow to work seamlessly with Okta.

We had a handful of Alpha customers that our dev team worked closely with, which was extremely helpful. We wanted to make sure the integration worked just as expected, and by video chatting with customers, sharing our screens and our documentation, we got the feedback we needed from our Alpha customers in no time.

And the key finding from our Alpha customers? Most of them prefer to log in to Okta first instead of to Stack Overflow's private Q&A instance. Knowing that workflow helped inform how we built the integration.

The integration works in two ways:

  1. When a user visits their Stack Overflow for Teams account (Business or Enterprise), they can enter their Okta credentials for authentication (service-provider-initiated login).
  2. Stack Overflow Business and Enterprise are accessible from Okta. Users can log in to their Okta account and have direct access to Business or Enterprise using one set of credentials (identity-provider-initiated login).

A special thanks to all the Alpha customers who helped us improve our documentation about configuring SSO with Okta.

If you want to learn more about Stack Overflow for Teams and how it can help your organization speed up onboarding and improve knowledge sharing, check out our offerings here.