Lessons Learned: Adding Single Sign-On to Stack Overflow for Teams

Hi, I’m Roberta Arcoverde, a Principal Software Developer at Stack Overflow. A few months ago I was tasked with figuring out how to enable single sign-on for Stack Overflow for Teams. We felt it was important to add SSO to the private version of Stack Overflow so the admins of our Teams could easily and securely add users to our knowledge management tool. With SSO, admins no longer have to send out individual invites to team members or spend time removing team members who might have left the company. With a centralized source for credentials, Team admins get more time back in their day. 

Now, while this change was aimed at our private product, there was a large challenge that had a big impact on the scope of work. To enable SSO for Teams, we also had to rewrite a large portion of how we authenticate users on our public Stack Overflow site. SSO requires an additional level of security, and as a result, we had to carry out one of the largest updates to the authentication code since Stack Overflow has been around. 

The first problem we had to solve was how to create unique Stack Overflow credentials from requests coming from external identity providers. Additionally, we had to build from scratch a completely new level of security for managing user sessions. SSO sessions are temporary, and Team admins can determine how long they should last. Upon expiring, users are asked to re-authenticate with their SSO credentials to access their Teams. We have no such demand on the public Stack Overflow, so that entire mechanism had to be built and integrated into the existing code that manages account sessions and credentials.

It took a team of 3 engineers working for 3 months to make it happen, but now that it’s done, it’s been gratifying to see that this is a really desirable feature within Stack Overflow Business and Stack Overflow Enterprise. More than 40% of Stack Overflow Business customers use SSO and 100% of our Enterprise customers rely on it. We are now involved in ongoing work to strengthen and improve integrations with various SSO providers, like Okta, and you can read more details of how that will work below.

Benefits of single sign-on

If you’re not familiar, single sign-on (SSO) has become an industry standard, helping to provide quick and secure access to multiple, yet independent, applications with one set of credentials. 

We prioritized the development of SSO after several notable conversations with our customers, and added this must-have feature for the premium tiers of Stack Overflow for Teams, both Business and Enterprise.

Because of the widespread use of SAML 2.0, we support it as an authentication protocol for SSO, and any identity provider that supports SAML, such as Google Apps, Azure AD, OneLogin, and Okta, can be used for accessing Stack Overflow Business and Enterprise.

Integration with Okta

Okta is a leader in Identity-as-a-Service, and with the launch of SSO, we knew it was a must to configure SSO for our private instance of Stack Overflow to work seamlessly with Okta.

We had a handful of Alpha customers that our dev team worked closely with — this was extremely helpful. We wanted to make sure the integration worked just as expected, and by video chatting with customers, sharing our screens and our documentation, we got the information we needed from our Alpha customers in no time.

And the key findings from our Alpha customers? Most of them prefer to log in to Okta first instead of Stack Overflow’s private Q&A instance. Knowing this workflow helped inform how we built the integration.

The integration works in two ways:

  1. When a user visits their Stack Overflow for Teams account (Business or Enterprise), they can enter their Okta credentials for authentication.
  2. Stack Overflow Business and Enterprise are accessible from Okta. Users can log in to their Okta account and have direct access to Business or Enterprise using one set of credentials.

A special thanks to all the Alpha customers who helped us improve our documentation about configuring SSO with Okta.
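To make the session mechanism from earlier in the post and the two login directions above concrete, here is an added illustration (not Stack Overflow's code) of how a service provider decides between serving a request, redirecting the user to the identity provider (the first flow), and minting a session from an already-validated assertion (the second flow). The `TeamSsoPolicy` and `Session` types, the admin-chosen `session_lifetime`, and the Okta login URL are assumptions made for the example; SAML assertion validation itself is out of scope here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Hypothetical per-team policy: the Team admin picks how long an SSO session
# may live. A lifetime of None models the public site, which has no SSO expiry.
@dataclass(frozen=True)
class TeamSsoPolicy:
    team_id: str
    sso_enabled: bool
    session_lifetime: Optional[timedelta]

@dataclass
class Session:
    user_id: str
    team_id: str
    authenticated_at: datetime  # time of the last successful IdP authentication

def session_decision(session: Optional[Session], policy: TeamSsoPolicy,
                     now: datetime) -> str:
    """Return 'allow' if the session still satisfies the team's SSO policy,
    or 'reauth' if the user must authenticate with the identity provider again."""
    if session is None or session.team_id != policy.team_id:
        return "reauth"
    if not policy.sso_enabled or policy.session_lifetime is None:
        return "allow"
    age = now - session.authenticated_at
    if age < timedelta(0):
        return "reauth"  # timestamp in the future: clock skew or tampering
    return "allow" if age < policy.session_lifetime else "reauth"

def sp_initiated_request(session: Optional[Session], policy: TeamSsoPolicy,
                         now: datetime, idp_login_url: str) -> Tuple[str, Optional[str]]:
    """Flow 1: the user arrives at Stack Overflow for Teams first. A valid
    session is served; otherwise the user is sent to the IdP to sign in."""
    if session_decision(session, policy, now) == "allow":
        return ("serve", None)
    return ("redirect", idp_login_url)

def idp_initiated_login(user_id: str, policy: TeamSsoPolicy, now: datetime) -> Session:
    """Flow 2: the user signed in at the IdP (e.g. Okta) first and the IdP has
    posted a SAML assertion that was already validated. Start the session clock
    now so the admin's lifetime applies from this authentication."""
    return Session(user_id=user_id, team_id=policy.team_id, authenticated_at=now)
```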

If you want to learn more about Stack Overflow for Teams and how it can help your organization speed up onboarding and improve knowledge sharing, check out our offerings here.

Author

Roberta Arcoverde
Principal Software Developer

Comments

  1. Thanks for the write-up. If not asking much, it would have been great if the integration points mentioned in 1 and 2 could have been supplemented with some workflow/dataflow diagram for better understanding.

    Something like –
    user -> logs in to Stack Overflow (SO) for Teams -> check authenticated -> if not -> redirect them to Okta -> Okta, which knows what auth the enterprise is using, accordingly challenges the user or, I do not know, may auto-login using their Windows credentials -> which then (some kind of auth token) is passed on to SO -> which then provides the user the correct screen -> for subsequent calls there is some token present from the first call which is used till it expires, and when that happens repeat from step 1
