Show HN: BoxyHQ – open-source alternative to Auth0/WorkOS (boxyhq.com)
176 points by deepakprab on March 22, 2022 | 39 comments
Hi HN, we are Deepak and Sama, co-founders of BoxyHQ (https://boxyhq.com/). BoxyHQ provides an open-source platform for developers to quickly integrate enterprise features into their software solutions. These include SAML Single Sign-On (SSO), Audit logs, with more to come :)

Every B2B startup faces a common challenge when it comes to selling into the Enterprise; they need to allocate time and resources to support all the requirements to make their offering enterprise-grade. Supporting these requirements is a significant undertaking for the engineering team, especially since they already have their hands full with the core product. We experienced this problem ourselves and that is why we built BoxyHQ, a platform to integrate enterprise features in any SaaS app with just a few lines of code.

The main difference with Auth0 and WorkOS is that BoxyHQ is being built on an open source ethos. Our focus is to be a developer-first security platform, putting developers at the centre of our holistic approach and help them close the gap between compliance and security.

Please let me know if you have any questions, you can also reach out to me at deepak@boxyhq.com




Great day for a ShowHN for an open source SSO product :)

I am excited by this.

However I got thoroughly confused on the introduction page of your docs:

https://boxyhq.com/docs/jackson/introduction

What is “Jackson” - did you rebrand at some point?

I think it’s a Pulp Fiction reference(?) but I spent more time looking that (and the name “Jules Winnfield”) up to try and understand the context than I did reading/parsing the intro!

I don’t mind a bit of humour, but this was a tad confusing…

What are your plans regarding a commercial model for your product (if you can share?)

Edit: also as a bit of feedback; because your website is quite basic at the moment and the only call to action seems to be the big “Contact Us” button, I’m left wondering what stage you’re at and whether you have anything that’s usable now that I can use in production, or if it’s still at a Beta / under-development stage?

If it’s ready to be used, perhaps add a “Get Started” button to the left of the “Contact Us” button as that serves as both a strong call to action and also clearly indicates that you consider the product is ready to use (even if your commercial offering isn’t yet).

If it’s not yet ready, perhaps change that suggested button to a “Keep Me Updated” button with an email signup?

There’s not enough here for me to consider contacting you at this stage… I would either want to try it out, or give you my email so that you can tell me when it’s ready to try out.

I glanced at the GitHub repo but I’m still not really clear if this is a work in progress or it’s ready to go…!

Just my opinion… for what it’s worth!


SAML Jackson -> Samuel L. Jackson

Pretty funny


Haha, making SSO a little less boring. :)


I worked at an SSO Vendor for years, in our early days when we were 20 people we had a whiteboard with funny SAML names.. one of my favorite was King Federate which we abbreviated as K-Fed!


Haha, love it. Hope no one was fed up! Do you recollect the other names?


Thank you tailspin2019, it definitely is an interesting day for an SSO product! :)

It is a Pulp Fiction reference but I agree it is confusing. We'll refine the intro and the CTA on the webpage, great feedback.

Our core will always be free (Apache 2.0 license) and our commercials will be based on the following models: 1) A hosted solution in the future 2) Premium features on top of our core (To ease deployment, administration and integrations with Enterprise security products) 3) Vertical specific solutions for regulated industries like Healthcare and Finance.


Thanks, I was looking further at GitHub and realise that Jackson and Hermes etc. are your product names.

Perhaps you could mention these product names on the marketing site so there is a bit of continuity between that and GitHub/docs?

I like the humour. My instinct would be to either “own” those product names fully and use them boldly throughout, or deemphasise them in favour of your Boxy brand… :)

Looking at the Audit Logs repo introduction, I know this is a reference I’m not getting, but I’m not going to look this one up!!

> A grade 36 Bureaucrat just like Hermes Conrad. Audit logs matters that only a true bureaucrat can handle properly.

Keep up the good work. What you’re doing looks very interesting!!


Thank you, great feedback once again. :) We definitely have some thinking and work to do with the branding of each product.


Futurama


Thanks :)


Looks like the name of one of the open source projects in the platform: https://github.com/boxyhq/jackson


Indeed, thank you.


If anyone knows an identity solution that supports bilateral and multilateral SAML (federation of identity providers), automatic retrieval of metadata/certs, OAuth, OIDC, group rules, IdP discovery (routing to IdP based on identifier), WAYFless, and IP authentication I would love to hear about it. We run a B2B that sells our web based service into education (primary through to university) and have a small team so are always interested in solutions in this space.


We (FusionAuth) cover most of this. I think we do bilateral and multilateral SAML. More details in our docs: https://fusionauth.io/docs/v1/tech/core-concepts/integration...

We do OAuth, OIDC, and idp routing based on domain or id. We track ips and have the ability (in the Enterprise tier) to add IP ACLs, but I am not sure what you mean by IP authentication.

I am not sure what you mean by wayfless, not familiar with that term.

Feel free to reach out to me for more info if you'd like to chat, my contact info is in my profile.


Hi mooreds, would love to get access to a FusionAuth account where we could set up and test your SAML identity provider (would also help us build an instructions guide for FusionAuth customers). Could you make this happen?


Hi deepakprab,

You can download and run the community version in a variety of formats. For testing you could spin up an ec2 instance if you'd like.

Download it here: https://fusionauth.io/download

If you want us to manage it, you can sign up for a basic cloud here: https://fusionauth.io/pricing

Let me know if you have questions.


Amazing, thank you. I'll definitely reach out if I have any questions.


Keycloak does a good bit of this and is open source. It's an outstanding project. It's my go-to for anything that requires login, especially for its SAML/OIDC support.


Great question, I would think Shibboleth might cover some of the topics you are looking for. I am not too experienced with the education sector, would love to chat further to get a better understanding.


I work in education, Shibboleth is indeed what we use for these types of things. You go through the Shib portal and depending on your email address get redirected to your institution's SAML login and back.

Somewhat similar to using Azure or Okta B2B integration, but with support for things that don't support native SAML and older legacy platforms that we just can't kill.


I'd love to chat with you about this, but you don't have contact info listed in your HN profile. Can you send me a note?


we use boxy over at cal.com and it’s been super cool. deepak personally helped us get started


Thanks Peer. We are a natural fit for OSS projects/COSS companies that inevitably need these features once they start seeing interest from Enterprise customers.


> The main difference with Auth0 and WorkOS is that BoxyHQ is being built on an open source ethos. Our focus is to be a developer-first security platform, putting developers at the centre of our holistic approach and help them close the gap between compliance and security.

Not to detract from this project, but I'm familiar with Auth0 and WorkOS both, and I think both would say the same thing about themselves.


Yep, we even launched WorkOS via HN :) https://news.ycombinator.com/item?id=22607402


Would love to see both Auth0 and WorkOS go open-source as well! ;) Jokes aside, hi grinich. Would love to catch up sometime, my email is deepak@boxyhq.com


I don't think that either Auth0 or WorkOS is open source. I am sure they both have open source example projects. I know that I have seen Auth0 sponsor open source too.

But as far as pure open source authentication solutions, the ones I know of are:

* Keycloak

* Ory

* Identity server (.net)

But Auth0/WorkOS are definitely focused on building a developer first security platforms. Along with a lot of other companies.


Congrats on launching! I work for a competitor (FusionAuth), but there's plenty of room for more different ideas and companies.

I like the open source ethos and appreciate you being upfront with your future business plans.

Welcome!


Thanks mooreds, we are all working towards a common mission. Looking forward to expanding the market together.


Keycloak is an easy-to-use, easy-to-deploy IdP


Keycloak is indeed a great product and more feature complete.

We are currently focused on refining the SAML SSO integration. We abstract away SAML login as an OAuth 2.0 flow so that it plugs in seamlessly where a Google or Github login (for instance) would in your tech stack.
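The application-side half of that arrangement, as an added example (not BoxyHQ's code and not its API): a minimal OAuth 2.0 authorization-code client with state and PKCE that would sit where a Google or GitHub login sits, while the broker handles SAML with the customer's IdP. The broker endpoints and the use of login_hint to select the customer's IdP are assumptions of this example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical broker endpoints (constructed here, not BoxyHQ's documented paths).
# The broker does the SAML exchange with the customer's IdP; the app only speaks OAuth 2.0.
AUTHORIZE_URL = "https://sso.broker.example/oauth/authorize"
TOKEN_URL = "https://sso.broker.example/oauth/token"

def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def start_login(client_id: str, redirect_uri: str, login_hint: str, session: dict) -> str:
    """Return the authorization URL the browser is redirected to.
    state ties the callback to this browser session (CSRF defence); the PKCE verifier
    ties the token exchange to the party that started the flow. Selecting the customer's
    IdP via login_hint (the user's e-mail) is an assumption of this example."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    session.update(oauth_state=state, pkce_verifier=verifier, redirect_uri=redirect_uri)
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid email profile", "state": state, "login_hint": login_hint,
        "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def finish_login(callback_url: str, client_id: str, session: dict, exchange) -> dict:
    """Validate the callback, then exchange the code for tokens.
    exchange(token_url, form) performs the back-channel POST; it is injected so the
    example runs offline. state is consumed on first use, so a replayed callback fails."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if expected is None or query.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: forged or replayed callback")
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return exchange(TOKEN_URL, {
        "grant_type": "authorization_code", "client_id": client_id, "code": code,
        "redirect_uri": session.pop("redirect_uri"), "code_verifier": verifier,
    })
```

Swapping the broker for Google or GitHub changes only the two endpoint constants; the SAML metadata, certificates and assertion handling never reach the application.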


That's an opinion, not always true for everyone. I love Keycloak, but I've seen several large enterprises trial it and give up due to complexity at their particular scale. I've seen bigger orgs use it successfully in a simpler tech landscape.

Regardless, this is a solution for your application that doesn't require running something like Keycloak. If I was developing an application I'd be looking at this, Auth0 or WorkOS to get the features my customers are demanding (SSO/SAML/OAuth mostly). Keycloak does the opposite: as a business I could deploy Keycloak to be my SAML IdP, but still need my applications to support SAML.


Thanks zwayhowder, that's a great summary!


The 'privacy vault' feature sounds interesting - do you have any more details how that might work?


At a high level it lets you separate (and centralize) your PII data from your main infrastructure whilst providing configurable semantics on how the data should be encrypted underneath. Additionally you'd have granular control (and audit) on who/where/when (access control, geo, time) can access the vault. As an example you'd ship Social Security Numbers to the vault and configure access to it for a KYC application which can verify the SSNs as needed.


How does this compare to Ory?

https://ory.sh/


Ory seems like a modular Keycloak, they don't seem to support SAML as a Service Provider yet which is the one thing we do well.


How are you planning to make money?


> Our core will always be free (Apache 2.0 license) and our commercials will be based on the following models: 1) A hosted solution in the future 2) Premium features on top of our core (To ease deployment, administration and integrations with Enterprise security products) 3) Vertical specific solutions for regulated industries like Healthcare and Finance.



