
Misleading and invalid use of term "single sign-on" in pricing and documentation #2173

Closed
bluikko opened this issue Jul 27, 2018 · 2 comments

Comments

@bluikko

bluikko commented Jul 27, 2018

The documentation at docs/source/deployment/sso-ldap.md (https://docs.mattermost.com/deployment/sso-ldap.html) claims that:
"Single sign-on. Users can sign-in to Mattermost with their AD/LDAP credentials."

Even worse, the "pricing" web page at https://mattermost.com/pricing/ states that E10 supports "Active Directory / LDAP single-sign-on".

But digging deeper, the E10 version does not actually support single sign-on (SSO). It seems the pricing and documentation are either prepared by someone who does not know the proper usage of the term or, worse, prospective buyers are intentionally misled into buying E10 when it cannot deliver what is promised.

We were in the process of testing and preparing the purchase of E10 for several hundred users, but all that work is now deemed wasted after the documentation was read in more depth.

SSO does not mean that a user can type the AD/LDAP credentials on a login page.
SSO means that, for example, when a user logs on to a workstation, the user gets a Kerberos ticket (or SAML or other such system is prepared).

What kind of SSO would it be if the user would need to type their credentials every time they want to login to some service? The hint is in the "single" part of the term.

The documentation is misleading due to the invalid use of the term "single sign-on". Luckily our admin department was still processing the purchase of E10. Had we found out about the limitation of E10 after purchase, we would have lost a rather large amount of money on a product sold on misleading promises, or would have needed to waste more time trying to get a refund.

IANAL, but I believe in the US there would be sufficient grounds for successful litigation for lost money, time, etc.

There simply is no such thing as "AD / LDAP single sign-on".

  • "AD single sign-on" does exist, and this utilizes LDAP and Kerberos/GSSAPI (both are part of a group of technologies called AD).
  • "LDAP single sign-on" simply does not exist.

"AD / LDAP authentication" would be the correct term (not going into the technicalities of authentication versus authorization here; I would suggest "authentication" is sufficient).

@amyblais
Member

amyblais commented Aug 1, 2018

Hi @bluikko! Thanks for reaching out. I'll summarize our engineers' clarification on this:

LDAP login is SSO. It's not necessary for there to be only one point of login. Many SSO systems have you type your credentials into more than one system. From Wikipedia on SSO:

"With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system."

Also, if you have an AD server and you want to set up SSO this way, one option is to use ADFS with SAML.

Does this help?

@bluikko
Author

bluikko commented Mar 20, 2019

Regardless of what Wikipedia says, a centralized authentication system such as LDAP/AD is hardly SSO. I understand your point though, even if Mattermost is the only system I've ever seen advertise "SSO" in this way.


2 participants