Double-Sign On

  • One of my many responsibilities in a previous life was to manage third-party integrations.

    The company's flagship product was an information system. The thing is, information systems aren't very sexy, and designing websites wasn't really our expertise, so we partnered with a couple of design companies who had domain expertise in the business of our customers. On the surface, it might seem like a match made in heaven (and it did win us quite a few contracts). Going deeper, you ended up with all the headaches of coordinating people at independent companies toward a common goal. Generally, things worked pretty well, as I was the contact at Company A, and I had a single person I talked to at Company B and at Company C, so in spite of the natural barriers, it was generally pretty easy to get things done. We supported single-sign on with each of them using a fairly simple mechanism: they would pass a token to our application, and we would validate it and either log in the user, or redirect them if authentication failed.

    Enter Company D. Company D was special in that they had design expertise, but also had a competing information system. Interestingly, a potential customer wanted to use our information system, but their front-end. Whatever the reasons, the sale was made, and I was instructed to begin working with a PM and developer at Company D so that they could implement SSO into our application.

    I should mention that at this point in time, I was heavily micromanaged in my role. According to my employment contract, I reported directly to the CEO, but the VP and Director of Sales would also assign me tasks. My de facto manager at the time was the blonde the CEO was presently banging, who made a point of pestering me about every 15 minutes clearly to get the most up-to-date status reports on my work, in addition to undermining my progress on any tasks not assigned by her (That could fill several threads, so I won't go into that here).

    Needless to say, it was ... difficult to get any work done helping Company D with their end of the integration. It got to the point that schedules were slipping, and the customer was complaining about the delay. Fortunately, I was able to sneak in a couple hours to go through the process of configuring an endpoint for them. Triumphantly, I posted to the project tracking tool we, Company D, and the customer were using that things had finally been set up. About an hour later, I saw the following message posted by the CEO:

    I have removed the SSO endpoint from our webserver.

    Huh? Fortunately, the reasoning behind this abrupt decision was quickly explained, as the phone started to ring, and it was the CEO:

    :older_man: @Groaner, I deleted the SSO endpoint. What the hell were you thinking?
    :man: What?
    :older_man: If they have SSO, they can get into our application and look at our Widgets! We've spent years developing our Widgets, and now they'll be able to see how we implemented it because of what you did!
    :man: I was asked to set up SSO with them....
    :older_man: They are a competitor, @Groaner! Jesus! (more indistinct ranting and insults) Okay, bye.

    The crappy thing about esprit d'escalier is that it has a delayed reaction. The next day, we were all in a meeting about this particular customer for unrelated reasons, and I pointed out the obvious:

    :man: You know, they were sold SSO. Once they have it, they're going to be able to see everything in our application regardless, if they SSO with an admin user. That's kind of the point of having SSO in the first place.
    :older_man: (thinks for a moment, perhaps realizing his earlier paranoid stupidity) ...That's a good point. Well, we'll get a login into their system as well for testing purposes!

Log in to reply

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.