TL;DR
Small furry conventions and similar non-profits face scaling, security, and cost problems when staff counts rise. The author evaluated commercial identity options, found per-seat fees prohibitive, and built a custom open SSO that uses OIDC/OAuth, integrates with Google Workspace, and issues short-lived assertions accepted by AWS.
What happened
The piece chronicles how a grassroots furry convention's tooling needs evolve from a simple bootstrap (store, social account, domain, email) to a point where sharing a few credentials becomes untenable as staff grow. The author surveyed commercial SSO and identity options — noting Okta's 50 free licenses offer, AWS Identity Center's SAML support and external identity provider capability, and Google Workspace's SAML integrations for non-profits — but found recurring per-seat app fees (examples: Atlassian and plugin surcharges) would make single sign-on unaffordable for many volunteer-driven events. To avoid costly per-user subscriptions and fragile shared credentials, the author built a bespoke SSO. It began as a Sign in with Google–gated links service, grew to manage Google Workspace accounts (import/update/suspend/create), produces short-lived assertions for internal services, and now supports OIDC/OAuth clients; the author reports AWS accepts IdTokens from their configuration. Work on SAML support is ongoing.
Why it matters
- Volunteer-driven events and small non-profits often can't absorb recurring per-seat SSO and service fees.
- Shared credentials and ad-hoc shadow IT increase the risk that PII will be scattered and retained improperly.
- A federated SSO can reduce credential sharing, improve access control, and simplify onboarding/offboarding.
- Open or low-cost identity options (social sign-in, Google Workspace, AWS Identity Center) can lower barriers if integrated effectively.
Key facts
- A bootstrap convention can be run with a store (example: Square), a custom domain, social media, and an email address.
- For first-year events of roughly 100–300 attendees, a small team sharing a few credentials may be feasible.
- As staff headcount approaches or exceeds ~100, the author argues single sign-on becomes necessary to scale safely.
- Okta reportedly offers 50 free licenses and 50% off additional licenses (as relayed by an Okta employee).
- AWS Identity Center supports SAML and external identity providers; it does not author identity assertions for OAuth/OIDC in the same way it does for SAML.
- The author says Google Workspace (for non-profits) supports external SAML applications and can act as an identity provider.
- Per-seat pricing examples cited include Atlassian at about $20 per person per month and an $8 per-person surcharge when using an external identity provider; these add up to substantial annual costs.
- The author's custom SSO evolved from a Sign in with Google–gated link tool into a system that manages Google Workspace accounts, issues short-lived assertions, and supports OIDC/OAuth clients.
- AWS accepts IdTokens signed by the keyset linked to the author's OpenID Connect configuration; SAML support is a work in progress.
What to watch next
- The author plans a follow-up write-up with more technical details about the custom SSO and integrations (promised in the source).
- Progress on the author's SAML implementation and wider SAML tooling for the project (noted as forthcoming by the author).
- Whether vendors change per-seat pricing models or offer more generous free tiers for non-profits is not confirmed in the source.
Quick glossary
- Single sign-on (SSO): A mechanism that lets users authenticate once and gain access to multiple independent systems without re-entering credentials for each one.
- SAML: Security Assertion Markup Language, a standard for exchanging authentication and authorization data between parties, commonly used for enterprise SSO.
- OIDC / OAuth: OpenID Connect is an identity layer on top of OAuth 2.0 that enables applications to verify user identity and obtain basic profile information.
- Identity provider (IdP): A service that authenticates users and issues assertions or tokens used by other applications or services to grant access.
- Short-lived assertion: A temporary token or credential issued after authentication that grants short-term access to a resource, reducing long-term credential exposure.
Reader FAQ
Why did the author build a custom SSO?
Because commercial options and per-seat fees made off-the-shelf SSO cost-prohibitive for volunteer-driven conventions, and shared credentials created operational and privacy risks.
Does the custom SSO integrate with major platforms like AWS and Google?
Yes. The author reports managing Google Workspace accounts and that AWS accepts IdTokens from the project's OpenID Connect configuration.
Is SAML support available from the custom SSO now?
Not confirmed in the source; the author states that SAML support is planned and still being worked out.
Are there affordable alternatives to full commercial SSO?
The source highlights social sign-in (e.g., Sign in with Google), AWS Identity Center for SAML, and Google Workspace for non-profits as lower-cost options, but notes integration and app pricing remain hurdles.
Source article: Single Sign On for Furries, published Aug 15, 2025 (19 min read).
Sources
- Single Sign on for Furries
- Top 5 open source SSO solutions: pros, cons, and key tips
- Top Open Source SSO Providers to Know in 2025
- Top 5 Open-Source SSO Solutions