Feb 1, 2024

Your Guide to the SSO Tax: Why It Exists, Costs, and Workarounds

Your Guide to the SSO Tax: Why It Exists, Costs, and Workarounds

Table of contents

According to a 2022 study conducted by LastPass, 80% of confirmed data breaches were a result of stolen, weak, or reused passwords. (In fact, LastPass suffered its biggest data breach later that year as a result of stolen credentials.)

If only there were a way to fix the password problem, right? Enter single sign-on (SSO).

“SSO is a must,” Mike Kail, a former VP of IT operations at Netflix, once said. “Once your employees start using Workday, Box, and other cloud services, they start littering those services with passwords — some unique, some not — and any business is only as secure as its weakest password.”

SSO allows a business’s employees to sign in to multiple applications using one set of credentials. It’s a win for everybody involved. It simplifies the login process, it reduces password-related problems for IT support, and, most importantly, it’s a significant security boost for the business — especially when layered with multi-factor authentication.

Unfortunately, SSO comes at a price, and for many SMBs, it’s too high a price to pay. We call that unduly high price the SSO tax.

What is the SSO tax?

“The SSO tax” is the unofficial name given to the extra charges or forced upgrades that software vendors demand for providing SSO functionality.

But if SSO streamlines the login process, saves your IT support valuable time, and makes your business more secure, why would you have a problem paying extra for it?

The answer is simple. SaaS vendors are overcharging for SSO to the point that it’s out of reach for non-enterprise businesses.

Take GitHub for example. The base plan, which costs $4, has all the features a startup needs. However, you have to upgrade to the Enterprise plan, which costs $21, if you want SSO. That’s a 525% price increase just for SSO — the extra enterprise features you get provide no real value.

It’s not just GitHub. Do you want HubSpot marketing but with SSO? You’ll need to pay an extra $2,800 per month to get it. Figma, Loom, Notion, Asana, and Calendly all levy the SSO tax. And that’s before you factor in the cost of your identity and access management provider.

So we don’t have a problem with paying extra for SSO. The problem is that a baseline security feature is being leveraged as a revenue-generation tool, and the cost increase does not align with the SSO maintenance cost.

Rob Chahin, the creator of The SSO Wall of Shame, the first website dedicated to shaming vendors who charge an exploitative SSO tax, put it best when he said, “While I’d like people to really consider it a bare-minimum feature for business SaaS, I’m OK with it costing a little extra to cover maintenance costs.”

The birth of a movement: #SSOForAll

According to Chahin, any business that claims to take SSO seriously should do one of three things:

  • Offer SSO for free as part of the main product.

  • Offer SSO as an optional paid extra but at a reasonable price.

  • Attach SSO to a different plan but with a reasonably small gap between the non-SSO tier and SSO tiers.

The original SSO Wall of Shame website has not been updated in more than a year. We thought it was only right that we advance the noble cause.

So, we now have SSOtax.org, an addition to Chahin’s project, featuring an updated list of vendors who belong on the Wall of Shame.

Also, in the name of fairness, we added another section: “Friends of SSO.” This is a list of vendors that take security seriously by offering SSO in all their premium plans without unreasonable upcharges. It also highlights vendors with affordable SCIM and support for free SSO providers including Google, Microsoft, and Facebook.

Why the SSO tax exists, according to the vendors

This is how the vendors justify hiding SSO behind an enterprise paywall.

1. SSO is expensive to build and maintain.

But this is true only if you’re building SSO on top of functioning software. Because that may force you to redo the whole authentication flow.

If you take security seriously, SSO should be a key requirement during the early development stage. The SAML and OpenID frameworks have grown exponentially and come with enough documentation to facilitate seamless integration.

Partnering with an identity provider in the early stages can also help you reduce the cost of building and maintaining SSO. It’s what Tenchi Security, a third-party cyber risk management provider, did.

“Here at Tenchi Security, we cater to companies of all sizes, but mostly in regulated industries. Having made the decision to use a leading CIAM solution instead of rolling our own authentication infrastructure, it was simple and inexpensive to extend SSO to all of our customers,” says Alexandre Sieira, the company’s co-founder and CTO.

However, Sieira notes that the initial SSO setup is not 100% self-service yet and requires the allocation of support personnel.

Although this is not something Tenchi Security does, he says it would make more sense if vendors offered built-in SSO across all plans and then charged for support (setting it up to work with the customer’s identity provider).

“Even though we don’t do it ourselves, I think most customers would feel much more comfortable about paying an upfront fee to cover these costs than being forced to be on a higher (recurring) and much more expensive pricing plan,” Sieira says.

2. The SSO-less version is a demo

Another argument used by SSO proponents is that the SaaS offering without SSO is a discounted trial version, while the offering with SSO is the real product.

This doesn’t make sense, because security shouldn’t be an add-on feature. It’d be like an auto manufacturer selling a car that has only 50% braking power unless the buyer opts for a “premium” package that unlocks full braking power — or a cruise ship line offering a lower price to passengers if they forgo access to a life jacket.

The real reason the SSO tax exists

Charging a premium for SSO is an easy way for vendors to increase their bottom line. These companies realized very quickly that SSO was indispensable for enterprises, due to compliance requirements.

Consequently, they could create an enterprise plan and add SSO to it, and businesses would buy it without thinking too much about it.

It’s a trick that Ben Orenstein, the co-founder and CEO of remote pair-programming app Tuple, admits to using, although it troubled his conscience.

“We did exactly this. We put SSO in our enterprise tier, charged ~2x for it, and made a bunch of money,” Orenstein wrote in a blog post. “The thing was, we always felt kind of gross about it…. [But] we held our noses and did the thing because it was highly profitable and everyone else was doing it.”

However, times have changed, and small and medium businesses are saying that they need SSO just as much as enterprises do.

“I understand the instinct product managers have to create a pricing model that matches its customer base i.e. charging more from larger companies that are ultimately more demanding and require a larger feature set,” Tenchi Security’s Sieira says. “However, gone are the days when only companies that had expensive dedicated IdPs could support SSO.”

“There are open-source options and even relatively inexpensive plans on Microsoft 365 or Google Workspace that let security-conscious startups or SMBs leverage SSO to great effect,” he concludes.

This is yet another way of saying that vendors should give customers in-built SSO, and if there’s extra work needed to integrate with whichever identity provider they’re using, then they should charge for it.

Tuple is no longer limiting SSO to its enterprise offering. Multiple other vendors have also started offering the feature for free, but they’re the outliers. For the most part, SMBs are still faced with the tough choice of paying for SSO or doing without it.

The SMB dilemma: Paying the SSO tax or going without SSO altogether

For enterprises, paying the SSO tax is a non-issue. They have the budget for it, and they have valid use cases for the extra features bundled with the enterprise plan. Startups and SMBs, on the other hand, have a tough choice to make:

  1. Pay the extra cost for an enterprise solution that serves no real value except SSO.

or

  1. Stick with the base package and forgo SSO.

It seems like an easy choice, but SSO is not just about authentication. When you have a central login point for all your applications, it also becomes super easy to track access, as well as to create and delete users. If an employee leaves the company, you can delete their account from a central point instead of going through each application separately. SSO enables secure authentication, access control, and compliance.

If you’re a startup or SMB and can’t afford an identity service provider like Okta due to the SSO tax, we have another solution for you.

An alternative solution: Google SSO + AccessOwl

Unlike with custom (SAML-based) SSO , many SaaS vendors don’t demand prohibitive prices to integrate with Google SSO. A number of them support it across all their plans at no extra cost. However, Google SSO lacks some key features when compared with other identity providers.

  • No proper role-based access control (RBAC) for automated user provisioning and deprovisioning.

  • Poor automation when it comes to account creation and deletion.

  • Limited access tracking for compliance.

That’s where AccessOwl comes in. AccessOwl fills the gaps in Google’s solution, so you can enjoy the capabilities of a fully fledged identity provider without incurring the SSO tax.

Google handles authentication; AccessOwl handles access authorization. However, instead of SAML and SCIM APIs, it processes access requests and approvals via Slack. The user logs in to Slack, selects an application, and states the reason for access — then the request is sent to the appropriate person for approval. You can set up auto-approval for low-risk applications or multi-step approval flows with several approving parties for high-risk applications.

AccessOwl also lets you easily check who has access to which application, how long they’ve had it, and why they have it. You can automatically generate reports to prove compliance.

The future of the SSO tax

Can we hope for a future where vendors don’t exploit the usefulness of SSO for profit?

While the SSO Wall of Shame has helped to create awareness and to chastise the vendors who levy the SSO tax, it has done little to eliminate the practice. Unless big industry players join the movement, the status quo is unlikely to change. Right now, it’s a case of a few individuals against corporate giants.

Still, that should not discourage you from speaking out against exploitative pricing. Ultimately, we need to be the change we want to see. Don’t allow vendors to strong-arm you into paying unreasonable markups. Call them out, and explore alternative service providers. Otherwise, you’re reinforcing the false notion that SSO is a luxury feature that can be sold for an unreasonable, luxury price.