Explaining the backlash to the SSO tax

By Nick Moore

The SSO tax is the unofficial name for the practice of software vendors significantly upcharging their customers for Single Sign-On, usually by making it part of an enterprise tier.

Opponents of this practice say that charging for SSO is like buying a car and having to pay extra for the seatbelts. Meanwhile, vendors argue that SSO is more like a sunroof: a luxury feature that belongs on their high-end model.

In reality, SSO is probably most analogous to a rearview camera; it initially seemed like a fancy add-on, but it’s now recognized as a security requirement that keeps everyone safer.

Charging extra for a safety feature strikes plenty of people – like the creators of the SSO Wall of Shame – as unfair and irresponsible, and there’s a backlash against the SSO tax rising in tandem with credential-based hacks that SSO could have helped prevent.

Still, even in the face of criticism, the practice of upcharging thousands of dollars for SSO shows no signs of slowing down. Why?

That’s the question we’re here to explore.

Three reasons companies need SSO

Let’s start with a quick refresher on why Single Sign-On is so important in the first place. SSO puts a single authentication experience – handled by an identity provider (IdP) such as Okta, Microsoft, or Google – in front of multiple applications. So instead of a worker having unique passwords for, say, GitHub, Slack, and Asana, they use the same Okta authentication process for each one.

In theory, a company can get by without SSO. But in practice, having individual employee passwords for every application quickly becomes unwieldy and security becomes lax – especially against ransomware attacks, which often target vulnerable employee login credentials.

So at the very least, companies want SSO (backed up by strong authentication like MFA) in front of every application that poses a significant security risk.

There are three main reasons companies want SSO for any apps that touch sensitive data:

  • SSO creates one strong access point rather than many weak ones, reducing the company’s attack surface.

  • SSO makes it easier for companies to onboard and offboard employees and to implement Role-Based Access Control (RBAC), giving IT a single tool with which to manage access to applications.

  • SSO eliminates the need for employees to use (and forget) multiple passwords, which can improve employee experience and productivity, and reduce help desk tickets for lost passwords.

The advantages above have been true for a long time, but the stunning increase in ransomware attacks in the past few years has made these issues more urgent, and has changed SSO from a luxury to a necessity.

How the SSO tax works

Now that we’ve made the case for SSO, let’s go shopping and see how the SSO tax might affect a hypothetical company.

Let’s say we’re selling a productivity app that insults you when your GitHub contribution squares are empty (free billion-dollar idea for anyone who wants it).

For starters, we need a website and a CRM. Our head of marketing wants to go with HubSpot – a well-known company with a reputable product. We look at the pricing and a “Starter” plan costs $15/month. Perfect! We are just starting, after all.

But SSO isn’t included in the Starter plan or the Professional plan. It’s exclusive to the Enterprise plan, which comes in at a whopping $1,500/month. So we’ve jumped from $15 to $1,500. And that’s the SSO tax in action. To be clear, the Enterprise tier comes with a lot of other bells and whistles besides SSO – but many of them are “nice to haves,” while SSO is a “need to have.”

The pattern repeats with other mission-critical tools. GitHub, Docker, and plenty of other services charge the SSO tax, and it quickly eats into our imaginary company’s budget.

[Image: a graphic comparing the cost of GitHub, Docker, and HubSpot with and without SSO. In each case, the SSO tier costs more than double.]

You can imagine how difficult and expensive it would be for an SMB to get and maintain SSO functionality across all or even most of its apps.

To be clear, charging extra for some features isn’t inherently problematic. The problem is the proportion. HubSpot, for instance, charges a markup of more than 5,000% for access to SSO.

The impact of the SSO tax

When we’re talking about 5,000% price increases, the results are predictable. Today, many of the applications companies use are not in their SSO portals, leaving those companies vulnerable to attack.

Grip, a SaaS security company, polled over one hundred CISOs to prove this. They found that 80% of the SaaS applications employees use are not in their companies’ SSO portals. Grip laid out several reasons why – including apps that don’t support SSO and apps owned by third parties – but the top reason was SSO licensing cost.

Why vendors upcharge for SSO

Money. Really, that’s the main reason. But if we want to know more about the staying power of the SSO tax, it’s worth digging a little deeper into why the financial incentives outweigh the costs.

There are three primary reasons vendors charge an SSO tax (or at least justify doing so).

Building and maintenance costs

Many vendors argue that SSO is hard to build and worth charging for. Gergely Orosz, for example, writer of the popular newsletter The Pragmatic Engineer, writes that “Every company should absolutely charge more for non-standard SSO (which is most SAML-based, enterprise SSO).” For Orosz, it’s simple: “It’s additional work for the vendor. Of course customers would love to get all that for free, but it’s not how it works.”

Klaas Pieter Annema, engineering manager at Sketch, largely agrees. Based on his experience running the team maintaining SSO at Sketch, he argues that though supporting Google and Microsoft SSO is easy, “Supporting whatever wonky homebuilt some large enterprises use is a huge time [sink].” Sketch, according to Annema, had to go so far as to build a rotating support role to provide SSO.

But others disagree, or at least maintain that the cost is out of step with the work required.

When Rob Chahin announced The SSO Wall of Shame, he explained his reasoning (in a now-deleted tweet) from the perspective of an experienced developer. “Having shipped SSO,” Chahin writes, “I have no qualms about considering it a service that needs to be paid for.” The qualms come from proportion, he says. “The enormous markups I see for these vendors cannot be feasibly attributed to the SSO cost.”

For Chahin, the math doesn’t work: “If your SSO pricing is 3x your base pricing, are you telling me that 2/3 of the cost of your product is just keeping the SAML going? Doesn’t seem reasonable to me.”

Profit

The SSO tax makes vendors money – that much is obvious. But vendors aren’t going to come out and say that’s why they keep it around. Well, most of them won’t.

In a shockingly transparent post, Ben Orenstein, co-founder and CEO of remote pair programming app Tuple, reveals that it really is mostly about profit.

“If you’re a new SaaS founder and you want to maximize your revenue,” Orenstein writes, “I recommend you create an enterprise tier, put SSO in it, and charge 2-5x your normal pricing. Even with no other benefits, some customers will be forced to choose this option” (emphasis ours).

But what about those setup and maintenance costs? Orenstein covers this aspect, too, writing that “SSO costs close to nothing after a little automation, so this price increase is all profit.” He goes on to admit that doing this “always felt a little gray hat,” which is one reason why Tuple stopped charging the SSO tax.

Upselling

This reason is related to but distinct from pure profit. When vendors lock SSO access into an enterprise pricing tier, they can better segment their customers and drive potential enterprise customers into actual enterprise plans.

Patrick McKenzie, of “charge more” and Stripe fame, explains that “SSO is a segmentation lever, and a particularly powerful one because everybody in the sophisticated-and-well-monied segment is increasingly forced to purchase it.” He compares it to HIPAA-compliant services, saying “Yes, enjoy 2X on the invoice.”

Orenstein goes into this too, writing that: “On its face, SAML-based Single Sign-On (SSO) is the perfect feature to push your bigger customers into your enterprise tier.”

Picture the typical pricing page again. The standard plans list a specific cost in dollars, but the enterprise plan often simply advises you to “contact sales.” So not only is the SSO tax profitable, but vendors use it to put companies into the position of having to negotiate.

The case for not upcharging for SSO

While the argument for charging the SSO tax is clearly persuasive, there are counterarguments that have persuaded some vendors to turn down the easy money. The benefits of not upcharging for SSO might be less tangible than the alternative, but they’re still worth considering if we ever hope to change the status quo.

PR (AKA: “The right thing to do”)

Unsurprisingly, most software buyers don’t like the SSO tax. So naturally, some vendors have harnessed that resentment for marketing purposes, either by announcing they’re getting rid of the SSO tax or making a big deal about never charging for it.

The Tuple post we got into earlier, for instance, is titled “SSO Should Be Table Stakes,” and it explains why Tuple would no longer charge an SSO tax. Similarly, Scalr, a company providing a Terraform cloud alternative, published a post titled “SSO Tax: Why Scalr Is Not Charging Extra For Security.”

Even if a vendor doesn’t make their lack of an SSO tax an explicit part of their messaging, they can still benefit from not being on the Wall of Shame and from establishing a positive reputation with users.

Industry security

Richard Hartmann, Director of Community at Grafana, has tweeted that there’s an industry-level or even ethical reason to dispose of the SSO tax.

“The argument written out in plain English above the list is that by making baseline security a feature with significant markup, internet infrastructure as a whole is less secure. Infrastructure security is the classic example of tragedy of the commons, and externalizing costs.” – @TwitchiH

Hartmann gets at the heart of why people find the SSO tax so infuriating, and he’s not the only one who feels this way. Ed Contreras, Chief Information Security Officer at Frost Bank, for example, called the SSO tax “an atrocity.”

His reasoning is that security infrastructure is too important to be priced as a luxury. “With single sign-on,” he explains, “We’re protecting both of our companies, and I would even say indemnification clauses should get changed if I don’t get my security requirements.”

Product-led growth

Another argument against the SSO tax is that it’s antithetical to the idea of product-led growth. While a tiered pricing structure is central to PLG, the standard or freemium version of a product still needs to include the capabilities that customers depend on and fall in love with.

Locking away SSO – especially if it’s gated behind a “Contact sales” button – introduces friction and withholds a core feature from users. If the goal of your company is to design a product-led marketing engine and a self-serve buying process, an SSO tax can strangle deal flow.

Kyle Poyar, Operating Partner at OpenView, argues that companies are “missing out by not making SSO more accessible.” He writes that, as more customers demand SSO as part of baseline security, they might not even consider a vendor who locks it away. On top of that, he writes that customers with SSO also “tend to be stickier with better retention rates.”

What to do if you can’t afford the SSO tax

Hopefully, all the SaaS vendors who read this article will see the error of their ways and stop charging extra for SSO. But until that day comes, a lot of companies will simply have to make do. If that sounds like you, here’s some advice on practicing good security without breaking the bank.

Negotiate for SSO during purchase

Sure, a SaaS vendor’s pricing page might say that you only get SSO through the enterprise tier, but they might be willing to throw it in on a starter tier if it means they get your business. Some vendors will offer this option if you, in turn, offer to sign a multiyear contract. Others will simply offer it if you threaten to take your business elsewhere. Regardless, it’s not guaranteed to work, but you won’t know until you try.

Use an enterprise password manager to secure logins

The whole reason SSO is important to security is that unmanaged passwords are so vulnerable to being hacked, phished, reused, guessed, and forgotten. An enterprise password manager (EPM) is the best way to secure passwords for apps that aren’t protected by SSO.

An EPM like 1Password will automatically create strong, unique passwords for employees and even notify them (via the Watchtower feature) if any passwords are weak, duplicated, or have appeared in a data breach.

You can also go even further by combining SSO (on the apps you can afford) with an EPM. To quote our blog on the subject:

“And with Unlock 1Password with SSO enabled, admins can extend their existing security policies to everything stored in 1Password. Now those policies apply both to SSO-enabled logins and those that SSO doesn’t cover, so things like two-factor authentication requirements can also be applied to unmanaged services.”

The SSO tax isn’t going anywhere (unless we make it)

So here’s where we are: Vendors feel “gray hat” about charging an SSO tax. Customers feel frustrated about paying it. Onlookers shame vendors for charging it. And still, the SSO tax remains.

The SSO tax is one of those interesting quirks of capitalism that show that markets do not always work in everyone’s interest. As Orenstein explains, even as his company took the rare stance of not charging the SSO tax: “Even with no other benefits, some customers will be forced to choose this option. People will get a little mad at you, but not much, because just about everyone does this.”

But remember: it wasn’t too long ago that “just about everyone” smoked on airplanes and drove around without seatbelts. That seems crazy now, but it’s also important to remember that those things didn’t change by themselves. It took a concerted effort to raise awareness and public pressure, and that’s what it will take to finally abolish the SSO tax.

To see for yourself how 1Password can bolster your security, get started with a free 14-day trial of 1Password Business. Or, reach out to request a demo of 1Password Extended Access Management.

Nick Moore – Contributing Writer
