Single sign-on (SSO) solutions are designed to manage and secure access to applications. By integrating with a company’s identity provider (IdP), SSO allows users to authenticate to multiple applications via a single log-in. By reducing the number of access points and employee credentials, SSO reduces a company’s attack surface and makes it easier for IT and security teams to provision and revoke access to applications via the IdP.
However, SSO gained prominence in an era of managed devices and simpler security. Today’s employees adopt the latest SaaS and generative AI applications, work from anywhere, use their own devices, and increasingly interact with AI agents. This freedom has fueled a generational leap in productivity, but it has also widened the Access-Trust Gap. The Access-Trust Gap refers to the security risks posed by unfederated identities, unmanaged devices, applications, and AI-powered tools accessing company data without proper governance controls.
Despite SSO’s adoption, companies continue to struggle with untrusted sign-ins and an overall widening of the Access-Trust Gap. More specifically, companies of every size are struggling to manage access for the increasing sprawl of SaaS applications and AI agents. It’s clear that, while SSO still plays a role in access management, it alone cannot adequately address the complexities of managing application access for the modern workforce.
For teams considering adopting SSO or looking to supplement their existing solution, this article explores the various complexities that must be accounted for when the promise of SSO meets the reality of how businesses work today. The article will then explore solutions that can close the Access-Trust Gap by securing the apps that it leaves unseen and unmanaged. Since 1Password offers an access governance solution for app management, Trelica by 1Password, as part of the 1Password® Extended Access Management platform, this article will use it as an example.
SSO leaves many applications unmanaged
There are many good reasons that not every application is integrated into SSO, from cost to technological dependencies. Teams will likely have to put a great deal of effort into exploring the complexities of their intended app integrations and whether SSO solutions will be able or best suited to secure them.
The SSO Tax puts security out of reach
The greatest obstacle to SSO’s efficacy is its cost. SSO solutions require a subscription – usually as part of an IdP’s package – but their cost is hardly the primary concern. SSO’s chief expense comes from SaaS application vendors themselves charging vastly higher rates for the “enterprise tier” or “edition” of their product that supports SSO integration.
Vendors often force customers who need SSO integration to upgrade to their most expensive “enterprise tier,” which can cost exponentially more per user than a “good enough” basic tier that does not support SSO. This practice has been given the sadly accurate nickname: The SSO tax.
Naturally, it’s not unreasonable for vendors to charge more for added features. However, the SSO tax can make apps prohibitively expensive. Hubspot, for instance, charges a 7,828% increase on their base price for plans with SSO, and this is far from an aberration.
This practice is particularly burdensome for smaller companies with smaller IT and security budgets, who are also less likely to benefit from the other “enterprise” features that often come bundled with SSO functionality.
The Cybersecurity and Infrastructure Security Agency (CISA) recently published a report detailing the barriers to SSO adoption for small and medium-sized businesses. In it, they bluntly argue that “There is an inherent incentive to convince SMBs to adopt technologies at the level of service that may not necessarily benefit the SMBs.”
CISA further points out, “In addition to a higher cost per user, this premium pricing model typically requires a minimum number of users.” Depending on a company’s size, they may be unable to secure a given application behind SSO.
The average company has hundreds of applications, and the result of the SSO tax is that it’s simply not realistic for teams to secure every one of those applications behind SSO.
For enterprises, this may mean locking only their most critical applications behind SSO and forgoing solutions that can secure and manage their other apps. For SMBs and midmarket companies, SSO often functions more like a luxury tax than a security solution – too expensive to deploy widely enough to protect all of their most-used apps.
Many applications do not support SSO
There are many apps that can’t be secured behind SSO. More specifically, SSO cannot support legacy applications that predate modern authentication standards – at least, not without a lot of work being put into integrating them.
SSO operates as a go-between across four parties:
- The user authenticates to their company’s IdP – hopefully through strong, phishing-resistant authentication.
- The IdP confirms the authenticated user identity for the SSO provider.
- The SSO provider – often the same vendor as the IdP – encodes that verified user identity into an authentication token.
- The service provider (typically the third-party SaaS application) uses the token to authenticate the user into their applications.
In short, SSO enables users to authenticate once and then use an IdP-issued token to access multiple apps. This is an essential outline of how SSO works, although there is some variation across different solutions.
Regardless, for this process to succeed, your SSO has to be able to interface with every third-party application that your company wants to secure behind it. Unfortunately, there are many different ways that this communication can fail.
For instance, authentication tokens can be encoded through various security protocols and standards. SAML and OpenID Connect (OIDC) are two commonly used protocols today. If your SSO provider generates OpenID tokens, but an application can only read SAML tokens, the SSO can’t secure that application. There are ways to bridge SSO across different frameworks, but they’ll add complexity and cost.
That’s just one example of how any application might not work with a specific SSO provider. Chetan Honnenahalli, engineering lead at HubSpot, explains that even in cases where the SSO and the application both operate through SAML, “…different vendors employ different methods for signing the SAMLResponse token.… If the signature expectations of the Service Provider and Identity Provider don’t align, SSO transactions can fail.”
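To make the token hand-off concrete, here is an added example (not code from this article or from 1Password) of the service-provider side of the flow: a minimal Python verifier for an OIDC-style ID token in JWT form. A hypothetical IdP mints the token, and the service provider accepts it only when the signature, issuer, audience and expiry all match what it was configured to expect, so the same class of mismatch the text describes shows up as a concrete rejection. It assumes an HMAC (HS256) shared secret for a stdlib-only illustration; most production IdPs sign with RSA or EC keys instead.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_id_token(secret: bytes, issuer: str, audience: str, subject: str,
                   ttl: int = 300, now=None) -> str:
    """Hypothetical IdP: mint an HS256-signed token (header.payload.signature)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_id_token(token: str, secret: bytes, expected_issuer: str,
                    expected_audience: str, now=None) -> dict:
    """Service provider: return the claims only if every expectation lines up, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (wrong number of segments)")  # e.g. a SAML XML blob sent to an OIDC SP
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")  # never accept 'none' or an unexpected alg
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("signature mismatch")  # IdP and SP disagree on key or signing method
    claims = json.loads(_unb64url(claims_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == expected_audience or (isinstance(aud, list) and expected_audience in aud)):
        raise ValueError("audience mismatch")  # token was minted for a different application
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def check_token(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Convenience wrapper: (True, subject) on success, (False, reason) on rejection."""
    try:
        return True, verify_id_token(token, secret, issuer, audience, now)["sub"]
    except ValueError as e:
        return False, str(e)
```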
SSO can’t secure shadow IT or shadow AI
Even if every app were able to be secured behind SSO – a near impossibility – organizations would still be blind to the explosion of shadow IT, unmanaged SaaS, and AI tools that employees use every day.
These unapproved shadow IT applications present unacceptable security risks. In a 1Password survey, more than a third of workers admitted to using unapproved apps or tools during work. Meanwhile, IBM reports that 35% of breaches involve data stored or shared through unauthorized applications or cloud buckets. Furthermore, IBM reports that breaches involving shadow IT last longer and cost more for the impacted company.
Modern corporations also need to contend with the evolving risks posed by AI tools. Without proper governance, even approved AI applications can become a security liability. Teams need to ensure that these applications are being used correctly – for instance, that users are logged in through their secure enterprise ChatGPT account rather than their personal one. Unfortunately, SSO has no insight into how applications are used at a granular level.
SSO’s inability to discover shadow IT can lead to data breaches, fines for non-compliance, and overspending on redundant or unauthorized SaaS tools.
Alternatives and supplements for SaaS management
When properly configured, SSO can provide numerous security benefits for corporate SaaS environments. Even so, companies will need to consider complementary solutions to secure the applications that cannot be managed by their SSO solution, whether due to cost or integration issues.
Companies without SSO will benefit from exploring alternative solutions that better serve their needs in securing their most critical applications.
A new category of security solutions, Extended Access Management (XAM), is designed from the ground up to close the Access-Trust Gap. It complements tools like SSO, but goes far beyond their limitations to secure every sign-in, to every app, from every device.
Application discovery and management
Shadow IT and app sprawl are critical IT and security concerns that SSO cannot discover or manage.
Containing their spread across an enterprise is no easy task, and efforts to control shadow IT often only drive it further into the shadows. Some companies, for example, try to route all work through enterprise browsers, virtual desktops, or other technologies that don’t allow for the use of unapproved tools. Not only do workers often find workarounds, but this effectively inhibits productivity.
To avoid this scenario, containing app sprawl and shadow IT will require teams to follow these best practices:
- Discover and inventory: Teams need to have a complete picture of all work-related SaaS apps – both managed and unmanaged – in use across their organization.
- Understand application usage: IT and security need avenues to communicate with employees about the value they’re getting from unsanctioned apps, and either bring those apps under management or present alternatives.
- Identify application risks: Teams must have a reasonable understanding of the risks posed by different apps so they can manage them accordingly.
Trelica by 1Password is a SaaS management platform that enables teams to discover all of the SaaS apps that employees use, both sanctioned and unsanctioned. The solution enables continuous app discovery through Identity Provider logs (OAuth/OIDC, SAML, SWA), financial systems, a browser extension, and over 350 direct integrations with leading SaaS vendors.
Trelica by 1Password provides teams with an inventory of all the apps employees use for work, whether they are downloaded to their computer or accessed via a browser. It also provides pre-populated app profiles that grade risks and compliance issues according to the permissions granted to each app.
This provides a simple method for reducing app sprawl and removing unused or risky licenses, without locking down employees and harming productivity.
Application spend management and optimization
IT teams are often under pressure to optimize SaaS spend and eliminate unused and redundant licenses. Unfortunately, many of the processes around application spend management can be manual and time-consuming.
Trelica by 1Password offers a complete directory of app licenses and how often individual employees use applications. IT teams of any size can reduce unnecessary costs and analyze app usage through features like: spend reports, license entitlement tracking, and utilization and savings analysis. They can even leverage integrations from procurement tools and AI models to extract metadata from PDF contracts that identify active app usage against paid licenses.
All of this allows teams to optimize their app spend by identifying and eliminating unused licenses and redundant apps. Eliminating these unused apps also helps to reduce app sprawl and contain a company’s attack surface.
SSO isn’t a complete solution for SaaS access management
The decentralized world of the modern workplace means that SSO will never be the single solution needed to manage a company’s application usage. Companies of any size need to be aware of SSO’s limitations and costs when they choose when and how to implement it.
Every app matters, every identity counts, and every sign-in must be secure. Extended Access Management secures the apps and risks that SSO leaves behind, narrowing the Access-Trust Gap and helping every company get the security they need.