Explaining the Backlash to the SSO Tax

Nick Moore

“The SSO tax” is the unofficial name for the practice of software vendors significantly upcharging their customers for Single Sign-On, usually by making it part of an “enterprise tier.”

Opponents of this practice maintain that charging for SSO is like buying a car and having to pay extra for the seatbelts. Meanwhile, vendors argue that SSO is more like a sunroof: a luxury feature that belongs on their high-end model.

In reality, SSO is probably most analogous to a rearview camera, in that it initially seemed like a fancy add-on, but is now recognized as a security requirement that keeps everyone safer.

Before you keep on reading, we have a quick explainer video on what exactly the SSO tax is and why it’s such an issue for organizations of all sizes. We encourage you to read the rest of the blog, but in case you’re in a hurry, here you go.

Charging extra for a safety feature strikes plenty of people–like the creators of the SSO Wall of Shame–as unfair and irresponsible, and the backlash against the SSO tax is rising in tandem with credential-based hacks that SSO could have helped prevent.

Still, even in the face of criticism, the practice shows no signs of slowing down. Why?

That’s the question we’re here to explore.

How the SSO Tax Hurts SMBs

There’s no denying that the SSO tax is most damaging to SMBs and mid-sized companies.

Large companies can afford the enterprise pricing tier that most often comes with SSO. And very young startups can get by with a password manager and a mix of private and shared credentials (though there are valid arguments that SSO is so much more secure that it should be considered necessary from day one).

But once a company’s workforce starts growing, the number of employee passwords expands exponentially, along with the security risks of going without SSO.

3 reasons SMBs need SSO

In theory, SMBs, too, can get by without SSO. But in practice, having individual employee passwords for every application quickly becomes unwieldy and security becomes lax–especially for ransomware attacks that often target vulnerable employee login credentials.

There are three main reasons SMBs want SSO for any apps that touch sensitive data:

  • SSO creates one strong access point rather than many weak ones, reducing the company’s attack surface (with the caveat that SSO should be paired with other security measures such as MFA).
  • SSO makes it easier for companies to onboard and offboard employees and to implement Role-Based Access Control (RBAC), giving IT a single tool with which to manage access.
  • SSO eliminates the need for employees to use (and forget) multiple passwords, which can improve employee experience and productivity and reduce help desk tickets for lost passwords.

The advantages above have been true for a long time, but the stunning increase in ransomware attacks in the past two years has made these issues more urgent and changed SSO from a luxury to a necessity.

How The SSO Tax Works

Now that we’ve made the case for SSO, let’s go shopping and see how the SSO tax might affect a hypothetical company.

Let’s say we’re selling a productivity app that insults you when your GitHub contribution squares are empty (free billion dollar idea for anyone who wants it).

For starters, we need a website and a CRM. Our head of marketing wants to go with HubSpot, a well-known company with a reputable product. We look at the pricing and a “Starter” plan costs $23/month. Perfect! We are just starting after all.

But SSO isn’t included in the Starter plan or the Professional plan. It’s exclusive to the Enterprise plan, which comes in at a whopping $1200/month. And that’s the SSO tax in action.

The pattern repeats with other mission-critical tools. GitHub, Docker, and plenty of other services charge the SSO tax, and it quickly eats into our budget.

[Figure: a graphic comparing the cost of GitHub, Docker, and HubSpot with and without SSO. In each case, the SSO tier costs more than double.]

You can imagine how difficult and expensive it would be for an SMB to get and maintain SSO functionality across all or even most of its apps. Again, the issue here isn’t the premise of charging extra for features. The problem is the proportion: HubSpot, for instance, charges more than 5,000% more for the tier that includes SSO.

The impact of the SSO tax

When we’re talking 5,000% price increases, the results are predictable. As of now, many applications sit outside their companies’ SSO portals, leaving those companies vulnerable to attack.

Grip, a SaaS security company, polled over one hundred CISOs to prove this. They found that 80% of the SaaS applications employees use are not in their companies’ SSO portals. Grip laid out several reasons why, including SSO not being supported and applications being third-party owned, but the top reason was SSO licensing cost.

Why Vendors Upcharge For SSO

Money. Really, that’s the main reason. But if we want to know more about the staying power of the SSO tax, it’s worth digging a little deeper into why the financial incentives outweigh the costs.

There are three primary reasons vendors charge an SSO tax (or at least justify doing so).

Building and maintenance costs

Many vendors argue that SSO is hard to build and worth charging for. Gergely Orosz, for example, writer of the popular newsletter The Pragmatic Engineer, writes that “Every company should absolutely charge more for non-standard SSO (which is most SAML-based, enterprise SSO).” For Orosz, it’s simple: “It’s additional work for the vendor. Of course customers would love to get all that for free, but it’s not how it works.”

Klaas Pieter Annema, engineering manager at Sketch, largely agrees. Based on his experience running the team maintaining SSO at Sketch, he argues that though supporting Google and Microsoft SSO is easy, “Supporting whatever wonky homebuilt some large enterprises use is a huge time [sink].” Sketch, according to Annema, had to go so far as to build a rotating support role to provide SSO.

But others disagree, or at least maintain that the cost is out of step with the work required.

When Rob Chahin announced The SSO Wall of Shame, he explained his reasoning from the perspective of an experienced developer. “Having shipped SSO,” Chahin writes, “I have no qualms about considering it a service that needs to be paid for.” The qualms come from proportion, he says. “The enormous markups I see for these vendors cannot be feasibly attributed to the SSO cost.”

For Chahin, the math doesn’t work: “If your SSO pricing is 3x your base pricing, are you telling me that 2/3 of the cost of your product is just keeping the SAML going? Doesn’t seem reasonable to me.”

Profit

The SSO tax makes vendors money; that much is obvious. But vendors aren’t going to come out and say that’s why they keep it around. Well, most of them won’t.

In a shockingly transparent post, Ben Orenstein, co-founder and CEO of remote pair programming app Tuple, reveals that it really is mostly about profit.

“If you’re a new SaaS founder and you want to maximize your revenue,” Orenstein writes, “I recommend you create an enterprise tier, put SSO in it, and charge 2-5x your normal pricing. Even with no other benefits, some customers will be forced to choose this option” (emphasis ours).

But what about those setup and maintenance costs? Orenstein covers this aspect, too, writing that “SSO costs close to nothing after a little automation, so this price increase is all profit.” He goes on to admit that doing this “always felt a little gray hat,” which is one reason why Tuple stopped charging the SSO tax.

Upselling

This reason is related to but distinct from pure profit. When vendors lock SSO access into an enterprise pricing tier, they can better segment their customers and drive potential enterprise customers into actual enterprise plans.

Patrick McKenzie, of “charge more” and Stripe fame, explains that “SSO is a segmentation lever, and a particularly powerful one because everybody in the sophisticated-and-well-monied segment is increasingly forced to purchase it.” He compares it to HIPAA-compliant services, saying “Yes, enjoy 2X on the invoice.”

Orenstein goes into this too, writing that “On its face, SAML-based Single Sign-On (SSO) is the perfect feature to push your bigger customers into your enterprise tier.”

Picture the typical pricing page again. The standard plans list a specific cost in dollars, but the enterprise plan often simply advises you to “contact sales.” So not only is the SSO tax profitable, but vendors use it to put companies into the position of having to negotiate.

The Case For Not Upcharging For SSO

While the argument for charging the SSO tax is clearly persuasive, there are counterarguments that have persuaded some vendors to turn down the easy money. The benefits of not upcharging for SSO might be less tangible than the alternative, but they’re still worth considering if we ever hope to change the status quo.

PR (AKA: “The Right Thing To Do”)

Unsurprisingly, most software buyers don’t like the SSO tax. So naturally, some vendors have harnessed that resentment for marketing purposes, either by announcing they’re getting rid of the SSO tax or making a big deal about never charging for it.

The Tuple post we got into earlier, for instance, is titled “SSO Should Be Table Stakes,” and it explains why Tuple would no longer charge an SSO tax. Similarly, Scalr, a company providing a Terraform cloud alternative, published a post titled “SSO Tax: Why Scalr Is Not Charging Extra For Security.”

Even if a vendor doesn’t make their lack of an SSO tax an explicit part of their messaging, they can still benefit from not being on the Wall of Shame and from establishing a positive reputation with users.

Industry security

Richard Hartmann, Director of Community at Grafana, has tweeted that there’s an industry-level or even ethical reason to dispose of the SSO tax.

Hartmann gets at the heart of why people find the SSO tax so infuriating, and he’s not the only one who feels this way. Ed Contreras, Chief Information Security Officer at Frost Bank, for example, called the SSO tax “an atrocity.”

His reasoning is that security infrastructure is too important to be priced as a luxury. “With single sign-on,” he explains, “We’re protecting both of our companies, and I would even say indemnification clauses should get changed if I don’t get my security requirements.”

Product-led growth

Another argument against the SSO tax is that it’s antithetical to the idea of product-led growth. While a tiered pricing structure is central to PLG, the standard or freemium version of a product still needs to include the capabilities that customers depend on and fall in love with.

Locking away SSO, especially if it’s gated behind a “Contact sales” button, introduces friction and withholds a core feature from users. If the goal of your company is to design a product-led marketing engine and a self-serve buying process, an SSO tax can strangle deal flow.

Kyle Poyar, Operating Partner at OpenView, argues that companies are “missing out by not making SSO more accessible.” He writes that, as more customers demand SSO as part of baseline security, they might not even consider a vendor who locks it away. On top of that, he writes that customers with SSO also “tend to be stickier with better retention rates.”

The Future of the SSO Tax

If the section above got you feeling hopeful, I’m here to (regretfully) burst that bubble. Sadly, the SSO tax is almost certainly not leaving us any time soon. The hard truth is that for most vendors, the relatively abstract benefits of not charging for SSO just can’t outweigh the impact on revenue.

The best hope for change is the growing consensus that SSO is vital for security. In time, that idea could make companies who charge the tax look retrograde or even negligent. Objectors to the SSO tax can rally around and build on the work of public pressure campaigns like SSO.tax and Stop The SSO Tax. These “name ’em and shame ’em” techniques haven’t changed much so far. But hey, every backlash has to start somewhere.

The SSO Tax Isn’t Going Anywhere (Unless We Make It)

So here’s where we are: Vendors feel “gray hat” about charging an SSO tax. Customers feel frustrated about paying it. Onlookers shame vendors for charging it. And still, the SSO tax remains.

The SSO tax is one of those interesting quirks of capitalism that show that markets do not always work in everyone’s interest. As Orenstein explains, even as his company took the rare stance of not charging the SSO tax: “Even with no other benefits, some customers will be forced to choose this option. People will get a little mad at you, but not much, because just about everyone does this.”

But remember: it wasn’t too long ago that “just about everyone” smoked on airplanes and drove around without seatbelts. That seems crazy now, but it’s also important to remember that those things didn’t change by themselves. It took a concerted effort to raise awareness (speaking of, make sure to share our explainer video with anyone plagued by this issue) and public pressure, and that’s what it will take to finally abolish the SSO tax.
