Dear SaaS Vendors: It’s Time We Enable SSO for Everyone

Dear SaaS Vendors (ourselves included),

We talk to a lot of IT leaders about managing SaaS. While each conversation is unique and nuanced, one topic consistently comes up: Single Sign-On (SSO). Time and time again, we hear that SSO is a foundational component of a company’s SaaS strategy. SSO tools like Okta, OneLogin, Ping Identity, Azure AD, and Google SSO bring increased security and efficiencies that make SaaS work for a modern company. These tools are so foundational that organizations small, medium, and large won’t officially approve a SaaS vendor unless it integrates with their SSO platform.

Through these conversations, we’re convinced that customers’ SSO expectations for SaaS vendors have fundamentally changed. While SSO integration used to be a premium ask from large enterprises, it is now a basic security expectation for companies of all sizes.

How are we as vendors keeping up?

With SSO now so important and prevalent, how well are we vendors meeting this demand?

Positively, vendor support has never been better. Okta’s application network and OneLogin’s app catalog each have over 5,000 apps that integrate out of the box. These catalogs are growing every day. Within these thousands, many hundred support SAML/OpenID Connect and we’re almost at the century mark for full provisioning/deprovisioning support via SCIM. Through the hard work from these pioneering SaaS vendors, Single Sign-On has never been better for IT leaders.

But, There’s a Big Problem

Although we vendors have made great progress, we are also creating a huge problem. Customers big and small increasingly need SSO support for basic security & operational requirements. But our pricing models fail to meet this need.

Nearly every top SaaS vendor withholds Single Sign-On support from lower price tiers. SSO support is typically only included in the “Business” or “Enterprise” plan. Surf around some popular vendors’ pricing pages and you’ll see the pattern. Here are a few examples:

Github: SAML is limited to the Business tier. The business tier is 2.3X more expensive than the Team tier.

Slack: SSO/SAML is restricted to the Plus tier, nearly 2X more expensive than the Standard tier (although they do support Google OAuth in the Standard tier).

Dropbox: SSO integration is only available in the Advanced and Enterprise plans. Advanced is 1.6X more expensive than the Standard plan

This list could have hundreds of entries with the same story. What does your pricing page show?

Why has this happened?

There are two main reasons.

Reason #1: The historical cost of integrating with Single Sign-On

Implementing and maintaining SSO integrations in SaaS products has historically been difficult. Not so long ago, the SSO market hadn’t yet settled on a few mature players. SSO standards like SAML, OpenID Connect, and OAuth were less mature. And the developer ecosystem hadn’t yet matured to where it is today.

These factors conspired to make SSO integration incur significant engineering and support costs. Because integrating was expensive to implement and support, it made sense to charge more for the feature.

Reason #2: Strategic pricing to upsell enterprise customers

The second reason is shrewd pricing strategy. We vendors know that SSO is important to customers, especially enterprise customers. SSO is so important to these customers that they are willing to pay a premium for SSO integration. So we make a smart business decision to leave SSO integration out of lower price tiers (full disclosure: we at VendorHawk almost did this ourselves).

Times have changed

We can’t really fault ourselves for putting SSO/SAML in the higher tiers. Charging for costly and valuable functionality is good business practice. But times have changed.

Change #1: Integrating with SSO is easy now

Integrating with Single Sign-On isn’t nearly as costly as it used to be. The market has settled on a few mature players. SAML, OpenID Connect, and OAuth2 are mature standards. And open source & paid developer offerings make SSO integration cost a fraction of its historical cost.

Change #2: SSO integration is a basic security expectation

SSO integration is no longer a premium feature for enterprise customers. It’s a basic expectation from customers of all sizes. Keeping SSO integration in the higher tier wrongfully makes customers choose between security and cost. We shouldn’t charge for basic security.

Why does this matter?

When we limit SSO integration to higher price tiers, we limit our customers and ourselves in four primary ways:

#1: We expose customers to risk

Limiting SSO exposes our customers to security risks associated with self-managed access and to operational risks by keeping our application out of their SSO flow. Withholding SSO integration is like selling a house with doors that don’t lock.

#2: We expose ourselves to risk

When our customers have security risks, we have security risks. When customer security incidents involve our products, we suffer too. Limiting SSO integration opens us up to unnecessary risk.

#3: We discourage customer success

Onboarding new customers smoothly is critical to their success. When our products integrate with SSO, we make it much easier to provision end users and drive them to value. This is especially true when we go “all the way” and implement user provisioning/de-provisioning via SCIM.

#4: We limit our business opportunities

Limiting SSO integration limits our business opportunities. It makes our solution cost prohibitive for smaller security-conscious customers. For larger customers, onboarding friction limits customer success which ultimately hurts business. If SSO integration means more customers and more successful customers, we can create long term ROI from SSO integration without charging more for it.

#SSOForAll

Starting today, let’s make a change. Let’s offer SSO integration on all of our pricing tiers. Managing SaaS sprawl is hard enough. Let’s stop making it harder.

Voice your support for #SSOForAll today.