Single Sign-On (SSO) provides a range of productivity and security benefits for organizations that adopt this convenient authentication method across multiple applications. Employees are freed from the hassle of having to log in more than once. SSO also reduces security risks related to identity and access management (IAM). However, these benefits typically come with an unexpected cost, the so-called “SSO Tax.” It’s not an actual tax, but rather an expense that comes from having to license a software product’s higher tier to enable SSO functionality. This article discusses the origins of the SSO Tax, how it works, and how you can avoid paying it.
A Brief Overview of SSO
Many of us use SSO every day, perhaps without realizing it. SSO is an authentication service that enables a user to log into one system, and then have that initial authentication carry over to allow access to other systems. With SSO, users have no need to enter their log in credentials again. It’s a federated identity management (FIM) technology that allows users to be authenticated by other services without exposing the user’s password.
SSO requires integration between an identity provider (IdP), such as Okta, Entra, or Ping, and the Service Provider (SP), a third-party app like Calendly or Github. This integration is done by exchanging certificates between the providers, allowing them to verify that the “authentication approval” is signed by the certificate of that third-party.
What is the SSO Tax?
Legacy SSO does not work with every version of a piece of software. It is usually necessary to upgrade to a higher licensing tier to get the functionality required to implement legacy SSO. For instance, the Base version of AirTable, which costs $10 per user/month, does not support SSO. To add SSO to AirTable, you have to switch to the $60 per user/month edition of the software—A 500% increase in cost. (Source: https://sso.tax)
How Much Does the SSO Tax Cost You?
The SSO tax can add up quickly. Consider the example of Calendy, which costs $12 per user/month at the base level. To enable SSO for Calendy, you have to upgrade to the $25 per user/month version. That’s an SSO tax of $13 per user/month. An organization with 1,000 Calendy users will be paying $13,000 a month, or $156,000 per year in SSO tax. The average enterprise uses over 300 software-as-a-service (SaaS) applications, so the SSO tax can easily run into millions of dollars annually.
How to Avoid the SSO Tax
A new generation of SSO solutions enables you to escape from the SSO tax. As exemplified by UNIXi, they achieve SSO without requiring integration between an application, the IdP, and an SSO server. Rather, using a browser extension and a decentralized, password-less approach to authentication, these new SSO solutions enable universal SSO with basic software subscription that match your actual needs. There’s no need to upgrade to a higher licensing tier to get the integration functionality. No more SSO tax. SaaS vendors do not have to integrate with an IdP, either.
Further Benefits to the New Approach
The new approach to SSO delivers benefits beyond saving on the SSO tax. By avoiding integration, it enables far more pervasive deployment of SSO. Any unmanaged or “shadow” SaaS can be included in SSO without integration. No integration also means faster adoption of SSO and no integration costs. There should also be a reduction in credential theft and systemic risks to SSO also become lower.
Conclusion
Legacy SSO comes with a tax in the form of higher software licensing fees. To get SSO, you have to upgrade, and that can be quite expensive in organizations with many users and applications. New modes of SSO, such as password-less and integration-less approaches to authentication, make it possible to achieve SSO on lower tiers of existing software. There’s no need to upgrade, and hence no SSO tax.
