Shopping for Business Software? Beware the SSO Tax

It's long been an open secret among business software buyers that "enterprise" is synonymous with "expensive." That's why companies with tight budgets tend to steer clear of self-described enterprise software—not to mention that they have no use for a catalog of features designed for massive companies with thousands of employees. But imagine their surprise when they find themselves railroaded into sky-high enterprise pricing because they need just one feature.

That feature is single sign-on (SSO). It's a capability that's typically provided by identity management systems, such as Azure Active Directory, Okta, or OneLogin. Once installed, users log in to the network just once, and the SSO system takes over from there, granting them access to applications using a method based on encrypted tokens. It's far more secure than traditional, password-based logins, making it a must-have security measure for companies of all sizes.

However, while most of today's business apps and services support SSO, there's a catch. Unfortunately, vendors almost always unlock SSO support only at their most costly, enterprise pricing tiers, which inevitably comes as a rude awakening for small to midsize businesses, in particular, once they realize SSO is a feature they can't do without. This predatory sales tactic needs to end.

Why Is SSO So Crucial?

There are several reasons why SSO is considered an IT best practice. First, SSO eases the burden on employees to come up with strong passwords for multiple systems. The more logins an employee has to remember, the more likely they will use weak passwords, re-use passwords for multiple accounts, or store their passwords in an insecure way. (Password managers can also help here, but only if they're used properly. Even then, they're still not as secure as SSO.)

More importantly, SSO helps reduce what's termed the "attack surface" of a network. Each application that requires a unique login is another opportunity for an attacker to gain access to business data. But with SSO, it's as if you've built a wall around your data with only one front gate. No one can access an application without the SSO system's approval. That's a significant security upgrade, especially when combined with multi-factor authentication.

SSO makes IT operations easier, too. If an employee has an SSO account, authorizing access to a new application is as easy as connecting the app to that account. But the most significant benefit comes when the employee leaves the company. Without SSO, IT staff would need to manually shut down each of their accounts, leaving room for error. But with SSO, one press of a button and it's lights-out across the board.

These and other security benefits of SSO are so significant that even small businesses (and their financiers) have begun mandating SSO authentication as a matter of IT policy. Once that policy is in place, however, SSO sticker shock can hit like a sucker punch.

How Much Will SSO Cost You?

It's not that SSO support isn't worth paying for. Given its value, something like a 10% SSO surcharge might seem reasonable. Unfortunately, that's not the type of price increase we're talking about.

According to The SSO Wall of Shame, a site maintained by security expert Rob Chahin, the difference between a vendor's base pricing and what you'll pay to get SSO support is often double or more. Among 53 vendors Chahin sampled, the median price hike was 108%, but some vendors increased prices by 300%, 500%, or more. In one case, the bump was a whopping 6,300%. Other vendors refuse to list their enterprise pricing at all, instead forcing customers to negotiate their own rates.

Something like a 10% SSO surcharge might seem reasonable. Unfortunately, that's not the type of increase we're talking about.

SAML and OIDC. These protocols are well documented and understood, and there are even plenty of free software projects that implement them.

One could argue that a security feature like SSO requires careful code review and auditing, which increases development costs. But just about any commercial codebase requires such auditing today, especially if a vendor hopes to sell its software into highly regulated industries, such as healthcare and finance.

Enterprise pricing shouldn't be the hammer vendors bring down on companies that want an essential security feature like SSO.

The Industry Must Do Better

There's nothing inherently wrong with business software vendors tying features to specific pricing tiers. Most companies are willing to pay extra for needed features and service levels. There's even a case to be made for top-dollar enterprise pricing when it means supporting thousands of users, or guaranteeing near-perfect uptime, or serving multiple geographic regions.

But enterprise pricing shouldn't be the hammer vendors bring down on companies that want an essential security feature like SSO. Experts from industry and governments agree that threats like malware, data breaches, identity theft, and ransomware are all on the rise. The last thing the tech industry needs is to raise barriers to data security, especially if it's for no reason other than the almighty buck.

For the benefit of the entire internet, application vendors should decouple critical security features like SSO from their pricing plans and make them more broadly available to customers of all sizes, and at reasonable rates. If they did so, it would actually be a win-win. Not only would it increase their customers' trust and confidence in their software, but it's also the right thing to do.

About Our Expert

Neil McAllister

Senior Editor

My Experience

Computer magazines and tech publications had a huge influence on my formative years, so when I was given the opportunity to work in tech journalism, I jumped at the chance. My career studying and writing about tech has now spanned more than two decades. Before PCMag, I spent time as a writer and editor at InfoWorld, and a few years as a news reporter for The Register, Europe's largest online tech publication. Throughout, I've strived to explain deep and complex topics to the broadest possible audience and, I hope, share some of the thrill and fascination I find in this field every day.

My Areas of Expertise

Business software and software as-a-service (SaaS)
Cloud computing
Web hosting and data center technology
Data security
Software development
Databases
Linux and open-source software

The Technology I Use

My first computer was an Apple ][+, which my parents brought home for Christmas of 1982. Before that, I wrote BASIC programs on binder paper and entered them during leased time at the networked computer lab in the basement of the Lawrence Hall of Science in Berkeley, California.

It's been a long road since then. As I look around my home office, I see a virtual elephants' graveyard of desktop PCs, laptops, tablets, and phones, spanning nearly every OS you can think of. Ever seen a flip phone that doubles as a PalmPilot? I've got one.

Today, I split most of my time between Windows (on either a Lenovo ThinkPad or a Microsoft Surface Pro) and macOS (on a MacBook Pro with Apple Silicon). And, of course, I spend a ton of time on my Android phone.

I've also been a Linux user since 1996, back when Red Hat Linux came on CD-ROM. My distro of choice today is Ubuntu.

I can program in multiple languages (but don't count on my code to be any good). Between stints at publications, I have also worked at a few tech startups, specializing in technologies like virtualization and Linux containers.

At PCMag, my aim is to bring all this experience to bear to help you find the best technologies to power your businesses, and empower yourself, your employees, and your customers.

Read the latest from Neil McAllister

Read full bio