It’s long been an open secret among business software buyers that “enterprise” is synonymous with “expensive.” That’s why companies with tight budgets tend to steer clear of self-described enterprise software—not to mention that they have no use for a catalog of features designed for massive companies with thousands of employees. But imagine their surprise when they find themselves railroaded into sky-high enterprise pricing because they need just one feature.
That feature is single sign-on (SSO). It’s typically provided by an identity provider (IdP) such as Azure Active Directory, Okta, or OneLogin. Users authenticate to the IdP once; from then on, the IdP vouches for them to each connected application by issuing signed tokens (SAML assertions or OpenID Connect ID tokens) that the application verifies instead of checking a password of its own. Because authentication happens in one place, it can be hardened once, with multi-factor authentication and centralized logging, rather than left to each application’s login form. That makes SSO a must-have security measure for companies of all sizes.
However, while most of today’s business apps and services support SSO, there’s a catch. Unfortunately, vendors almost always unlock SSO support only at their most costly, enterprise pricing tiers, which inevitably comes as a rude awakening for small to midsize businesses, in particular, once they realize SSO is a feature they can’t do without. This predatory sales tactic needs to end.
Why Is SSO So Crucial?
There are several reasons why SSO is considered an IT best practice. First, SSO eases the burden on employees to come up with strong passwords for multiple systems. The more logins an employee has to remember, the more likely they will use weak passwords, re-use passwords for multiple accounts, or store their passwords in an insecure way. (Password managers can also help here, but only if they’re used properly. Even then, they’re still not as secure as SSO.)
More importantly, SSO helps reduce what’s termed the “attack surface” of a network. Each application that requires a unique login is another opportunity for an attacker to gain access to business data. But with SSO, it’s as if you’ve built a wall around your data with only one front gate. No one can access an application without the SSO system’s approval, provided the application is configured to enforce SSO and its own local password login is disabled; an app that still accepts local credentials leaves a side door open. Done properly, that’s a significant security upgrade, especially when combined with multi-factor authentication.
SSO makes IT operations easier, too. If an employee has an SSO account, authorizing access to a new application is as easy as connecting the app to that account. But the most significant benefit comes when the employee leaves the company. Without SSO, IT staff would need to manually shut down each of their accounts, leaving room for error. With SSO, disabling the one identity at the IdP cuts off every connected application at once. (Sessions and API keys an application has already issued can outlive that switch, so mature integrations pair SSO with automated deprovisioning or short session lifetimes.)
These and other security benefits of SSO are so significant that even small businesses (and their financiers) have begun mandating SSO authentication as a matter of IT policy. Once that policy is in place, however, SSO sticker shock can hit like a sucker punch.
How Much Will SSO Cost You?
It’s not that SSO support isn’t worth paying for. Given its value, something like a 10% SSO surcharge might seem reasonable. Unfortunately, that’s not the type of price increase we’re talking about.
According to The SSO Wall of Shame, a site maintained by security expert Rob Chahin, the difference between a vendor’s base pricing and what you’ll pay to get SSO support is often double or more. Among 53 vendors Chahin sampled, the median price hike was 108%, but some vendors increased prices by 300%, 500%, or more. In one case, the bump was a whopping 6,300%. Other vendors refuse to list their enterprise pricing at all, instead forcing customers to negotiate their own rates.
Such tactics can profoundly impact IT budgets, particularly for small to midsized businesses (SMBs), to the point that they can even impede business agility and growth. So how can they be justified?
What’s Their Excuse?
We can only speculate about the reasons business software vendors might have for classifying SSO support as an enterprise-only feature. They seldom offer any. Maybe that’s because nothing seems to point to a legitimate answer.
For example, building SSO support into an application is neither costly nor particularly difficult. The technology is based on open standard protocols, principally SAML and OpenID Connect (OIDC). These protocols are well documented and widely understood, and mature open-source libraries implement them for every major language and framework.
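To make concrete what “supporting OIDC” actually asks of an application vendor, here is an added example (not code from the article or from any vendor it names) of the relying-party side: the checks an application must perform on an ID token before trusting it. It uses HS256 with a constructed shared secret as a stand-in for the RS256 signing and JWKS key lookup a real identity provider would use; the issuer, client ID, secret, and claims are invented sample values.

```python
"""Minimal OpenID Connect relying-party check: verifying an ID token.

Added example, not code from the article or from any vendor named in it.
Assumptions: the IdP signs with HS256 and a shared secret (a stand-in for the
RS256/JWKS signing a real IdP uses); the issuer, client ID and secret below
are invented sample values.
"""
import base64
import hashlib
import hmac
import json

ISSUER = "https://idp.example.test"                 # hypothetical IdP
CLIENT_ID = "app-12345"                             # hypothetical relying party
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(subject: str, nonce: str, now: int,
                   secret: bytes = SHARED_SECRET, **overrides) -> str:
    """Stand-in for the IdP: build an HS256-signed ID token from sample input.
    `overrides` lets the caller forge claims to exercise the verifier."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    claims.update(overrides)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, expected_nonce: str, now: int,
                    secret: bytes = SHARED_SECRET) -> dict:
    """Relying-party side: the checks an OIDC client must make before trusting a token.
    Returns the validated claims or raises ValueError naming the failed check."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token pick it (blocks 'alg: none' and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not meant for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    # The nonce ties the token to the login request that asked for it.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def check(token: str, expected_nonce: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify_id_token(token, expected_nonce, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    NOW = 1_700_000_000                      # fixed clock for a reproducible demo
    good = issue_id_token("alice", "nonce-1", NOW)
    print("valid token:", check(good, "nonce-1", NOW))
    print("forged audience:", check(issue_id_token("alice", "nonce-1", NOW, aud="other-app"), "nonce-1", NOW))
    print("wrong key:", check(issue_id_token("alice", "nonce-1", NOW, secret=b"attacker"), "nonce-1", NOW))
```

The whole relying-party side fits in a few dozen lines because the hard part, authenticating the user, is the IdP’s job; the application only has to verify a signature and a handful of claims, which is exactly why the open-source libraries that do this for real (with RS256 and key discovery) are small and plentiful.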
One could argue that a security feature like SSO requires careful code review and auditing, which increases development costs. But just about any commercial codebase requires such auditing today, especially if a vendor hopes to sell its software into highly regulated industries, such as healthcare and finance.
Once an app is connected to an SSO system, it doesn’t require much ongoing maintenance, either. SSO integrations aren’t going to increase the number of support calls an application vendor will have to field by any measurable amount.
In short, supporting SSO does not, in and of itself, create additional or unusual costs that software vendors must recoup from customers. So it’s hard not to conclude that the practice of tying a critical security feature like SSO to enterprise pricing is almost literally extortionate—as in, “That’s some real nice business data you’re storing in our application. Be a shame if something happened to it.”
The Industry Must Do Better
There’s nothing inherently wrong with business software vendors tying features to specific pricing tiers. Most companies are willing to pay extra for needed features and service levels. There’s even a case to be made for top-dollar enterprise pricing when it means supporting thousands of users, or guaranteeing near-perfect uptime, or serving multiple geographic regions.
But enterprise pricing shouldn’t be the hammer vendors bring down on companies that want an essential security feature like SSO. Experts from industry and governments agree that threats like malware, data breaches, identity theft, and ransomware are all on the rise. The last thing the tech industry needs is to raise barriers to data security, especially if it’s for no reason other than the almighty buck.
For the benefit of the entire internet, application vendors should decouple critical security features like SSO from their pricing plans and make them more broadly available to customers of all sizes, and at reasonable rates. If they did so, it would actually be a win-win. Not only would it increase their customers’ trust and confidence in their software, but it’s also the right thing to do.