The prohibitive cost structure has been labeled the “SSO Tax” and CISA says potential SMB customers “perceive SSO as being excessively costly due to the higher cost of the premium-tier service that includes SSO as compared to the lower-tier service that does not include SSO coupled with a requirement to subscribe for a minimum number of seats that may exceed the actual number of users.”
There are two websites (sso.tax and ssotax.org) that keep track of this phenomenon. They list the offending software vendors on their “wall of shame” who have put SSO out of reach from the SMB market, such as Adobe, Monday.com, New Relic, Quip, and RingCentral. For example, the collaboration service Quip’s Starter price is $10 per month per user, but the Plus tier has a price of $25 per month per user that offers the SSO feature. Monday.com, a popular back-office accounting service, starts at $7 per month and increases to $27 per month for its SSO features. “This discourages organizations from adopting a robust identity and access management system,” wrote Olga Livingston on CISA’s blog last week. CISA recommends unbundling SSO from other premium services and including the feature in the basic pricing tier by vendors.
But cost and organizational ability are just the tip of the spear. Part of the problem is that SSO requires “numerous moving parts,” as CISA says in its report. Often legacy applications require updates — some that can be major efforts — to support SSO technologies for example. “Many SMBs are using outdated systems for their day-to-day operations that can’t support a modern SSO solution,” writes CISA in its report. These upgrades are further hampered by poor SSO documentation. CISA cites that “users consistently emphasized that instructions are incomplete, vague, and often inaccurate” when it is time for SMBs to implement their SSO solution, and recommends vendors step up their game in this area.