Skip the SSO tax with Pomerium

May 29, 2024

Robust security is no longer optional in the modern threat landscape. Data breaches can damage business reputation and result in costly lawsuits. Yet, traditional Single Sign-On (SSO) solutions often come with a hefty price tag, forcing companies to choose between security and their bottom line.

The status quo shouldn't force companies to choose between security and their bottom line. Skip the SSO tax and add SSO to any self-hosted application with Pomerium.

Common single sign-on options

What is SSO tax?

The SSO tax is when vendors charge users to access SSO as a service. This essentially means that customers pay extra money for a feature that companies should consider a basic security best practice. A common analogy is, “buying a car, paying for the brakes.”

Here’s the problem: those are some expensive brakes. The wall of shame shows significant pricing increases as a result of software vendors realizing they can force companies to pay for a basic security feature.

The Benefits of Single Sign-On (SSO)

SSO is a game-changer for user access management, especially for organizations juggling multiple cloud applications. Imagine logging into one central location (an identity provider like Google or Okta) and seamlessly accessing all your work apps without needing individual logins for each. This not only improves user experience but also enhances security, as it provides the following benefits:

  • Improved User Experience: Employees can access all their work applications with a single login, reducing frustration and wasted time.

  • Enhanced Security: SSO centralizes user authentication, making it easier to enforce access controls and manage user identities.

  • Reduced IT Burden: Onboarding and offboarding employees becomes much simpler with centralized user management.

  • Reduced Risk of Credential Theft: By reducing the number of logins needed, SSO minimizes the risk of compromised credentials.

Why is SSO Tax a problem?

The "SSO tax" creates a significant barrier for businesses, particularly smaller companies. Here's why it's a problem:

  • Unfair Pricing: Charging a premium for a core security feature like SSO is akin to selling a car and requiring an extra fee for brakes. It's a fundamental requirement, not a luxury add-on.

  • Reduced Security Adoption: High SSO costs can force companies to choose between user convenience and security, potentially leaving them vulnerable to cyberattacks.

  • Hinders Cloud Adoption: The "SSO tax" discourages businesses from adopting cloud-based solutions due to the additional cost of implementing SSO across multiple platforms.

Vendors might argue that SSO is a luxury feature and not necessary for small- and medium-sized businesses (SMBs), but that’s not true in practice. Not having SSO means:

  • Scaling difficulties: Onboarding and offboarding employees becomes difficult to manage at scale. The more applications you have, the bigger the scale.

  • Multiple access points: The purpose of single sign-on is to have one strong access point instead of multiple weak ones. This exposes multiple attack vectors for possible exploitation.

  • Credential fatigue: Forcing employees to keep track of multiple login credentials only results in increased chance of lost or stolen details. Moreover, password reset requests inundate IT management with unnecessary tickets.

While larger companies can afford to pay the extra SSO pricing tiers, SMBs can’t always afford to pay for enormous markups. Inevitably, when companies cannot afford SSO and hold sensitive customer data, they expose this data, leading to downstream security implications for customers.

Does the SSO tax actually cause software to be insecure?

Grip Security discussed the problem with over 100 CISOs and found that “80% of SaaS applications used by employees are not in their SSO portals,” listing the SSO licensing cost as the #1 reason for this predicament. So yes: the situation absolutely forces companies to choose between security and cost.

But vendors must be charging SSO for a reason, right?

There are some valid reasons why vendors might charge extra for SSO:

  • Development and Maintenance: Integrating SSO functionality requires additional development work and ongoing maintenance to ensure compatibility with various identity providers.

  • Supporting Multiple Identity Providers: Each identity provider has its own protocols and APIs, requiring tailored integrations. Supporting a wide range of providers increases development and maintenance complexity.

  • Customization Needs: Some companies might require custom configurations for their SSO implementation, adding to the vendor's workload.

While the above holds some merit, the following is also true:

  • Disproportionate Pricing: The upsell cost for SSO often goes far beyond what's reasonable to cover development and maintenance. It can be a significant multiplier of the base package, making it a luxury for smaller businesses that need it most.

  • Shifting Priorities: Charging a premium for SSO incentivizes profit over security. It creates a situation where companies have to choose between affordability and best practices.

  • Standardization Ignored: The sheer variety of identity providers can be a challenge, but industry standards exist to simplify integrations. Vendors who leverage these standards can reduce development costs and offer SSO at a more reasonable price.

The Ethical Dilemma

Ultimately, the "SSO tax" creates an ethical dilemma for vendors. While development costs exist, charging exorbitant fees makes it harder for businesses to prioritize security. Ideally, vendors should:

  • Offer SSO in Base Packages: Consider SSO a core feature, not an expensive add-on. In today's cloud-based world, secure access management is essential.

  • Develop Standardized Integrations: Leveraging industry standards can streamline development and reduce costs associated with supporting multiple identity providers.

  • Provide Transparent Pricing: Vendors should clearly outline the costs associated with SSO and avoid hidden fees or excessive markups.

To those SMBs and even larger companies that would like to cut costs, Pomerium can alleviate some of that for you.

How does Pomerium workaround the SSO tax?

While many companies will write endless blogs shaming vendors for implementing an SSO tax, Pomerium believes in solution-oriented discussions. Pomerium Zero allows you to implement SSO for your self-hosted applications without the burden of the SSO tax. Here's what makes Pomerium Zero stand out:

  • Free and Open Source: Pomerium Zero is a free, open-source solution. You don't have to pay any licensing fees or hidden charges to enjoy the benefits of SSO.

  • Easy to Implement: Pomerium Zero is designed for ease of use. It integrates seamlessly with your existing infrastructure and requires minimal configuration.

  • Secure and Scalable: Pomerium Zero prioritizes security without sacrificing performance. It offers robust access controls and scales to meet the needs of your growing business.

  • Empowering Businesses of All Sizes: Whether you're a small startup or a large enterprise, Pomerium Zero makes secure SSO accessible.

Even better, Pomerium can add SSO to legacy applications that do not have built-in SSO. Simply put Pomerium in front of your legacy application, implement SSO through Pomerium, and voila — you don't need to change the application at all.

Pomerium Zero offers this as a basic feature. The immediate ROI scales linearly with every single application your company uses where you self-host and pay to unlock SSO. If ten internal applications cost $20/user/month for SSO, Pomerium saves $200/user/month.

We use SAML. Do we have to keep paying the SSO tax?

While we highly suggest shifting to OIDC, companies that cannot shift away from SAML can find an OIDC compliant federating identity provider (such as Amazon Cognito) to implement SSO through Pomerium and save on the SSO tax.

Have other questions about a specific application or your custom identity provider? Feel free to reach out to us on our Discuss forums to ask how you can save on the SSO tax today.


More Blog Posts

See All Blog Posts
Introducing Pomerium Zero
Announcing Pomerium v0.26
4 Trends Shaping the Future of Access Control

Your Security

Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.

Pomerium logo
© 2024 Pomerium. All rights reserved