In the world of SaaS procurement, there is a recurring moment of frustration. You find a tool that fits your needs perfectly. The "Pro" plan is reasonably priced at $25/user/month. You are ready to buy.
Then, your IT Director asks a simple question: "Does it support SAML SSO for Okta?"
You check the pricing page. Yes, it does—but only on the "Enterprise" plan. You click "Contact Sales," only to discover that the Enterprise plan starts at $80/user/month, with a 50-seat minimum. Suddenly, a $500/month contract has exploded into a $48,000/year commitment.
This phenomenon is known in the industry as the "SSO Tax." It is the practice of treating Single Sign-On (SSO)—a fundamental security requirement for any modern business—as a luxury feature to force upsells.
Why Vendors Do It: The "Willingness to Pay" Proxy
From a vendor's perspective, SSO is not just a feature; it is a segmentation signal. If a company cares about SSO, it likely has a dedicated IT team, compliance requirements (SOC 2, ISO 27001), and deeper pockets. Therefore, gating SSO is a highly effective way to force larger companies out of cheap self-serve plans and into high-margin sales-assisted contracts.
The Economics of the "Enterprise Wall"
The jump from a "Business" plan to an "Enterprise" plan is rarely linear. As illustrated below, the cost per user often triples or quadruples the moment SSO becomes a requirement.
This pricing strategy creates a perverse incentive: small and mid-sized businesses (SMBs) are financially discouraged from securing their accounts. They are forced to choose between affordable software and secure software.
Calculating the True Cost of the Tax
When evaluating whether to pay the SSO Tax, you must look beyond the sticker price. As detailed in our Strategic Guide to Procurement, the decision should be based on a risk-adjusted cost analysis.
Consider the operational costs of not having SSO:
- Offboarding Risk: Without SSO, revoking access for a terminated employee requires manually logging into every single SaaS portal. If you miss one, that ex-employee retains access to sensitive data.
- Password Fatigue: Employees forced to remember dozens of unique passwords will inevitably resort to weak ones (e.g., "Company123!"), increasing the risk of credential stuffing attacks.
- Support Overhead: IT teams spend a significant amount of time resetting forgotten passwords for non-SSO applications.
Negotiation Strategies
While the SSO Tax is pervasive, it is not always immutable. Here are three strategies for procurement teams:
- The "Security Exception" Ask: Some vendors will agree to enable SSO on a lower tier as a line-item add-on if you push hard enough, especially if you are close to the end of a quarter.
- Multi-Year Leverage: Offer to sign a 2- or 3-year contract in exchange for unlocking Enterprise features at a Business tier price point.
- The "SSO Tax" Wall of Shame: Citing public lists of vendors who gate SSO (like sso.tax) can sometimes shame a sales rep into offering a concession, or at least acknowledging the pricing disparity.
Conclusion
The SSO Tax is a friction point that isn't going away soon. Until market pressure forces vendors to treat security as a utility rather than a luxury, buyers must factor this "hidden" premium into their initial budget planning. Never assume the price on the website is the price you will pay if you need to pass a security audit.
References
[1] The SSO Wall of Shame. sso.tax. A community-maintained list of vendors that gate SSO behind enterprise pricing.
[2] The SSO Tax: When Basic Security Becomes a Luxury. Medium. Analysis of the security implications of tiered identity management.