[jroes]

I feel like charging for SSO is a reasonable request of enterprises when adopting open source software. Most enterprises require SSO as policy (and should). Most enterprises also don't contribute financially to the sustainability of open source software, so this is one way to ensure that happens.

[eropple]

The problem is that everyone should have SSO, and that includes small orgs.

If you don't want your stuff used by small orgs that can't afford to pay, that's a totally reasonable standpoint. At the same time, though, if it's good they probably will use it despite not having SSO, and so that decision makessecurity (something that, by and large, benefits everyone) into an opt-in luxury good. Speaking only for me, I'd be uncomfortable espousing that as a philosophy.

[jroes]

I agree that orgs of all sizes should use SSO. The pricing should scale appropriately.

But as we have seen, companies are not doing enough to secure the sustainability of the open source software they rely on for their businesses, and I think a balance needs to be struck.

[rlnorthcutt]

One thing that Appsmith does is to offer Google and Github SSO for the open source version, and then SAML, OIDC, OAuth2 for the business edition. It can be very difficult to figure out where to draw the line, but I think looking at the needs of the individual developer vs a business team of devs is a good start.

[eropple]

They are not. I agree.

SSO isn't where to try to bleed that pig though, I think, to the point where for team-based systems it is probably more proper to disallow anything else (and maybe make them pay for guest access outside of their domain!).