[mtlsnk]

This looks great. What is the reason for adding the https://sso.tax? Why did you make SSO an enterprise feature?

Is it due to some (technical) reason that would require a monetary compensation to be profitable?

SSO has security benefits (on top of the maintainability aspect) which would also benefit small businesses.

[wielrls]

To be honest, we're still finalizing our long-term pricing details. For what it's worth, "Sign in with Google" and "Sign in with Microsoft" are available to all users, and we'll prioritize additional canonical OIDC providers as demanded (let us know what you need!). 100% agree with the security benefits here. The SSO reference on our pricing page specifically applies to SAML-based IdPs, intended for customers who require further customization re: auth and provisioning strategy.

[mtlsnk]

I hadn't the time to look around further, so I missed the Google and Microsoft SSO login options. As long as those are/remain free, there is no SSO tax.

I will have another look when I have more time, thank you.

[IshKebab]

SSO tax seems like a very reasonable price differentiation method to me. Most of the price increases on sso.tax are quite reasonable for a company that needs SSO (most companies I've worked in don't bother until they are above 100 employees, despite what that site says).

[paxys]

> most companies I've worked in don't bother until they are above 100 employees, despite what that site says

Companies don't "bother with" SSO because using SSO is expensive, since every product charges more for the privilege. Otherwise there's no reason why a 2-person company shouldn't be using SSO from the get go.

[mtlsnk]

There are many small businesses that outsource their IT to managed service providers, but are understandably limited in their budget.

In my opinion, SSO tax results in arbitrary denial of employing best practices for these businesses.

Passwords are evil, because people generally don't care about security or don't have the capacity to employ proper hygiene around passwords. This likely means that SSO tax indirectly contributes to an increased number of account compromises (especially in small businesses, because more limited funds means more limited security; they're low-hanging fruit for bad actors).

[dbmikus]

The alternative is that the starter pricing tiers are more expensive. Pick your poison.

[anilgulecha]

> SSO tax seems like a very reasonable price differentiation method to me

Security is not a differentiation method. It's table stakes for any technical product. That's what the above linked website explains.

[lelanthran]

> Security is not a differentiation method. It's table stakes for any technical product.

Security as table stakes, sure. SSO, certainly not.

It's an additional cost, last I checked it was between 10$ and 20$ per user per month if you take the cheapest option and outsource it.

This whole notion of "Unless you meet this security standard that 99% of products don't meet, your product hasn't met table stakes" is nonsense and needs to die.

SSO will get cheaper in the future; for now it's hard for a product development team to justify getting 0$ in revenue just because of some purity test by irrelevant folk on the internet.

[anilgulecha]

We will have to agree to disagree on whether SSO is security or not.

[lelanthran]

> We will have to agree to disagree on whether SSO is security or not.

It's not a binary flag, it's a spectrum. "Defense in depth" is a thing, and that means a layered approach to security.

Just because a product is missing SSO does not in any way mean that that product fails any security check.

IMO, holding the position that not having SSO is the same as not having security is unreasonable.

Missing SSO does not magically make the other $FOO layers of your security vanish into the ether.

[rad_gruchalski]

Running my own keycloak or another ory hydra is a boring task. Locking SSO behind some arbitrary scale and raked up price takes sales away from you. It’s a matter of perspective.

[lelanthran]

> Running my own keycloak or another ory hydra is a boring task.

Simply running keycloak is not sufficient for SSO.

An SSO implementation may take months of dev time (i.e. $50k, minimum, considering cost of dev hours spent on it, and opportunity cost of not having those devs putting those hours into features).

And after you have done that, it remains an expensive feature - it's a high-touch feature that will eat product support time like you wouldn't believe.

Outsourcing this is still the cheapest option, and it still costs more than the product itself in many cases.

[rad_gruchalski]

I don’t understand your point. My question is: if the service provider offers SSO as an additional feature, why limit it to certain size of a client? Their service supports it. Why cannot my two persons company enable this feature? My two persons company can run my own keycloak and use it as an OAuth provider in your product all right. If you need months of dev time to enable SSO on my account then say that upfront because I will certainly find a different service provider because you clearly don’t know what you’re doing.

[zinclozenge]

If they're offering SSO using a 3rd party provider like Auth0 then they probably have to charge for it because of how expensive it is.