SSO tax seems like a very reasonable price differentiation method to me. Most of the price increases on sso.tax are quite reasonable for a company that needs SSO (most companies I've worked in don't bother until they are above 100 employees, despite what that site says).
> most companies I've worked in don't bother until they are above 100 employees, despite what that site says
Companies don't "bother with" SSO because using SSO is expensive, since every product charges more for the privilege. Otherwise there's no reason why a 2-person company shouldn't be using SSO from the get go.
There are many small businesses that outsource their IT to managed service providers, but are understandably limited in their budget.
In my opinion, SSO tax results in arbitrary denial of employing best practices for these businesses.
Passwords are evil, because people generally don't care about security or don't have the capacity to employ proper hygiene around passwords. This likely means that SSO tax indirectly contributes to an increased number of account compromises (especially in small businesses, because more limited funds means more limited security; they're low-hanging fruit for bad actors).
> Security is not a differentiation method. It's table stakes for any technical product.
Security as table stakes, sure. SSO, certainly not.
It's an additional cost, last I checked it was between 10$ and 20$ per user per month if you take the cheapest option and outsource it.
This whole notion of "Unless you meet this security standard that 99% of products don't meet, your product hasn't met table stakes" is nonsense and needs to die.
SSO will get cheaper in the future; for now it's hard for a product development team to justify getting 0$ in revenue just because of some purity test by irrelevant folk on the internet.
Running my own keycloak or another ory hydra is a boring task. Locking SSO behind some arbitrary scale and raked up price takes sales away from you. It’s a matter of perspective.
> Running my own keycloak or another ory hydra is a boring task.
Simply running keycloak is not sufficient for SSO.
An SSO implementation may take months of dev time (i.e. $50k, minimum, considering cost of dev hours spent on it, and opportunity cost of not having those devs putting those hours into features).
And after you have done that, it remains an expensive feature - it's a high-touch feature that will eat product support time like you wouldn't believe.
Outsourcing this is still the cheapest option, and it still costs more than the product itself in many cases.
I don’t understand your point. My question is: if the service provider offers SSO as an additional feature, why limit it to certain size of a client? Their service supports it. Why cannot my two persons company enable this feature? My two persons company can run my own keycloak and use it as an OAuth provider in your product all right. If you need months of dev time to enable SSO on my account then say that upfront because I will certainly find a different service provider because you clearly don’t know what you’re doing.
> If you need months of dev time to enable SSO on my account then say that upfront because I will certainly find a different service provider because you clearly don’t know what you’re doing.
If you could do that, you would. The point is that SSO is high-touch and high-maintenance, and the price reflects that.
If it is as cheap you appear to think so, you'll make a killing offering SSO for businesses and undercutting the current providers by (maybe) 50%.
I don't think you are doing that. Maybe I am wrong, but if you are right you're leaving easy money on the table.
