Heya, I work for a commercial auth provider but we provide a free version with unlimited SSO connections. (Details in profile if you are interested.) So I have a bias.
There's a number of ways for open source software stacks to make money, but I agree that finding features that companies with money will pay for is a great one.
I think Patio11 said it once, but SSO feels now like HTTPS felt in 2015. Used to be super expensive, but now should be "table stakes".
Other ways open source companies can make money:
- hosting (offers that sweet sweet recurring revenue)
- support (especially SLAs, which pair nicely with hosting)
- other enterprisey features, such as integrating with enterprisey tools (DataDog, SIEM tools)
- other auth features like fine grained authorization (RBAC, ABAC, PBAC) and provisioning (SCIM)
- control planes (I see this with tools like Cerbos and Permit which both offer fine grained authorization execution engines that are free, but charge for the control plane)
- certifications (SOC2, FIPS, HIPAA, PCI). This might not make sense in all cases; it does depend on the tool
- custom feature development (better if this is pulling forward planned development rather than something unplanned)
It's not easy, though.
I wrote more on my personal blog about freemium[0] and open-source[1] business models.
The problem is there's a huge gap between "We are a small company, and don't care about SSO" and Enterprise.
The company I work for is in the middle - anything where SSO is gated behind "Enterprise" is not even considered by us. We don't need 90% of the other "features" under the Enterprise plans, and most aren't willing to custom quote us for Basic+SSO.
Withhold it from free versions, sure - but definitely don't lock SSO only behind the most expensive option.
Companies of that size are common. It would in isolation even be profitable to serve them. The problem is if you introduce a middle tier that includes SSO, many enterprises will go for that instead of the expensive enterprise tier you want them to buy. Basically, you sacrifice medium companies as customers in order to chase after that sweet enterprise money.
Companies of that size are served by the "enterprise call a salesperson" offering. If you really don't need all of the other features you can probably negotiate a discount.
That makes sense, but I still think there are other features that can be gated behind enterprise to help make sure that doesn't happen while still providing SSO for smaller companies.
You can have user limits on the non-enterprise plans (Microsoft does this, for example, with Business Premium locked at 300 users or less), or gate other features behind enterprise: Have MFA across the board, but lock conditional access behind enterprise, lock more advanced audit logs & reporting behind enterprise, lock RBAC behind enterprise, or data residency, custom security policies, API limits, etc.
There are numerous other features that are non-negotiable for enterprises to help funnel them into the enterprise plan, while still being able to service medium companies with SSO.
I'd hardly call a business with 150-300 employees that cares about SSO but doesn't need the full suite of enterprise features an outlier; I'd imagine that's fairly common nowadays.
Maybe in 2015 it was an outlier, but SSO is now non-negotiable, and with many of these businesses on M365 Business Premium, which includes Entra ID P2, SSO is now accessible to a large number of companies where it wasn't before. It's no longer some niche enterprise-only functionality; it's a bare minimum for business SaaS.
The fact you’re unwilling to even consider a product with SSO behind the enterprise license is what makes you an outlier, and frankly probably a bad customer.
And if you’re trying to negotiate custom, non standard licensing when you’ve only got 300 employees you will likely be a noisy customer in perpetuity.
No offense, that’s just how I’m betting 99% of folks read your response.
> There’s a reason they all do it, and it’s because SSO is one of the few features enterprises are almost universally willing to pay for.
Also, anyone who's dealt with SAML knows it's like licking lead-based paint. It's the knowledge equivalent of antimatter, every line of code you write costing you a point of IQ.
SSO has to bring in monthly recurring revenue, to cover the monthly recurring disability payments to the many people who've lost the ability to feed and dress themselves after reading too much of the xml-dsig spec.
Withholding enterprise features from free versions isn't the problem; the problem is charging extortionate rates for an important security feature.
> "Decouple your security features from your value-added services...If your SSO support is a 10% price hike, you’re not on this list. But these percentage increases are not maintenance costs, they’re revenue generation because you know your customers have no good options."
Problem is, lots of SSO implementations will involve dealing with some arrogant architects claiming you know nothing and that their semi-broken SAML is something you should implement for them for free. Repeat 100 times, with each customer having their own way of breaking the spec or using something crooked.
It is getting better with Entra P2 or Okta, as it is a couple of minutes to configure if you use a good framework in your projects.
But the tax was because of what I wrote about in the first place.
This is why at work we're encouraging and recommending the use of some kind of SSO, but we're basing our cost off of the customer's IDP.
Some "green" IDP like O365 OIDC, Okta, Entra and such are usually included without extra cost (and will be self-service soon, too). Some "yellow" - usually SAML - IDPs come at a fixed fee. We know them, we know they are weird, but we can deal with it.
Other things are flagged as red and call for hourly-billed projects and recurring maintenance fees. Like, one customer has an in-house-developed SAML IDP written in PHP a decade ago or so. I want our customers to use SSO, but that's a level of jank I'm not supporting for free.
There’s a reason they all do it, and it’s because SSO is one of the few features enterprises are almost universally willing to pay for.