Why SMBs Don't Deploy SSO

As someone who works on our SSO implementation, the reason for the SSO tax is twofold:

- Positioning: it’s seen as an enterprise product so attracts enterprise pricing

- Support: it’s genuinely a high touch feature which lots of customers fuck up all the time in the same way and always needs support and engineering help.

Documentation for those issues? We have it, it doesn’t stop the support requests coming in. I was looking at a request this morning where the error message is coming from Azure itself and clearly says “this is not configured correctly.” The request hasn’t even reached our systems yet!

Until SSO is as plug n play for users as Google Sign-in, SSO will continue to attract a high price point. And I’ll continue to push back on attempts internally to democratise it.

Missing one of the key reasons: most SMBs are sharing seats (usually in violation of the license terms for the products they're using), which is rather harder with good SSO products. Per seat licensing for b2b products is lucrative, but carries the risk that you're just pushing your customers to share passwords, which is usually way worse for security.

One of my friends from high school has a dad with a business. I still live in the same city where I went to high school so I occasionally get called to do some tech support for my friend’s dad. Last summer, he ended up in SSO hell and so I got loaded on muscle relaxants and went to help him.

He’s an excellent guy with a great attitude and a genuine love for what he does. He’s infectious and when I get to see him, I usually laugh so hard I damned near hyperventilate.

His SSO issue was so severe that all that good humour and attitude was totally absent. It took a couple of days, but we got him going.

I’m a big fan of democratizing tech, especially security tech. But SSO is quite complicated at the best of times. When it goes wrong, it’s like troubleshooting a plate of spaghetti where half the noodles try to bite you.

In the case of SMB, when it goes wrong their businesses mostly grind to a halt. They often don’t have dedicated IT staff - the model of a son’s friend who comes in to help because he didn’t move away is quite common in SMB.

It’s a good idea, but in practice until we can get it to be completely turnkey, I don’t believe that many SSO providers could even afford to provide support for SMBs.

I've implemented SSO in a small business context. It's insanely hard. Absolutely not worth it.

Until Apple and Microsoft find a way to a LetsEncrypt-type comprehensive mission, it's out of the question.

And, since Azure 'Entra' is a Microsoft profit center, no easy to use tool will be in their interest.

The org I work for recently signed a small (5-user) enterprise agreement with a popular web-based form solution provider for $5k. When I asked them to enable SSO, they asked for an additional $2.5k, which I felt was ridiculous. This is why we didn't do SSO.

SSO is not the silver bullet they seem to think it is. You are delegating your security to an org that may not be as secure as they claim, e.g. Okta:

https://arstechnica.com/information-technology/2023/11/no-ok...

They should use YunoHost! By far one of the most impressive things about YunoHost is that a good number of the services you can run with it have directory service integration! https://yunohost.org/en/users

I don’t want to bother with vendor lock in and an additional single point of failure. That’s why I don’t use sso

Full disclosure: I work at WorkOS (https://workos.com/), we provide SSO (among other things) as a service.

I glanced through the report and it comes to the normal conclusion that SSO is hard and expensive to get right. Do SMBs focus on providing value to their customers in the problem space that they are experts at or do they spend months just getting sign-in working?

Yeah I get the concern about the "SSO tax" but unfortunately SSO isn't free. Someone is paying for it somewhere, be that implementation, outsourcing to a service, and/or maintenance and customer support for the live of the product.

That said there are a lot more services and libraries out today that try to make this easier such as https://www.passportjs.org/ (which WorkOS sponsors).

I'm largely in favor of SSO, but it's not without its downsides, going beyond capital costs: SSO can also be implemented in a way that introduces an onerous latency tax when using services.

>Why SMBs Don’t Deploy Single Sign On (SSO)

Bullshit article. The reason SMBs don't deploy SSO is because SaaS and other tooling puts SSO integration behind very high tier paywalls.

I'm talking pricing schemes where sure, you can sign up for a 20 person team on a service because that's the only expected user base in house, but the moment you ask for SSO they demand you license your entire employee headcount.

Among many ridiculous schemes I've dealt with.