[HN Gopher] An admittedly wandering defense of the SSO tax
___________________________________________________________________
An admittedly wandering defense of the SSO tax
Author : ned_at_codomain
Score : 38 points
Date : 2024-08-20 20:41 UTC (2 hours ago)
(HTM) web link (ssoready.com)
(TXT) w3m dump (ssoready.com)
| matheist wrote:
| Nice explanation. I'd be interested in hearing from anyone who
| used to feel negatively about the "SSO tax" and then switched to
| feeling positive/neutral about it -- what changed your mind and
| why? Vice versa, too. (Not interested in rehashing arguments
| about why it's good or bad.)
| wmf wrote:
| This car with no seat belts, no airbags, and no ABS is just price
| discrimination! Strangely, no one seems interested in celebrating
| the implied discount for not having safety.
| ned_at_codomain wrote:
| This is a solid objection that I hadn't considered before!
|
| Why isn't SAML SSO mandated (either literally or by
| convention)?
|
| Practically speaking, as someone who spends all day trying to
| convince developers to _implement_ SAML SSO, I really wish this
| were the case :)
|
| I think in practice, software vendors correctly assess that
| relatively few of their prospective customers actually care.
|
| If many small / price sensitive companies really wanted SAML
| SSO from their vendors -- if there were really meaningful
| demand -- I imagine we'd see more pricing plans with SAML SSO
| bundled into entry level tiers.
|
| As for mandates, this is a challenging ethical question. I
| don't think it's necessarily _obvious_ in all cases that some
| institution should impose safety regulations upon us.
|
| There's clearly some set of risks we accept, and some set of
| risks we don't accept. And we all draw the line in different
| places.
|
| This is pretty obviously true. Not many of us worry about
| objects randomly falling off buildings. We don't all wear
| helmets all the time. It's certainly a risk, but do we really
| care?
|
| I think the revealed preference from many software buyers is
| basically ... no, they don't care about having the security
| benefits of SSO.
| wmf wrote:
| I also don't want to mandate anything but as an industry we
| have to find some way to do better on security. Free SSO and
| 2FA with very strong nudges seems like a good path.
| ameliaquining wrote:
| On a lot of issues (passwords, SQL injection, automated
| deployments), buyers originally didn't care much about
| security, but the security community slowly but surely
| managed to shift norms and get doing the right thing to
| become normalized. I think that could happen on SSO too, if
| not for the fact that it's so effective as a price
| discriminator, which in turn I think makes it less likely to
| happen absent some kind of regulation. (Developers at small
| companies might not care, or they might _want_ to do the
| right thing but be unable to justify it to the boss;
| meanwhile, SSO is usually a non-negotiable requirement for
| enterprises. I think that's a bigger factor than apathy or
| "price sensitivity" (enterprises are often extremely
| price-sensitive) in why it's such a good discriminator.)
|
| I favor regulation on this, even though it's probably not
| necessary in every case, simply because I don't see any other
| way to break this equilibrium.
| commandar wrote:
| >This is a solid objection that I hadn't considered before!
|
| To be quite frank: this strongly suggests that while you put
| a lot of effort into writing a long article in defense of the
| SSO tax, you didn't perform more than the most cursory
| research about _why_ it's a topic of discussion.
|
| This argument is literally above the fold on the two top
| search results for the term.
|
| >In short: SSO is a core security requirement for any company
| with more than five employees.
|
| https://sso.tax/
|
| And the other _explicitly_ makes the car-safety analogy:
|
| >Imagine buying a car and the manufacturer asks for an extra
| payment to unlock 100% of the braking power. Not offering
| security features if they already exist in your product means
| a vendor doesn't care about your security. Our aim is to
| spotlight vendors who overcharge for security features, in
| hopes of instigating a change in the industry.
|
| https://ssotax.org/
|
| And to be franker: the word "security" appears exactly once
| in your entire piece. That's a near-complete avoidance of the
| actual issue that people are highlighting.
|
| I perfectly understand the rationale behind the pricing
| model. The point is that "only large enterprises need or care
| about SSO" is _completely_ wrong-headed and detrimental to
| the overall security posture of _any_ business customer. That
| is and should be unacceptable.
| ned_at_codomain wrote:
| Hm, that seems like a misrepresentation of what I'm saying.
|
| I specifically meant that the previous commenter made me
| think of mandates.
|
| I run a company that makes SAML SSO software. I've thought
| quite extensively about SAML SSO. See:
|
| https://news.ycombinator.com/item?id=41036982
|
| Addendum: I have a very strongly vested interest in more
| people using SSO. I literally spend my time trying to
| convince developers to set it up!
| stackskipton wrote:
| As someone who deals with application support, another big reason
| is SSO is such a support nightmare. No one wanted to touch SSO
| tickets because of how frustrating they were to deal with. People
| wouldn't follow the instructions. Microsoft/Google moved
| something in their portal and we didn't know so instructions were
| useless. Microsoft/Google would be having issues and we got
| tickets because they were still working until tokens expired.
| Their Admins would turn on 2FA and when their support desk got
| "Cannot login to $OurProduct", they would just flip it over to us
| without caring. List goes on and on.
| sparrish wrote:
| This is the real reason there's an SSO tax. It costs to support
| SSO, the customers who want SSO should pay for that cost.
| ned_at_codomain wrote:
| I would agree that this cost-plus pricing structure applies
| in some cases. Some companies definitely want to constrain
| the universe of SSO users.
|
| But this will usually show up in pricing structures with SSO
| as a relatively inexpensive add-on feature -- not as part of
| an indivisible bundle.
|
| Seemingly we want to talk about both of these things as "the
| SSO tax" but I think we can agree that they're pretty
| different scenarios.
| wmf wrote:
| I thought some company had free SSO for Google and 365 only
| and advanced SSO on the enterprise tier. I don't remember
| which company though, so maybe I made this up.
| candiddevmike wrote:
| There are plenty of folks who set up SSO with open source
| projects without a support contract. Why should they have to
| pay for it with other software?
| SkyPuncher wrote:
| I was lead engineer for a startup. By virtue of being the most
| flexible in my day-to-day, I ran front line for most of the
| customer support issues.
|
| SSO issues took exponentially longer than nearly every other
| support issue and accounted for well over 50% of our support
| efforts.
|
| We didn't really feel like there was much we could do about it
| either. Most of it came down to the fact that the user of our
| application was not the person also able to set up SSO. The
| result was a massive game of pass the hot potato until we would
| get fed up and request a call with our customers' IT team.
| t0mas88 wrote:
| This is exactly the issue with SSO and enterprise customers
| with complex requirements on how their IDP needs to be
| integrated.
| grinich wrote:
| The "human cost" of SSO is definitely the hardest part.
|
| At WorkOS we solved this by shipping the whole config workflow
| in the form of an admin portal. It checks things like SAML
| certificate, signatures/assertions, attribute mapping, etc. and
| a zillion other edge cases across dozens of identity systems.
|
| It's pretty much "Stripe Checkout" for setting up SAML. Live
| demo here (click "Configure")
| https://explore.workos.com/app/settings
| ned_at_codomain wrote:
| Oh cool! We have pretty much the same thing
| greenstreet1994 wrote:
| how is yours different? curious to know
| anotherhue wrote:
| It's a bad system and you should feel bad for using it.
|
| By all means charge enterprises more, but base it on something
| else, headcount, revenue, non-profit status...whatever.
|
| Every time I hear about a data breach I wonder if someone avoided
| perfectly reasonable SSO protections because of this tax.
| colechristensen wrote:
| If you have enterprise pricing, have substantial enterprise
| features. That's it.
| TZubiri wrote:
| I get that there's some correlation between hacker culture and
| piracy and free as in gratis.
|
| But lately I've seen a flood of flat out complaining about things
| costing money.
|
| As software devs we should be for software having a price tag,
| not against it.
| langcss wrote:
| The complaint isn't about anything costing money. It is about
| making SSO an enterprise feature which pushes the price up
| a lot. At the same time SSO is good for security. So it is like
| an office space charging double for swipe cards instead of a
| number lock.
|
| I think what annoys people is the reason why: a way to make
| more money from enterprises, and that they could make that
| money some other way.
| happyopossum wrote:
| > So it is like an office space charging double for swipe
| cards instead of a number lock.
|
| If the landlord had to hire a bunch of extra support people,
| with expertise outside their normal domain, just to support
| swipe cards then this would make sense, no?
|
| I can imagine a lot of products where a company literally
| could not afford to provide support for SSO issues to a basic
| tier customer with 100 employees.
| happyopossum wrote:
| My job involves working with customers to test out products - has
| for years, and for several jobs. None of my products have ever
| charged extra for SSO, and most require it, so I get to deal with
| it all the time.
|
| For the past 5+ years, the part of configuration that takes the
| longest - by far - is always SSO. I cannot imagine the amount of
| added support calls, time, and frustration brought about by it,
| so I can completely understand why some companies gate it behind
| more expensive tiers.
| SOLAR_FIELDS wrote:
| The reality is much simpler than the article would have you
| believe. The article goes through all these convoluted
| explanations about value add but the simple fact of the matter is
| that SSO is the one differentiator that businesses will guarantee
| pay for. The other features are often unknown to stakeholders
| outside of the internal champion and need explanation oftentimes.
| But SSO, enterprises always need at a certain scale. So it's
| incredibly effective because it's the one feature that every
| single enterprise that wants to purchase your product cannot do
| without.
|
| In fact, the exact opposite conclusion of the article is reached
| if we follow this logic. One of the taglines reads: _Buyers want
| different things_. Well, maybe the stakeholder /champion actually
| using your software might. But often they are not the ones that
| are making the money decision in an organization. The people who
| ARE making that decision, however, do not want different things.
| They probably could care less about different things. They want
| SSO.
| karlgkk wrote:
| I think the friction here is from midsized companies. Where
| onboarding software that's purchased is much harder than free
| software.
|
| I think it might be worth saying "SSO is free, up to n users".
|
| Also this is pricing for "adequate security", which rubs a lot
| of people the wrong way.
|
| But I do agree, competent, organization-wide SSO with SCIM is
| definitely an enterprise feature.
| commandar wrote:
| I'm in the healthcare world.
|
| SSO is a hard requirement for us.
|
| There have been many, many times where we've considered an
| application where we could justify the spend at, e.g., the
| departmental level for the limited user base that needed it,
| but where SSO being bundled into higher price tiers combined
| with minimum user counts took a potential solution from "very
| easy discretionary spend" to "not happening, full stop."
|
| I'm often the one having to make these decisions. It's
| absolutely exhausting having to explain to non-technical
| department heads that "yes, this would solve your problem at a
| price that fits budget, but the vendor bundles a vital security
| feature into a tier that inflates the price to a point that it
| makes this unfeasible."
| paxys wrote:
| This is a good economics lesson but fails to address the actual
| issue people have with the SSO tax. It isn't about the concept of
| price discrimination, but price discrimination when it comes to
| _security_. You can charge extra for convenience features or
| other value-add features, sure, but the choice of login provider
| is something that should be table stakes for every person and
| every organization regardless of how big they are or how much
| they can pay. An even worse example - plenty of apps gate
| _two-factor auth_ behind a paid tier as well.
| SOLAR_FIELDS wrote:
| Sure, but most SaaS support "SSO at home" in lower tiers via
| either Google idp or GitHub. So yes you're locked into those
| vendors which kind of sucks but it's not necessarily true that
| you have to give up security without forking over the "SSO tax"
| JohnMakin wrote:
| This reminds me of when several years ago I was a pretty early
| enterprise Vault user - I poc'd out a pretty simple
| implementation with the OSS version that at that time included
| SSO support with Okta. Management was like "great we don't have
| to pay for any of this then, let's use OSS then" and I argued
| that there was zero chance they were going to leave that as an OSS
| feature, sure enough, some months later they rug pulled it. It
| was pretty much the only additional feature outside of core
| functionality we absolutely "needed," everything else was pretty
| fluff.
| tomrod wrote:
| Neat advertisement to drum up support for easily adding SSO with
| open source tooling.
| icambron wrote:
| I don't really mind paying for SSO. It's fine. But I hate that
| it's the one feature in the "enterprise" tier that I need, and
| now I have to talk to a sales rep and sign a contract. You could
| have just charged me more per seat and it would have been better
| for both of us. Instead I looked for another vendor that didn't
| let their sales team convince them to let the AEs gatekeep a
| basic feature.
| ivan_gammel wrote:
| I was responsible for IT in a hypergrowth scale-up and I don't
| like this article, it misrepresents the problem. The problem is,
| when you are big enough to set up SSO like Okta, you have to
| upgrade nearly all of your subscriptions in a short time to make
| use of it, suddenly resulting in a huge increase in the budget.
| So, let's say the business goes from X to 2X in revenue and from
| X to almost 2X in staff (let's assume there's some small increase
| in productivity over time). In some incredible logical twist
| every SaaS provider thinks that 2X increase in price is
| affordable, despite that the company is still burning money and
| the enterprise features aren't really needed yet. 2X budget isn't
| approved by CFO, cost-cutting exercise starts and price increase
| is matched by significant reduction in number of licenses. Was it
| worth it? Not sure. Volume-based pricing complemented by feature
| add-ons would do a good job too.
| dakial1 wrote:
| This is the same way all airlines in the world work since the
| invention of Revenue/Yield Management. Which is basically price
| discrimination to get the biggest piece of the value.
|
| Airlines will mostly segment clients based on things like Minimum
| Stay (in destination) and how many days before the flight the
| ticket was bought to find the most desired of all users: The
| business traveler.
|
| SSO is (roughly) the same thing, companies who would like SSO are
| probably the ones in the corporate level, and this is an
| efficient way to find them. Of course there are false positives,
| but software companies are willing to live with those to get the
| biggest part of the pie.
|
| And this is actually good for users, as it allows for the other
| users who have more flexibility to pay a lot less (both at
| airlines and software) than they would pay if those companies
| didn't discriminate.