In the modern era where online privacy is limited, security is no joke. While software vulnerabilities are nothing new, the ubiquity of connected apps such as social networking, email, and messaging means that we, as product owners, have a newfound obligation to implement security measures to the best of our ability.
SUMO Heavy is not a large enterprise. But being a smaller firm doesn’t mean we don’t deserve control over our security. Having clients in industries requiring COPPA, PCI, SOC, and SOX compliance, we have learned just how important it is to have strong authentication and authorization that is easy for our internal end-users to operate across software vendors.
Even as a company with fewer than 30 people, we have implemented Single Sign-On (SSO) via SAML. Our vendor stack is nothing out of the ordinary, but as we grow it would be an absolute beast to manage without SSO. We have our G Suite directory pulled into OneLogin, and have been moving every app we can to authenticate via SAML integration with OneLogin.
For those interested, our main SaaS vendors are:
- Adobe Creative Cloud
- Amazon Web Services
- Atlassian Cloud
- Office 365
When evaluating new products for our long-term strategy, we tend to eliminate any vendor that does not provide SSO as an option. In some cases, if Google authentication is available and normal email logins can be disabled, we may consider it.
With SSO some vital aspects of user management are possible:
- Provisioning new users across applications can be done with a few clicks
- Deprovisioning users is done in even fewer clicks
- Users have one password to manage for most of their applications, and we’re steadily increasing the number of applications covered
- Implementing new security policies such as MFA is simple and can be required
- Forgetting a password for one application is rarely a problem
- SSO vendors can prevent weak and reused passwords, and can thwart brute-force attacks
Before implementing SSO, we were spending valuable time each week managing permissions, resetting passwords, and overall maintenance. Now, it’s all managed in one place and is mostly self-service.
Sounds great. So what’s the problem?
This is where it gets weird. SSO is considered an enterprise feature, so companies should charge more for it! That’s not only incorrect, but it’s also irresponsible. It’s a trick for SaaS products to sell their highest tier on a yearly contract by eliminating SSO from their lower tiers. Sometimes, these enterprise tiers require a commitment to a minimum number of users as well. These products are preventing smaller companies from implementing an important aspect of security, and for no other reason than to secure large contracts.
The thing is, it’s not difficult or overly expensive to implement. In fact, the SSO providers are one of the lowest costs. OneLogin is available with monthly billing and very reasonable minimums (25 users for the starter plan, 10 users for enterprise, and 5 users for unlimited) — starting at $2/mo/user. This article isn’t intended to be an in-depth evaluation of various SSO vendors, but there are others that have reasonable pricing as well.
Why should you care?
OK, so you probably don’t care about our internal setup, and that’s understandable. But the message is important. Security is not a feature, it is a necessity. Products that implement SSO should not be made inaccessible by an artificial tax used to perpetuate vendor lock-in for established SaaS products and to get startups the hockey stick growth they all lust after. Implementing SSO via SAML doesn’t require extra licensing; in fact, once you have an SSO vendor set up, you can implement it at no cost in many of your favorite open source web applications via add-ons.
SSO via SAML is becoming more available as new SaaS products enter the market, which is making it a more achievable implementation for companies of all sizes, but there’s a long road ahead. There needs to be more awareness around the benefits of SSO from vendors such as OneLogin, Okta, and JumpCloud as well as more demand from SMBs.
What can I do?
If you’re a small business that wants to implement SSO and is running into mandatory minimums or high costs from specific vendors just to get access to SSO, one of the best things you can do is ask what options there are. The worst someone can say is no, and there’s almost always room for negotiation. Here are some ideas:
- Monthly billing at a slightly higher per-user cost
- SSO as an add-on for a per-user cost rather than upgrading to the next tier
- A lower minimum user count, or none at all
Sometimes the sacrifice will be worth it, and sometimes it won’t, but you won’t know without asking. Don’t be afraid to pick up the phone and talk to someone, or to ask for monthly billing even if it’s not advertised. You’ll often hear no, especially from the larger vendors, but there will almost always be one out there willing to work with you, and they may be a vendor you’ll keep forever.
If you’re a SaaS vendor, then offer SSO. That’s it. Could you charge more per user? Sure, that’s fair. There’s some infrastructural and maintenance overhead involved. Should you reserve it for your largest active and potential customers? No, just don’t do it.
This post is not intended to call out individual vendors. That’s not our job, and frankly, it’s already being done. If you’re a small business that cares about the security of your users and clients, check out https://sso.tax/.