How SaaS vendors trap you into Enterprise plans aka the secret SSO Tax

July 25, 2022 · 3 min read SSO Tax
Feature Image

Every company knows this situation: A new employee joins and you want them to be able to start being productive right away. The one hurdle we all face: The new joiners now need access to all of your teams fancy SaaS tools. No access means no productivity and a frustrating onboarding experience for the initially motivated new joiner.

Depending on the size of your company, you might create software accounts for the new joiner yourself or you already have an IT admin doing that for you. If so, lucky you! Either way, the more employee fluctuation you have, the more tedious it becomes.

Your typical onboarding process

Onboarding in Slack

Let’s play this through: Imagine onboarding a single new employee in the marketing team (let’s call the new employee Alice). Now let’s imagine not only adding all the core tools but also the marketing specific tools. You’ll quickly arrive at 50+ tools that need to be created for a single user. Let’s take the steps together:

  1. Open the tool, e.g. Notion
  2. Find your credentials and sign in
  3. Create user account for Alice with the correct roles/permissions
  4. Document in a Google Sheet that Alice has Notion and is part of the “Marketing group”
  5. Repeat for 49 more tools 🤯

Now imagine, it’s not just Alice but also Bob and Barbara that join your company. Your pain multiplies! 🤯🤯🤯

Moreover the State of SaaSOps Report from 2021 shows that “the average SMB uses 110 SaaS apps”. The more SaaS apps you have, the more user account creation and revocation processes will need to be done on a regular basis.

Can’t I just skip documenting Alice’ access?!

Well, depends. If you are SOC or ISO certified you absolutely can’t. Knowing who has access to what is an integral part to become certified.

For everybody else out there: You can theoretically skip this part but this just means that you will regret this decision once Alice leaves the organization. On the day of her offboarding you have to go through every single application that your organization uses to make sure that no access has been forgotten. You certainly don’t want to have somebody still having access to your applications and data after leaving the company!

Could Single Sign-On (SSO) be the solution?

Single Sign-On means a user can sign into an application with the same credentials that were originally set up with Identity Providers such as Google, Azure AD, Okta etc. That’s a great benefit! For the tools that provide this feature Alice can now just pick the tools she wants to use and doesn’t have to wait for you to create them separately.

However, what SSO doesn’t take care of is assigning the correct user role/permission for the new joiner. So you’ll still need to log into all the tools and add Alice to the right groups in order for her to start working productively. So you still end up signing-in to all of your tools.

Well, what if you build a system that does what SSO does, but also covers those roles/permissions?! It actually exists and is called SCIM (System for Cross-domain Identity Management). If you use an access management tool that “speaks SCIM” you can set it all up from a central place.

The enterprise-subscription trap

Problem solved, right? Not quite. The largest downside of SSO & SCIM is that there is something with the fancy name of “SSO Tax”. Most SaaS tools try to upsell you to their enterprise plan by hiding those incredibly useful features behind a paywall. Paying this SSO Tax can easily lead to increased tool cost of 2x, 3x or in some cases even 17x! Paying that “tax” for all of your applications can quickly add up. A 3x of those 110 application leads to ridiculous extra costs that no CFO or CEO would appreciate.

So are we all doomed?

No, absolutely not. We started AccessOwl because we were fed up with manual tool creation and artificial extra costs for software. AccessOwl automates how your employees receive software access, no matter what API is available or subscription you are using. IT teams from companies like Zeplin save 30 minutes on every access request.

Learn more about it by booking a demo with us!

Mathias Nestler