We wrote once about the feature tax: the trick of charging you to flip a boolean that's already written, on infrastructure that's already running. That piece was the argument. This one is the receipt.
Because "SSO costs extra" is easy to nod along to and easy to forget. A number on an invoice is harder to forget. So let's put the whole invoice on the table for three moments every B2B product passes through: the platform base (priced by monthly active users, which everyone charges and which is fair: more users genuinely cost more to serve), plus the two line items that actually meter SAML, the SSO connection and the SCIM provisioning that rides it. Three live columns, one all-in total. We include the base on purpose. The SSO tax isn't the only place money leaks; the gap in the platform price itself runs to thousands a year, and leaving it out would understate what the feature-tax model really costs you. All rates are each vendor's published June 2026 pricing.
SSO isn't even the only meter, just the loudest. There's a quieter one: the cap on OAuth clients, the apps and services you register on your own side. It never bites during evaluation; it bites mid-integration, the afternoon you go to wire up one more tool and find you're out, left to either reuse a client you shouldn't (your support desk minting tokens for your core API is not a sentence you want to read to a SOC 2 auditor) or jump a tier to add one row to a table. A client is a row and a secret; it costs the vendor nothing, so we don't meter it. But SSO is the headline tax, so that's what the tables below price.
Scenario 1: your first enterprise deal
~1,000 MAU. Your first real logo just signed, on the condition they log in through their own identity provider, with their users provisioned automatically. One SAML connection, with SCIM:
| Vendor | Plan /mo | SSO /mo | SCIM /mo | All-in /mo | All-in /yr |
|---|---|---|---|---|---|
| Authagonal | $29 | $0 | $0 | $29 | $319 |
| Clerk | $25 | $0 (first free) | $0 | $25 | $300 |
| WorkOS | $0 | $125 | $125 | $250 | $3,000 |
| Auth0 | $0 | incl. | incl. | $0 | $0 |
At this size, three of the four sit near zero. Clerk's first connection is free (its plan is $25). Auth0's Free tier now bundles one enterprise connection, self-service SSO, and SCIM for $0, up to 25,000 MAU. Genuinely free, and credit for it (the catch is further down). We're $29, all-in. Only WorkOS breaks ranks: $3,000/yr already, all of it the per-connection SSO-and-SCIM tax. So far the tax is mostly hiding: add a second enterprise customer and watch it surface.
Scenario 2: a handful of enterprise customers
~10,000 MAU, SSO now part of the sales motion. Three SAML connections, with SCIM:
| Vendor | Plan /mo | SSO /mo | SCIM /mo | All-in /mo | All-in /yr |
|---|---|---|---|---|---|
| Authagonal | $149 | $0 | $0 | $149 | $1,639 |
| Clerk | $25 | $150 (1 free + 2×$75) | $0 | $175 | $2,100 |
| WorkOS | $0 | $375 | $375 | $750 | $9,000 |
| Auth0 | quote | quote | quote | quote | quote |
Now we're the cheapest line in the table, not by trimming features but because the base is all you pay. Every one of those three connections is a paying customer, so the per-connection meter speeds up exactly as SSO starts doing its job. WorkOS's separate SCIM line has already doubled it to $9,000/yr; ours is still $1,639, SAML and SCIM included.
Scenario 3: SSO is now table stakes
~50,000 MAU. Ten enterprise customers, ten SAML connections, with SCIM. Nobody evaluates you without it anymore:
| Vendor | Plan /mo | SSO /mo | SCIM /mo | All-in /mo | All-in /yr |
|---|---|---|---|---|---|
| Authagonal | $339 | $0 | $0 | $339 | $3,729 |
| Clerk | $25 | $675 (1 free + 9×$75) | $0 | $700 | $8,400 |
| WorkOS | $0 | $1,250 | $1,250 | $2,500 | $30,000 |
| Auth0 | quote | quote | quote | quote | quote |
Read the top row against the bottom one. Authagonal's entire annual bill (platform, unlimited SAML, SCIM, MFA, audit, branding, the lot) is $3,729. WorkOS's SSO-and-SCIM tax alone is $30,000: more than eight times our whole invoice, before WorkOS has charged a cent for the platform itself, and it doesn't need to, because the tax is the platform. That ~$26,000-a-year gap is exactly what was going unmentioned when we only showed the SSO line. The bytes are identical to a password login; the code was written once and shipped to everyone. You'd be paying, every year, for twenty checkboxes and a platform you could have had for roughly an eighth of the price.
On the numbers. Plan is the MAU-tiered platform price: the one thing we, and most vendors, legitimately charge more for as you grow. WorkOS includes user management free to 1M MAU, so its whole bill is the per-connection tax. Clerk Pro is $25/mo with MAU largely included at these volumes (modest overage possible at 50k); its first SSO connection is free, then ~$75 each, and SCIM comes free with a connection. Auth0 changed its model recently enough that it needs its own paragraph, just below. Authagonal's annual figures are what it actually bills: 11× the monthly price, because annual plans get a month free (so $29/mo is $319/yr, not $348). Competitor annuals are monthly × 12; if a vendor discounts annual billing we haven't vetted it, so their real totals may dip a little, nowhere near enough to close the gap.
One more on Auth0, because its model is the subtlest. Auth0 now bundles one enterprise connection, SSO, and SCIM into its Free plan, free up to 25,000 MAU. At a single connection that genuinely costs nothing, and credit for it. But its paid consumer tiers strip them back out; the footnote tells you to "upgrade to B2B" to keep SSO. And B2B runs several times the consumer price for the same users (Essentials starts near $150/mo against ~$35), so Auth0's real SSO tax isn't per-connection, it's the B2B premium: a multiple on the base price for the privilege of selling to businesses. That base is slider-priced by MAU and goes custom above ~20k users, which is why Auth0 reads quote in our 10k and 50k rows instead of an interpolated guess.
(Two more vendors meter on a different axis, so they're not in the tables: same tax, different hat. **Okta* licenses SSO per user, ~$2/user à la carte, scaling with the humans behind each connection rather than the connection count. Duende IdentityServer sells SAML as a flat add-on, ~$1,500/yr on top of a ~$5,750/yr license, and then you host, patch, scale, and build the admin UI, MFA, and audit trail yourself. Cheap-looking line item, enormous real bill.)*
Frequently asked
Why do I have to pay extra for SSO?
For most vendors, you don't pay extra because SSO costs them more. It doesn't. You pay extra because security and compliance features are the ones you're least able to refuse, so they're the most profitable to gate. SAML is a settled, twenty-year-old standard; the marginal cost of enabling it for one more tenant rounds to zero.
What is the "SSO tax"?
The practice of charging a premium (usually per connection, often $75–$125/mo each, or by forcing an Enterprise-tier upgrade) to turn on single sign-on. There's a public list of offenders at sso.tax. It's a tax on doing the responsible thing, collected at the moment you have the least leverage to say no.
How much does SSO cost at Auth0, WorkOS, and Clerk?
On their published June 2026 rates: WorkOS bills about $125/mo per SSO connection (plus another ~$125 for SCIM); Clerk gives you one free connection, then about $75/mo each after. Auth0 is the odd one out: it includes one enterprise connection and SCIM free up to 25k MAU, then removes SSO from its paid self-serve plans and routes production or multi-connection use to a quote-only B2B track. At ten enterprise customers, WorkOS and Clerk run roughly $15k and $8.1k a year for SAML alone; Auth0 won't publish a number for it. Figures change, so check each vendor's current pricing page.
Is there a free tier?
Yes. Free up to 250 monthly active users, every feature included, and (unlike every other free tier) unlimited SSO/SAML connections, not just one. It's capped only on scale: cross 250 MAU and you move onto a paid plan. No credit card, no SLA, community support.
Do I have to upgrade my plan to add another OAuth client or application?
Not with us. Applications aren't a paywalled axis, so you register one per app or service without changing tiers. Several providers do cap or meter clients (especially machine-to-machine ones), which is what forces the choice between reusing a client you shouldn't and paying for the next tier.
You can tell a lot about a company from what it charges you for. Most auth vendors charge for things that cost them nothing: a SAML flag, a SCIM flag, a row for one more client. Ours comes down to a single line: pay for how big you get, not for which switches you're allowed to flip.
Here's exactly who charges for what, vendor by vendor. SSO's on our side of the table, at no extra charge, and so is the eleventh client you didn't know you'd need. See it priced for your numbers.
Top comments (0)