Security Boulevard recently shared that 80% of the SaaS applications used by employees are not in their SSO portals. The main challenges include the cost of SSO and the lack of support by SaaS vendors.
We need to democratize SSO for everyone, including SaaS customers and vendors!
Now the cost for SaaS vendors to implement SSO is enormous. It usually takes 3-6 months to implement the 1st version and requires constant maintenance. Then SaaS vendors pass the huge cost to their customers. That's the partial reason that you see this SSO wall of shame. https://sso.tax
SaaS vendors need a new and much cost-effective way to implement SSO.
Top comments (4)
I'm a little skeptical of these findings.
As the Director of Infrastructure for a B2B SaaS Product, I'm not only our SSO Admin for the company, I also have the unique perspective of being the Lead SSO Support Engineer for the past 8 years on our Product. I've worked with all the major vendors in the game on both sides of the integration.
Should SSO be more accessible? Yes, only 50% of our customers integrate their SSO portals with our product, but there are many SSO options today with low entry barriers. Teams as small as 5 can easily get set up with SSO and integrated with their applications within hours, not days, weeks, or months. You don't need to convert everything to SSO to launch the service either, you can start with core services and add more over time.
Should More SaaS Products implement SSO? I agree with the general premise, but I have doubts around the reported percentage of non-SSO SaaS products.
My organization (~ 200 employees) leverages Dozens of different SaaS products across Engineering, Product, Sales, Customer Support, Finance, and Operations. I'd say ~ 80% of them have SSO, but I will concede that some services do charge a premium for the feature. IMO, if you connect with SSO, you should receive a discount as it reduces the liability of the third party.
From the engineering perspective, it's trivial to add the feature with the applications that make up our platform (Ruby & Javascript). These features can be implemented by a developer team over the course of a few weeks.
Thanks for sharing your experience, Joe. I agreed with what you said except the last point: SaaS vendors can implement SSO by a developer team over the course of a few weeks.
First of all, my assumption is that the engineers have not done such a thing before. They need to learn the OIDC/SAML protocol from scratch.
My estimation is 3-6 month engineering time to support 2 major identity providers, e.g., Okta, Azure AD. Later on, if they need to add support for other identity providers, e.g., ForgeRock, Google workspace, Ping, OneLogin, they need a couple of weeks at least engineering time for each of them.
To give you an example, one of my friends was involved in implementing SSO for their company's SaaS. It took 3 engineers 3 months.
I can’t speak for every programming language or framework, but I imagine most have a community-driven dependency or plugin that can cut down on implementation time. For Node, passport.js makes this possible within a half day for a junior engineer, maybe a day if they’ve never used a dev SSO instance like okta before
You can talk to your engineering team to get a better understanding how much effort is needed. Our experience is different from what said.