This article looks at the practice of SaaS vendors placing Single Sign-On (SSO) capabilities behind premium pricing tiers, effectively turning a fundamental security feature into a premium offering.

Due to higher awareness of and need for security, as well as new regulation and security frameworks (such as ISO 27001 and NIST CF), it has become more or less a must-have for many organisations to be able to manage users centrally.
This is a good thing. We have the technology, the standards and the knowledge to do so. It has, however, become a toxic meme for SaaS vendors to have a pricing tier structure where you need to pay for the highest tier to get to use SSO with their service.
Effectively, this is weaponizing SSO to force companies into a higher tier than they need in order to access best-practice security that is often demanded by regulation or by customers.

"Ohh, you want passwords longer than eight characters for your accounts? That will be an extra $2 / user / month."

"Ohh, you want to enable two-factor authentication to log in? That will be an extra $3 / user / month."

"Ohh, you want to manage access to the application yourself? That will be an extra $5 / user / month."