
I read your comment as saying that SSO is denied to “regular” (non-enterprise) customers because enterprise customers would buy the regular product if it was included there, thus pointing out that all the other “enterprise” needs (terms, etc) aren’t real?





Most enterprise features are nice-to-haves. SSO is a must-have for companies with enough security or compliance ceremony, which includes most enterprises.

Small companies don't need SSO because when an employee leaves, they just go into all their SaaS and remove the user or change the password. A large company can't work without SSO because in an org with hundreds of users they can't log in to each SaaS and disable and enable everyone coming and going at the company, which is many per month in some cases.

If smaller/early stage shops adopt SSO and other sensible practices early on, it makes scaling easier and cheaper in the long run.

I’ve gone through a few “migrations to SSO” after years of non-SSO with customers in the past and it’s a fucking expensive nightmare.


> I’ve gone through a few “migrations to SSO” after years of non-SSO with customers in the past and it’s a fucking expensive nightmare.

Yet the customers still paid, so it was worth it for them.


> Small companies don't need SSO

This is incorrect.


This is very much correct, and quite self-evident: they live without, therefore they don't need it. Wanting something != needing it. Companies that actually need SSO are the ones that have internal or external compliance requirements, and/or for which managing users without SSO becomes prohibitively expensive. Turns out, at that point, they're willing to pay through the roof for it.

> quite self-evident: they live without, therefore they don't need it

Lots of people live without things others observe they need. Doesn't make going without a good idea.

> Companies that actually need SSO are the ones that have internal or external compliance requirements...

This logic is backwards.

Why do you think SSO is a "requirement" that security certifications or compliance policies look for? Why did that come to be? Who does SSO benefit? Are those personas relevant for only large companies or small ones too?

Do beginning drivers not “need” seatbelts or brakes? Or are these devices only needed to avoid tickets and pass inspection?


One thing worth pointing out. If you don’t mind using GitHub or Google you can get “SSO at home” for a lot of things, since most SaaS provide Google/Github login in their lower priced tiers. It will usually be OIDC based and not SAML, but it’s definitely possible to use these providers up to a quite significant scale.

Why? You use SSO in your personal life all the time. Why would you not want to continue doing so in your business?

If anything, small companies need SSO more than any others - those companies usually outsource a lot (SaaS vs a dedicated hire), managing credentials is annoying.


So we agree that small companies do need it.

Yep, just like people don’t need healthcare.

Depends on the definition of "small" which I take to mean early stage startups.

SSO has lots of other benefits. MFA primarily. This is non-negotiable these days, even for the smallest company. I’ve not seen many services supporting this without SSO.

Don’t get me started on the services that have their own smart ideas on what constitutes a safe password. Max 8 characters with no repeated letters and of which 4 must be an emoji, with automatic logout every 12 minutes. Yes those still exist.

Password policies are things you want control over in your IdP to avoid all this BS. SSO really should be standard.


> This is non-negotiable these days, even for the smallest company.

Says who?

In reality, users don't care. Regulators, however, sometimes do, which leads to certifications and compliance requirements - and only then SSO and MFA become non-negotiable.


I work with a variety of small companies (5-25 FTEs) that are increasingly facing strict MFA requirements in order to maintain insurance. SSO isn’t an explicit requirement, but there are a myriad of general access requirements that they struggle to follow without some level of centralization via federated identity/SSO.
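The deprovisioning problem raised earlier in the thread (leavers must be removed from every SaaS by hand when there is no SSO) and the MFA requirements mentioned in this last comment both reduce to an audit question: which SaaS accounts have no matching active identity, and which lack MFA? The following is an added illustration, not code from any commenter; the roster and per-app account lists are constructed sample data and the dict shapes are assumptions.

```python
"""Offboarding audit: reconcile per-SaaS local accounts against the directory.

Constructed example for the discussion above. Without SSO each SaaS keeps
its own user list, so this is the check an admin would otherwise run by
hand: flag accounts whose owner is not active in the IdP (orphaned) and
accounts without MFA. Data below is made up; the dict layout is assumed.
"""
from dataclasses import dataclass

# Constructed: the authoritative roster from the directory / IdP.
IDP_USERS = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "disabled",   # left the company last month
}

# Constructed: local accounts as each vendor's admin export would list them.
SAAS_ACCOUNTS = {
    "ticketing": [
        {"email": "alice@example.com", "mfa": True},
        {"email": "carol@example.com", "mfa": True},   # never removed after leaving
    ],
    "billing": [
        {"email": "Bob@Example.com", "mfa": False},    # case differs; no MFA
        {"email": "dave@example.com", "mfa": False},   # unknown to the directory
    ],
}

@dataclass(frozen=True)
class Finding:
    app: str
    email: str
    issue: str   # "orphaned" or "no_mfa"

def normalize(email: str) -> str:
    # Vendors differ in case handling; compare on a canonical form.
    return email.strip().lower()

def audit(idp_users: dict, saas_accounts: dict) -> list:
    active = {normalize(e) for e, s in idp_users.items() if s == "active"}
    findings = []
    for app, accounts in saas_accounts.items():
        for acct in accounts:
            email = normalize(acct["email"])
            if email not in active:
                findings.append(Finding(app, email, "orphaned"))
            if not acct.get("mfa", False):
                findings.append(Finding(app, email, "no_mfa"))
    return sorted(findings, key=lambda f: (f.app, f.email, f.issue))

if __name__ == "__main__":
    for f in audit(IDP_USERS, SAAS_ACCOUNTS):
        print(f"{f.app:10} {f.email:20} {f.issue}")
```

With SSO the "orphaned" class disappears by construction, since disabling the identity in the IdP revokes access everywhere; without it, this reconciliation has to be repeated for every vendor export.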


