SSO: When Does It Actually Make Sense?

Single Sign-On (SSO) is one of those things that sounds amazing in the sales pitch and gets complicated fast in reality.

One password for everything. Instant access to all your tools. Centralized control over who gets in. Employees don't have to remember 47 passwords. Security team manages everything from one place.

Perfect, right?

Except the SSO provider wants $11/user/month. Salesforce charges an extra $150/user/month for the tier that supports SSO. Your project management tool just doubled its price to enable it. And your accounting software doesn't support SSO at all.

Here's when SSO actually makes sense—and when it's just expensive security theater.

What SSO Actually Solves

Before evaluating if you need SSO, understand what problem you're actually solving.

The Authentication Problem

Without SSO:

• Employee logs into email (password 1)
• Opens CRM (password 2)
• Checks project management (password 3)
• Accesses accounting (password 4)
• Uses communication platform (password 5)
• Reviews analytics (password 6)

12 systems = 12 passwords. People reuse passwords. Security suffers.

With SSO:

• Employee logs into identity provider once
• All connected apps trust that authentication
• Click to access any system, no additional login
• One password to remember (or MFA prompt to approve)

The real benefit: Reduced password fatigue, better security because people stop reusing passwords, centralized access control.

The Offboarding Problem

Without SSO:

Someone leaves the company. Now you need to:

• Disable email account
• Remove from CRM
• Delete from project management
• Revoke accounting access
• Remove from communication platform
• Check 47 other systems for access
• Hope you didn't miss anything

With SSO:

Disable their account in the identity provider. They're immediately logged out of everything connected to SSO. One action, comprehensive revocation.

The real benefit: Instant access termination, no archaeological hunt through systems, reduced risk from overlooked access.

The Provisioning Problem

Without SSO:

New employee starts. IT manually:

• Creates email account
• Sets up CRM access
• Adds to project tools
• Grants appropriate permissions
• Configures communication platform
• Repeats for every business system
• Takes hours, inevitable delays

With SSO:

Create account in identity provider, assign to groups, provisioning flows automatically create accounts in connected systems with appropriate permissions.

The real benefit: Faster onboarding, consistent access, less manual IT work.

SSO solves real problems. The question isn't whether it's valuable—it's whether it's worth the cost for your specific situation.

The Real Cost of SSO

Let's do the actual math for a 40-person company.

SSO Provider Costs

Google Workspace (Business Plus tier required):

• $18/user/month (includes email, storage, SSO via Google Identity)
• 40 employees = $720/month = $8,640/year
• Note: You're already paying for email, SSO is included at this tier

Microsoft Entra ID (Azure AD):

• Free tier: Basic directory, no SSO (P1 or P2 required for SSO)
• P1: $6/user/month (SSO, conditional access, group-based access)
• P2: $9/user/month (adds identity protection, governance)
• 40 employees × $6 = $240/month = $2,880/year (added to Microsoft 365 costs)

Okta Workforce Identity:

• Starter: Not available (min 25 users, $2/user/month for very limited features)
• Workforce Identity: $8/user/month (real SSO features)
• Enterprise: $15/user/month (advanced security, automation)
• 40 employees × $8 = $320/month = $3,840/year

JumpCloud:

• Starter: Free up to 10 users (basic directory)
• Standard: $11/user/month (SSO, LDAP, RADIUS)
• Premium: $21/user/month (conditional access, device trust)
• 40 employees × $11 = $440/month = $5,280/year

OneLogin:

• Starter: $2/user/month (very limited, max 3 apps)
• Advanced: $8/user/month (unlimited apps, real SSO)
• 40 employees × $8 = $320/month = $3,840/year

The SSO Tax: Application Tier Upgrades

Here's where it gets expensive. Most SaaS applications gate SSO behind enterprise tiers.

Salesforce:

• Professional: $75/user/month (no SSO)
• Enterprise: $150/user/month (includes SSO)
• SSO cost: +$75/user/month
• 10 sales team members = $750/month = $9,000/year for SSO capability

Slack:

• Pro: $7.25/user/month (no SSO)
• Business+: $12.50/user/month (includes SSO)
• Enterprise Grid: Custom (definitely includes SSO, definitely expensive)
• SSO cost: +$5.25/user/month
• 40 employees = $210/month = $2,520/year

Zoom:

• Pro: $14.99/user/month (no SSO)
• Business: $19.99/user/month (includes SSO)
• SSO cost: +$5/user/month
• 40 employees = $200/month = $2,400/year

Asana:

• Starter: $10.99/user/month (no SSO)
• Enterprise: Custom pricing (includes SSO)
• SSO cost: Estimated +$12/user/month based on typical enterprise pricing
• 40 employees = $480/month = $5,760/year

Real total for SSO implementation:

• SSO provider: $3,840/year (Okta)
• Salesforce upgrade: $9,000/year
• Slack upgrade: $2,520/year
• Zoom upgrade: $2,400/year
• Asana upgrade: $5,760/year

Annual cost: $23,520 for a 40-person company to enable SSO across 4 major applications.

That's not a typo. Twenty-three thousand dollars annually.

When SSO Actually Makes Sense

Given those costs, when is SSO worth it?

Scenario 1: You're Already at Enterprise Tiers

If you're paying for:

• Salesforce Enterprise (need advanced features anyway)
• Enterprise-tier communication tools (compliance requirements)
• Advanced analytics and BI platforms
• Industry-specific applications with complex needs

Then: The marginal cost of SSO is zero or minimal. You're paying for the tier regardless, SSO is included. Absolutely enable it.

Scenario 2: Compliance Requirements

If your customers or industry require:

• SOC 2 Type II certification
• ISO 27001 compliance
• HIPAA security controls
• Financial services regulations
• Government contractor requirements

Then: SSO becomes a checkbox on security questionnaires. Customer contracts may require it. The cost isn't optional—it's cost of doing business in your market.

Reality check: SOC 2 doesn't strictly require SSO, but auditors expect centralized access control. You can argue alternatives, but SSO is the path of least resistance.

Scenario 3: High Employee Turnover

If you have:

• Frequent role changes (monthly access updates for 20%+ of staff)
• Seasonal hiring and offboarding
• Contractor/consultant churn
• Rapid team scaling

Then: The time saved on provisioning and deprovisioning justifies the cost. Calculate IT hours spent on access management monthly, multiply by hourly cost, compare to SSO expense.

Example math:

• 10 employee changes per month
• 2 hours per employee managing access across systems
• 20 hours monthly × $75 loaded IT cost = $1,500/month
• SSO cost: $1,100/month (provider + app upgrades)
• Break-even, plus faster execution and reduced risk

Scenario 4: 100+ Employees

At scale:

• Per-user SSO costs drop (volume pricing)
• Application upgrades you need anyway
• IT team needs centralized control
• Security complexity demands it

At 100 employees:

• Okta: $6/user/month (negotiated from $8)
• Application upgrades: Often already required for features
• Total cost: Still expensive but percentage of IT budget drops
• Security value increases with attack surface

Scenario 5: Security Incident History

If you've experienced:

• Account compromises from password reuse
• Delayed offboarding causing data access issues
• Audit findings on access control
• Customer security concerns

Then: SSO is insurance and remediation. The cost of one breach likely exceeds 5 years of SSO investment.

When SSO Doesn't Make Sense

Let's be equally clear about when SSO is overkill.

You Have Fewer Than 50 Employees

The math doesn't work:

• SSO costs: $15K-30K annually
• Password manager (Bitwarden): $1,800 annually
• Difference: $13K-28K saved

What you lose:

• Single sign-on convenience (but password managers auto-fill anyway)
• Centralized deprovisioning (but offboarding checklist works)
• Automated provisioning (but onboarding is manageable at this scale)

What you gain:

• $13K-28K for actual business needs
• Simpler infrastructure
• No vendor lock-in to SSO provider

Your Applications Don't Support SSO

Common scenarios:

• Industry-specific legacy tools (common in manufacturing, healthcare, finance)
• Small vendor products (can't afford enterprise features)
• Custom-built internal systems (would need to add SAML/OIDC support)
• Consumer-tier tools that work fine for business

If 60% of your applications can't connect to SSO, you're paying for partial coverage and still managing passwords for everything else.

Better approach: Password manager for everything, MFA on critical systems.

You're Budget-Conscious and Growing

Early-stage priorities:

• Hire the next team member
• Build the product
• Acquire customers
• Establish market fit

SSO can wait until you're at a stage where enterprise customers demand it or compliance requires it.

We've seen too many 30-person startups spend $20K on SSO to appear "enterprise ready" while their product needed investment. The customer checking your security didn't sign anyway.

Your Team Is Technically Unsophisticated

SSO adds complexity:

• Identity provider configuration
• SAML/OIDC setup per application
• Debugging authentication flows
• Handling edge cases and exceptions

If your team struggles with basic IT, SSO creates dependency on specialists or expensive consultants.

Simpler alternative: Password manager + good processes. Less sophisticated, but your team can manage it.

The Hybrid Approach That Actually Works

You don't have to choose all-or-nothing with SSO.

Core SSO for Critical Systems

Enable SSO for:

• Email and productivity suite (Google/Microsoft—already included)
• CRM with customer data
• Accounting and financial systems
• Communication platforms
• Admin access to infrastructure

Use password manager for:

• Small vendor tools
• Industry-specific applications
• Legacy systems without SSO support
• Rarely-used services
• Tools with shared accounts

Cost comparison (40 employees):

• Full SSO: $23,520/year
• Hybrid: $8,640/year (Google Workspace only) + $1,800 (password manager) = $10,440/year
• Savings: $13,080/year

What you lose:

• Single sign-on for non-critical tools
• Automated provisioning across all systems

What you keep:

• SSO for systems that matter most
• Centralized control for critical access
• 56% cost reduction

Google/Microsoft as Your SSO Provider

If you're using:

• Google Workspace or Microsoft 365 already
• Applications that support Google/Microsoft identity
• Standard business tools (many support these natively)

Then: You already have SSO capability included. Don't pay for a separate provider.

Limitations:

• Fewer advanced security features than dedicated SSO providers
• Some enterprise apps want "real" SSO providers (Okta, OneLogin)
• Less flexibility in authentication policies

For most mid-sized businesses: These limitations don't matter. Google/Microsoft SSO is sufficient.

MFA + Password Manager as SSO Alternative

The poor man's SSO:

1. Require MFA on all critical systems

   • Email (everything resets through email)
   • Banking and accounting
   • CRM and customer data
   • Admin access

2. Password manager for credentials

   • Bitwarden, 1Password for teams
   • Shared vaults for team accounts
   • Auto-fill reduces friction

3. Offboarding checklist

   • Documented list of all systems
   • Systematic access revocation
   • Shared credentials changed

Cost: $2,500/year total Functionality: 80% of SSO benefit at 10% of the cost Trade-off: More manual processes, no automated provisioning

This is what we recommend for most growing businesses under 75 employees. It works.

Evaluating SSO Providers

If you've decided SSO makes sense, here's how to choose.

Application Coverage

Check which apps you use support each provider:

• Okta: Widest application coverage (7,000+ integrations)
• OneLogin: Good coverage (6,000+ integrations)
• Microsoft Entra ID: Best for Microsoft-heavy environments
• Google Workspace: Good for Google-oriented tools
• JumpCloud: Solid coverage, plus LDAP/RADIUS for legacy

Critical question: Do 80%+ of your business applications support this provider? If not, you're paying for partial coverage.

Pricing Transparency

Red flags:

• "Contact sales" for pricing (translation: expensive and negotiable)
• Per-app charges on top of per-user
• Essential features gated behind highest tier
• Data transfer or API call charges

Green flags:

• Public pricing on website
• Clear tier differences
• Volume discounts spelled out
• No hidden fees for reasonable usage

Support Quality

At $3,840-5,280/year, you deserve:

• Technical support that responds within hours
• Documentation that doesn't assume you're an enterprise architect
• Community or forum for common issues
• Migration assistance from previous solution

Ask during evaluation:

• What's included support response time?
• Do you charge extra for implementation help?
• What happens when authentication is down?

Lock-in Risk

Questions to ask:

• How easy is it to export our configuration?
• If we leave, what happens to user accounts?
• Do applications work if your service is down?
• Can we test failover scenarios?

SSO is critical infrastructure. Being locked to a provider who raises prices 40% next year puts you in a bad negotiating position.

Implementation Reality Check

Buying SSO is step one. Making it work is where companies stumble.

Timeline for SSO Deployment

Month 1: Foundation

• Choose and configure SSO provider
• Set up identity provider (Google, Microsoft, Okta, etc.)
• Configure user directory and groups
• Test authentication flows

Month 2: Core Applications

• Connect email and productivity suite
• Integrate CRM (often complex)
• Connect communication platforms
• Test with pilot group (5-10 users)

Month 3: Broader Rollout

• Additional business applications
• Test provisioning and deprovisioning
• Train IT staff on management
• Document processes

Month 4: Company-wide

• Migrate all users
• Enforce SSO for configured apps
• Disable old authentication methods
• Monitor for issues

Realistic timeline: 4-6 months to full deployment for 40-person company.

Common Implementation Problems

Application doesn't support the provider:

• You chose Okta, but critical app only supports SAML via custom configuration
• Vendor charges consulting fees to enable SSO
• Feature documentation is enterprise-only

User experience breaks:

• Authentication loops (redirects in circles)
• Mobile apps don't support SSO
• Shared devices need constant re-authentication
• Browser extensions interfere with flows

Provisioning doesn't work as advertised:

• Automated account creation fails for complex roles
• Deprovisioning doesn't fully remove access
• Group mappings don't sync correctly
• Manual intervention required frequently

Cost spirals:

• Applications charge extra for SSO tier
• Need consultants to implement properly
• User growth increases costs faster than budgeted
• Hidden charges for API calls or data sync

Budget 50% more time and 25% more money than the sales pitch suggests. SSO implementations always hit complexity.

The Decision Framework

Here's how to make the call for your business.

Calculate Your SSO Tax

1. List all business applications
2. Check current tier and SSO tier pricing
3. Calculate upgrade cost for each
4. Add SSO provider annual cost
5. Total = your real SSO cost

If the number makes you wince, SSO probably doesn't make sense yet.

Evaluate Alternatives

Can you achieve the goals with:

• Password manager + strong policies?
• MFA on critical systems?
• Documented offboarding checklist?
• Regular access audits?

If yes: Save the money. Implement good security hygiene instead.

Consider Your 18-Month Roadmap

If you're planning:

• Pursuing enterprise customers (they'll ask about SSO)
• SOC 2 certification (makes SSO much easier)
• Doubling headcount (provisioning becomes burdensome)
• Adding sensitive customer data (compliance may require it)

Then: SSO might make sense to implement now, even if not strictly necessary today.

If you're planning:

• Staying lean and profitable
• Focusing on SMB customers (don't care about SSO)
• Maintaining current team size
• Building product, not scaling operations

Then: Defer SSO until circumstances change.

What We Actually Recommend

For companies under 50 employees:

Skip dedicated SSO providers. Use Google Workspace or Microsoft 365's included SSO for apps that support it. Password manager + MFA for everything else.

Annual cost: $8,640 (Google Business Plus for 40 employees) + $1,800 (Bitwarden) = $10,440

For companies 50-100 employees:

Evaluate based on application coverage and compliance needs. If 80%+ of your apps support Google/Microsoft SSO, stick with that. If you need broader coverage or compliance, budget for Okta or OneLogin.

Annual cost: $15,000-25,000 depending on application upgrade requirements

For companies 100+ employees:

SSO is worth it. Choose based on application ecosystem (Microsoft-heavy = Entra ID, diverse = Okta). Budget appropriately for application tier upgrades.

Annual cost: $30,000-60,000 depending on application stack

The Bottom Line

SSO is genuinely useful. It solves real problems. But it's expensive, and for many growing businesses, the cost doesn't justify the benefit.

A password manager with MFA gets you 80% of the security value at 10% of the cost. That's the right choice for most companies under 75 employees.

When customers start asking about your SSO capability, when compliance requires centralized access control, when you're managing 50+ employee changes annually—then SSO makes sense.

Until then? Implement good password hygiene, enable MFA where it matters, and invest the $20K you would have spent on SSO in growing the business.

The best security investment is the one you'll actually implement and maintain. For most growing companies, that's not SSO. Yet.