The SSO tax: what SAML/SSO really adds to a zero trust rollout
Consolidating your SaaS estate behind one identity provider is step one of the identity pillar, and the part everyone assumes is free. The engineering is cheap. The licensing is not. Most SaaS vendors gate SAML and OIDC single sign-on behind an enterprise tier, and that surcharge, the so-called SSO tax, compounds across every application you federate. This page sizes it, shows where it bites, and lists the levers that contain it. Figures are dated June 2026 and sourced at the end of the page.
A surcharge, not a feature fee
The SSO tax is rarely a clean add-on price. Vendors lock SAML/OIDC behind their top tier, so you pay for everything else in that tier to get the one capability zero trust requires.
Single sign-on is the foundation of the identity pillar. You federate every SaaS application to one identity provider so that conditional access, phishing-resistant MFA, and joiner-mover-leaver deprovisioning apply uniformly, instead of each app carrying its own island of credentials. Technically this is well-trodden: SAML and OIDC are mature standards and most identity teams can wire up an application in hours.
The cost is not the engineering. It is that a large share of SaaS vendors do not sell SSO as a modest add-on. They gate it behind an enterprise tier that bundles SSO with seats, support levels, and features you may not need, then price that tier well above the plan you are on. The community catalogue at ssotax.org exists precisely to document this: hundreds of vendors whose SSO-enabled plan costs more than 10% above their standard plan, many of them several times more.
Documented markups
A sample from ssotax.org (accessed June 2026). The markup is the jump from the standard plan to the cheapest plan that unlocks SSO, expressed per user per month.
| Vendor | Standard plan | Cheapest SSO plan | Markup |
|---|---|---|---|
| 1Password | $4 / user / mo | $8 / user / mo | +100% |
| Figma | $12 / user / mo | $45 / user / mo | ~+275% |
| GitHub | $4 / user / mo | $21 / user / mo | +425% |
Source: ssotax.org Wall of Shame, accessed June 2026. These are list prices and change with vendor packaging; treat them as illustrative of the pattern, not a current rate card. ssotax.org also lists many vendors that price SSO as "contact sales" with no published figure at all.
Why it is a portfolio problem, not an app problem
One app's SSO upcharge looks like a rounding error. The identity pillar federates dozens of apps at once, and the surcharge stacks.
The most common SSO consolidation in a zero trust programme federates fifteen to forty SaaS applications to a single identity provider. The internal engineering for that, the SAML/OIDC setup with vendor support, typically runs $40,000 to $200,000 in time, and that is the number most plans budget for.
What the plan often misses is that some fraction of those applications charge an SSO surcharge to enable federation at all. Per application that surcharge commonly lands at $5,000 to $25,000 per year once the per-seat uplift is multiplied across your user count. If ten of your thirty federated apps carry a tax in that band, you have added $50,000 to $250,000 of recurring licensing that appears nowhere in the identity-platform quote, because it is buried inside each application's own renewal. That is the line that turns a clean SSO business case into an awkward one at the finance review.
Four levers that move the bill
The SSO tax is list pricing applied per vendor, which means it is negotiable, avoidable, or substitutable in most cases.
Audit before you assume. Treat every in-scope application's SSO-tier price as a known unknown until you have read the contract. Budget the delta between the plan you are on and the cheapest SSO-capable plan, per app, before committing to consolidation.
Negotiate it. The SSO surcharge is list pricing and is frequently discounted, particularly at renewal or when you are adding seats. A vendor that wants your expansion will often waive or cut the enterprise-tier uplift to keep the account.
Prefer base-tier SSO. A growing number of developer-first B2B platforms now include SSO, and sometimes SCIM, in their free or base tier. Where you have a genuine vendor choice, on-by-default identity support is a real total-cost advantage, not a nice-to-have.
Proxy the long tail. For low-risk applications with few users where the enterprise tier is not worth it, front the app with an identity-aware proxy (Cloudflare Access, Entra App Proxy, Google IAP) at roughly $5 to $10 per user per month. You get conditional access and a single front door without paying the vendor's SSO upcharge.
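One way to run the audit and weigh it against the proxy lever, as an added example that is not part of the original page. Prices are the list prices from the table above; seat counts, the `low_risk` flags and the decision rule in `recommend` are assumptions made for illustration.

```python
# Added example: per-app SSO surcharge audit. Seat counts and low_risk flags are
# constructed; prices are the list prices quoted in the table on this page.
from dataclasses import dataclass

PROXY_LOW, PROXY_HIGH = 5.0, 10.0  # identity-aware proxy, $/user/month (page's range)

@dataclass
class App:
    name: str
    users: int
    standard: float   # plan you are on, $/user/month
    sso_plan: float   # cheapest SSO-capable plan, $/user/month
    low_risk: bool    # assumption: outcome of your own risk review

def annual_delta(app):
    """Yearly SSO surcharge: per-seat uplift x seats x 12 months."""
    return (app.sso_plan - app.standard) * app.users * 12

def recommend(app):
    """Assumed rule: compare the per-seat uplift with the proxy price band."""
    uplift = app.sso_plan - app.standard
    if uplift <= PROXY_LOW:
        return "federate"    # uplift is below even the cheapest proxy seat
    if app.low_risk and uplift > PROXY_HIGH:
        return "proxy"       # long-tail app where the enterprise tier is not worth it
    return "negotiate"       # keep vendor SSO, push on the list-price uplift

def audit(apps):
    """Return per-app rows and the total recurring surcharge for the portfolio."""
    rows = [(a.name, annual_delta(a), recommend(a)) for a in apps]
    return rows, sum(delta for _, delta, _ in rows)

INVENTORY = [  # constructed inventory
    App("1Password", 200, 4, 8, low_risk=False),
    App("Figma", 40, 12, 45, low_risk=True),
    App("GitHub", 120, 4, 21, low_risk=False),
]

if __name__ == "__main__":
    rows, total = audit(INVENTORY)
    for name, delta, lever in rows:
        print(f"{name:10} ${delta:>9,.0f}/yr  {lever}")
    print(f"{'total':10} ${total:>9,.0f}/yr")
```

With these inputs the 1Password uplift ($4 per seat) sits below the proxy price band, so proxying it would cost more than paying the vendor; the per-seat comparison is worth running before assuming the proxy is the cheaper route.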
Where this sits in the budget
The SSO tax is one line in the identity pillar and one of the recurring hidden costs of a zero trust programme.
- ssotax.org, the public catalogue of SaaS vendors charging an SSO premium (Wall of Shame; markup examples accessed June 2026). https://ssotax.org
- Clerk, The real cost of enterprise SSO: per-connection vs per-MAU pricing (SAML federation infrastructure cost estimate). https://clerk.com/articles/the-real-cost-of-enterprise-sso-per-connection-vs-per-mau-pricing
Markup figures accessed and verified at ssotax.org in June 2026. They are vendor list prices and change with packaging; use them as illustrative of the pattern, not a current quote.