Independent reference. Not affiliated with any zero trust vendor. Updated Q2 2026.
ZeroTrustCost

The SSO tax: what SAML/SSO really adds to a zero trust rollout

Consolidating your SaaS estate behind one identity provider is step one of the identity pillar, and the part everyone assumes is free. The engineering is cheap. The licensing is not. Most SaaS vendors gate SAML and OIDC single sign-on behind an enterprise tier, and that surcharge, the so-called SSO tax, compounds across every application you federate. This page sizes it, shows where it bites, and lists the levers that contain it. Figures dated June 2026 with sources.

What it is

A surcharge, not a feature fee

The SSO tax is rarely a clean add-on price. Vendors lock SAML/OIDC behind their top tier, so you pay for everything else in that tier to get the one capability zero trust requires.

Single sign-on is the foundation of the identity pillar. You federate every SaaS application to one identity provider so that conditional access, phishing-resistant MFA, and joiner-mover-leaver deprovisioning apply uniformly, instead of each app carrying its own island of credentials. Technically this is well-trodden: SAML and OIDC are mature standards and most identity teams can wire up an application in hours.

The cost is not the engineering. It is that a large share of SaaS vendors do not sell SSO as a modest add-on. They gate it behind an enterprise tier that bundles SSO with seats, support levels, and features you may not need, then price that tier well above the plan you are on. The community catalogue at ssotax.org exists precisely to document this: hundreds of vendors whose SSO-enabled plan costs more than 10% above their standard plan, many of them several times more.

The magnitude

Documented markups

A sample from ssotax.org (accessed June 2026). The markup is the jump from the standard plan to the cheapest plan that unlocks SSO, expressed per user per month.

| Vendor | Standard plan | Cheapest SSO plan | Markup |
| --- | --- | --- | --- |
| 1Password | $4 / user / mo | $8 / user / mo | +100% |
| Figma | $12 / user / mo | $45 / user / mo | ~+275% |
| GitHub | $4 / user / mo | $21 / user / mo | +425% |

Source: ssotax.org Wall of Shame, accessed June 2026. These are list prices and change with vendor packaging; treat them as illustrative of the pattern, not a current rate card. ssotax.org also lists many vendors that price SSO as "contact sales" with no published figure at all.

The compounding

Why it is a portfolio problem, not an app problem

One app's SSO upcharge looks like a rounding error. The identity pillar federates dozens of apps at once, and the surcharge stacks.

The most common SSO consolidation in a zero trust programme federates fifteen to forty SaaS applications to a single identity provider. The internal engineering for that, the SAML/OIDC setup with vendor support, typically runs $40,000 to $200,000 in time, and that is the number most plans budget for.

What the plan often misses is that some fraction of those applications charge an SSO surcharge to enable federation at all. Per application that surcharge commonly lands at $5,000 to $25,000 per year once the per-seat uplift is multiplied across your user count. If ten of your thirty federated apps carry a tax in that band, you have added $50,000 to $250,000 of recurring licensing that appears nowhere in the identity-platform quote, because it is buried inside each application's own renewal. That is the line that turns a clean SSO business case into an awkward one at the finance review.

Containing it

Four levers that move the bill

The SSO tax is list pricing applied per vendor, which means it is negotiable, avoidable, or substitutable in most cases.

Audit before you assume. Treat every in-scope application's SSO-tier price as a known unknown until you have read the contract. Budget the delta between the plan you are on and the cheapest SSO-capable plan, per app, before committing to consolidation.

Negotiate it. The SSO surcharge is list pricing and is frequently discounted, particularly at renewal or when you are adding seats. A vendor that wants your expansion will often waive or cut the enterprise-tier uplift to keep the account.

Prefer base-tier SSO. A growing number of developer-first B2B platforms now include SSO, and sometimes SCIM, in their free or base tier. Where you have a genuine vendor choice, on-by-default identity support is a real total-cost advantage, not a nice-to-have.

Proxy the long tail. For low-risk applications with few users where the enterprise tier is not worth it, front the app with an identity-aware proxy (Cloudflare Access, Entra App Proxy, Google IAP) at roughly $5 to $10 per user per month. You get conditional access and a single front door without paying the vendor's SSO upcharge.

Related

Where this sits in the budget

The SSO tax is one line in the identity pillar and one of the recurring hidden costs of a zero trust programme.

Frequently asked

SSO tax questions

What is the SSO tax?

The SSO tax is the premium a SaaS vendor charges to turn on SAML or OIDC single sign-on, almost always by gating SSO behind a higher-priced enterprise tier rather than selling it as a standalone add-on. Because federating an app to your identity provider costs the vendor almost nothing in infrastructure (Clerk's analysis puts the underlying SAML federation cost at roughly $0.015 per monthly active user), the upcharge is a packaging decision, not a cost-recovery one. The public catalogue at ssotax.org documents hundreds of vendors whose SSO-enabled plan costs more than 10% above their standard plan.

How much does the SSO tax add per application?

It varies enormously because it is tied to whichever enterprise tier the vendor gates SSO behind, not to a fixed SSO fee. Documented markups at ssotax.org (accessed June 2026) range from around 100% (1Password moves from $4 to $8 per user per month) to several hundred percent (GitHub from $4 to $21, a 425% jump; Figma from $12 to $45, roughly 275%) up to extreme outliers in the thousands of percent. In absolute terms, for a mid-sized application the surcharge commonly lands at $5,000 to $25,000 per year per application once you multiply the per-seat uplift across your user count.

Why does the SSO tax matter for zero trust specifically?

Single sign-on consolidation is step one of the identity pillar: you federate your SaaS estate to one identity provider so that conditional access, MFA, and lifecycle deprovisioning apply everywhere. Guidance that calls SSO migration 'mostly free internal engineering time' is only half right. The engineering is cheap; the licensing is not. An organisation federating 15 to 40 applications can find the SSO tax adds a six-figure annual line that never appears in the identity-platform quote, because it is buried in each application's own renewal.

How do you reduce or avoid the SSO tax?

Four levers. First, audit every SaaS contract for its SSO-tier price before you assume consolidation is free, and budget the delta. Second, negotiate: the SSO surcharge is list pricing and is frequently discounted, especially at renewal or when you are expanding seats. Third, prefer vendors that include SSO and SCIM in their base or free tier (a growing number of developer-first B2B platforms now do). Fourth, for low-risk, low-user apps where the enterprise tier is not worth it, front them with an identity-aware proxy (Cloudflare Access, Entra App Proxy, Google IAP) at $5 to $10 per user per month rather than paying the vendor's SSO upcharge.

Is the SSO tax the same as the SCIM tax?

They travel together but are not identical. SSO governs authentication (who can log in); SCIM governs automated provisioning and deprovisioning (creating and removing accounts as people join and leave). Both are usually locked behind the same enterprise tier, so paying the SSO tax often buys SCIM as well. From a zero trust standpoint SCIM matters as much as SSO: without automated deprovisioning, departed users keep live accounts, which is exactly the standing-access risk zero trust is meant to remove.

Sources
  1. ssotax.org, the public catalogue of SaaS vendors charging an SSO premium (Wall of Shame; markup examples accessed June 2026). https://ssotax.org
  2. Clerk, The real cost of enterprise SSO: per-connection vs per-MAU pricing (SAML federation infrastructure cost estimate). https://clerk.com/articles/the-real-cost-of-enterprise-sso-per-connection-vs-per-mau-pricing

Markup figures accessed and verified at ssotax.org in June 2026. They are vendor list prices and change with packaging; use them as illustrative of the pattern, not a current quote.