Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Obligatory mention of the SSO tax: https://sso.tax/


So how exactly are open source software stacks supposed to make money if not by withholding enterprise features from the free version?

There’s a reason they all do it, and it’s because SSO is one of the few features enterprises are almost universally willing to pay for.


Heya, I work for a commercial auth provider but we provide a free version with unlimited SSO connections. (Details in profile if you are interested.) So I have a bias.

There's a number of ways for open source software stacks to make money, but I agree that finding features that companies with money will pay for is a great one.

I think Patio11 said it once, but SSO feels now like HTTPS felt in 2015. Used to be super expensive, but now should be "table stakes".

Other ways open source companies can make money:

- hosting (offers that sweet sweet recurring revenue)

- support (especially SLAs, which pair nicely with hosting)

- other enterprisey features, such as integrating with enterprisey tools (DataDog, SIEM tools)

- other auth features like fine grained authorization (RBAC, ABAC, PBAC) and provisioning (SCIM)

- control planes (I see this with tools like Cerbos and Permit which both offer fine grained authorization execution engines that are free, but charge for the control plane)

- certifications (SOC2, FIPS, HIPAA, PCI). this might not make sense in all cases, it does depend on the tool

- custom feature development (better if this is pulling forward planned development rather than something unplanned)

It's not easy, though.

I wrote more on my personal blog about freemium[0] and open-source[1] business models.

0: https://www.mooreds.com/wordpress/archives/3621

1: https://www.mooreds.com/wordpress/archives/3438


The problem is there's a huge gap between "We are a small company, and don't care about SSO" and Enterprise.

The company I work for is in the middle - anything where SSO is gated behind "Enterprise" is not even considered by us. We don't need 90% of the other "features" under the Enterprise plans, and most aren't willing to custom quote us for Basic+SSO.

Withhold it from free versions, sure - but definitely don't lock SSO only behind the most expensive option.


Locking SSO behind the Enterprise option works. Your company is an outlier that can be ignored.


Companies of that size are common. It would in isolation even be profitable to serve them. The problem is if you introduce a middle tier that includes SSO, many enterprises will go for that instead of the expensive enterprise tier you want them to buy. Basically, you sacrifice medium companies as customers in order to chase after that sweet enterprise money.


Companies of that size are served by the "enterprise call a salesperson" offering. If you really don't need all of the other features you can probably negotiate a discount.


That makes sense, but I still think there are other features that can be gated behind enterprise to help make sure that doesn't happen while still providing SSO for smaller companies.

You can have user limits on the non-enterprise plans (Microsoft does this, for example, with Business Premium locked at 300 users or less), or gate other features behind enterprise: Have MFA across the board, but lock conditional access behind enterprise, lock more advanced audit logs & reporting behind enterprise, lock RBAC behind enterprise, or data residency, custom security policies, API limits, etc.

There are numerous other features that are non-negotiable for enterprises to help funnel them into the enterprise plan, while still being able to service medium companies with SSO.


I'd hardly call a business with between 150-300 employees, that cares about SSO but doesn't need the full suite of enterprise features an outlier, I'd imagine that's fairly common nowadays.

Maybe in 2015 it was an outlier, but SSO is now a non-negotiable and with many of these businesses on M365 business premium, which includes EntraID P2, SSO is now accessible to a large number of companies where it wasn't before. It's no longer some niche enterprise only functionality, it's a bare minimum for business SaaS.


The fact you’re unwilling to even consider a product with SSO behind the enterprise license is what makes you an outlier, and frankly probably a bad customer.

And if you’re trying to negotiate custom, non standard licensing when you’ve only got 300 employees you will likely be a noisy customer in perpetuity.

No offense, that’s just how I’m betting 99% of folks read your response.


> There’s a reason they all do it, and it’s because SSO is one of the few features enterprises are almost universally willing to pay for.

Also, anyone who's dealt with SAML knows it's like licking lead-based paint. It's the knowledge equivalent of antimatter, every line of code you write costing you a point of IQ.

SSO has to bring in monthly recurring revenue, to cover the monthly recurring disability payments to the many people who've lost the ability to feed and dress themselves after reading too much of the xml-dsig spec.


withholding enterprise features from free versions isn't the problem, the problem is charging extortionate rates for an important security feature.

> "Decouple your security features from your value-added services...If your SSO support is a 10% price hike, you’re not on this list. But these percentage increases are not maintenance costs, they’re revenue generation because you know your customers have no good options."


Problem is lots of SSO implementation will be dealing with some arrogant architects claiming you know nothing and their semi broken SAML is something you should implement for them for free - repeat for 100 times for each customer having their own way of breaking the spec or using something crooked.

It is getting better with Entra P2 or Okta as it is couple of minutes to configure if you use good framework in your projects.

But the tax was because of what I wrote about in first place.


This is why at work, we're encouraging and recommending to use some kind of SSO, but we're basing our cost off of the customers IDP.

Some "green" IDP like O365 OIDC, Okta, Entra and such are usually included without extra cost (and will be self-service soon, too). Some "yellow" - usually SAML - IDPs come at a fixed fee. We know them, we know they are weird, but we can deal with it.

Other things are flagged as red and call in hourly billed projects and recurring maintenance fees. Like, one customer has an in-house developed SAML IDP written in PHP a decade ago or so. I want our customers to use SSO, but that's a level of jank I'm not supporting for free.


Some of these seem iffy. Looking at one at random with a seemingly excessive increase:

Coursera: $399 per u/y -> $49875 per year [7], 12400%

So, I check out the footnote:

[7] Coursera requires a minimum of 125 users to access SSO pricing. As they do not have an Enterprise price listed, this price just scales their lower cost tier up to 125 seats.

Dividing by 125 shows the SSO pricing is $399, so exactly the same as the non-SSO pricing. I fail to see how this is an SSO tax.

It might be that there is an SSO tax as the Enterprise price wasn't available to them, but listing it as 12400% increase seems like a deliberate attempt at deception.


looks legit to me.

I've used to work in small startup with ~10 people. The owner was always happy to pay for tools to developer productivity. We did not subscribe to Coursera, but in the theoretical case we'd all want to, the pricing would be:

10 users, no SSO: $3999/year

10 users, with SSO: $49875/year

It's an SSO tax, and a super hefty too. We'd probably balk at it and chose the less-secure option instead. And the fact that we'd get extra 116 licenses we had no need for is absolutely irrelevant, there is nothing we can do with it at all.


Even in your example, and assuming that the only feature that the enterprise plan offers is SSO, that's not even close to a 12400% increase, that's a 1147% increase.

My point was that saying the minimum order is 125 seats for enterprise, and so claiming that the price for a single seat is increase by 12400% is being deceptive.

If you buy a six-pack of beer, you don't say "This is terrible! I only wanted one beer and this six-pack is a 500% increase in price!". If you only want one beer, you just buy the single beer and leave the six-pack on the shelf.


If there is an option to buy a single beer on the shelf, sure. But in this case there is no such option.

Imagine you _really_ wanted to try Foobar beer. So you get to beer distributor, and you find out that while each bottle is just $5, the minimum order is a crate of 144 bottles and they give no samples.

In this case, you might say: "Yeah, I really wanted to try that beer but there is no way I am paying $720 for that". It's exactly the same here.

(re 1147% vs 12400% - sure, maybe you could argue you should not look at a single license, but rather at a pack of 5 or 10 licenses... but this does not change numbers much for Coursera, it's still huge increase.)




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: