What is the Cost of SSO and Password Management?

By 2030, the SaaS estate will look different. KPMG expects shadow SaaS (also known as business-led SaaS) to be more than 80 percent of the overall SaaS service layer in just 8 years. Naturally, most security teams are seeking ways to fortify their organization’s evolving, dynamic SaaS estate—many times, turning to legacy solutions like cloud access security brokers (CASB) or identity and access management (IAM) providers.  

Far too often, IAM, SSO, and password management tools have the same fate as CASB, with their decade-long run of failure. And just as CASB failed to keep pace with the changing SaaS service layer, identity and password management solutions have failed to keep pace security needs for identities. Besides developed IAM solutions like Okta, Ping Identity, OneLogin, and Microsoft Entra are Password Managers like LastPass or 1Password to at least provide some credential security for business users accessing SaaS outside identity/SSO management.

These SaaS identity solutions also leave a trail of failed attempts to govern SaaS identities, globally. But the reasons are different. Repeatedly, security teams reference the cost and diminishing returns of using these solutions to secure or govern SaaS identities. And when we take a closer look, we can see why so many organizations end up with only 5-15 percent of their SaaS estate shielded by authentication and access controls like SSO.  

Here are some of the reasons SaaS identity security is so costly, and why many organizations have silently accepted this glaring security gap.

Reason 1 – Technology is too costly

IAM and SSO vendors have a pesky habit of breaking up features and calling them “products”.  So, if you had 1,000 users and quoted a solution to include single sign-on (SSO), multi-factor authentication (MFA), provisioning and deprovisioning, and some directory services, it could set you back $300,000 to $500,000 per year. And even once this initial cost is absorbed, most organizations must also get SSO-enabled licenses from their SaaS provider—commonly known as the SSO tax. According to, the average cost (tax) of SSO-enabled SaaS is approximately 315 percent higher than non-SSO-enabled licenses. When you put these costs together, many organizations could be unable to realize SSO to the entire SaaS estate. It is simply too expensive to try to put SSO in front of every SaaS app.  

Reason 2 – Deployment is too complex

When setting up SSO for SaaS services, another challenge is the overall complication of the whole project. For example, there are multiple ways to authenticate to many kinds of SaaS services—SAML, Secure Web Access (SWA), OpenID Connect (OIDC), OAuth2, SCIM for provisioning, and dependencies like JSON Web Tokens and APIs, along with a litany of integrations to enforcement points. Deciphering which protocols to use and which enforcement to implement SaaS-by-SaaS creates a tangle of complexity and dependencies to make it all work (even for the limited scope mentioned above). Often, this can lead many organizations to fall short on achieving universal SaaS identity security, because as the project progresses, the complexity of each user-SaaS protection scheme adds to the queue and SaaS to be onboarded piles up, shuffling the order of the highest priority as more SaaS is added to the business almost daily; resulting in a steadily growing security gap for user-SaaS relationships.  

Reason 3 – Enforcement is too hard

Aside from the initial cost and a frustrating deployment, many security teams are saddled with the burden of maintaining IAM and SSO solutions and the ever-evolving demands of the business, including onboarding and offboarding. Secondly, given that most SaaS services are accessed via simple username and password, many organizations encourage their users to take advantage of form-filling, password-push features of identity providers, such as Secure Web Access (SWA). This challenge is more daunting, given that it depends on users voluntarily vaulting credentials with the SSO vendor. And the voluntary nature of credential vaults is precisely what costs security teams so much when deploying IAM and SSO solutions. Additionally, when organizations depend on password managers, security outcomes can become worse, as many users share credentials, use duplicate credentials, and harbor zombie accounts to SaaS years after using it.

Reason 4 – User and SaaS churn, turnover

According to a report by Blissfully, 60 percent of SaaS services turnover every two years. So, if you have 1,000 total SaaS services in your environment, it is safe to bet that 600 of those will be different in two years. And there’s no way of knowing which ones it will be.  

Secondly, it is virtually impossible to take a retrospective look at extinct or abandoned SaaS with dangling access, zombie accounts, or overly permissive privileges lingering for months or years that could lead to account takeover. Often, this leaves security and IAM teams with too much uncertainty to just onboard everything into SSO. After all, it could be a wasted effort to deploy IAM and SSO solutions for SaaS today when there’s no way to know for sure which SaaS will still be around in a couple of years. And one of the lowest hanging fruits to mitigate—dangling access and abandoned SaaS—is out of scope for IAM and SSO solutions, because there’s no way to discover SaaS with these solutions to even know if you have existing identity exposures. Consequently, we find a cultural habit of accepting this security gap unable to be closed by IAM and SSO solutions.

Reason 5 – Duplicate and weak passwords, credentials

The cost associated with cleaning up weak and duplicate passwords could be the most painful of all. First, you must find all the places where passwords are in use. This is more difficult than it sounds. Before you can know which kinds of passwords are being used, you must first identify all the user-SaaS relationships across the SaaS estate. The best way to do this is through identity-centric SaaS fingerprinting—graphing user-SaaS relationships based on interactions with identities and SaaS services—typically via standard mail services like Microsoft 365 or Google Workspace. After mapping users and SaaS services, you are ready to swap the existing weak or duplicate password with an automatically generated strong credential unknown to the user—skipping the need for voluntary enrollment. With non-duplicate, strong credentials in place, you can continue to rotate passwords on a regular schedule or on-demand if a security incident demands revoking access to a SaaS service.

When you add up the cost of technology, people, processes, and projects, it is clear why so many organizations have been unable to realize the promise of securing SaaS identities.  


For more than a decade, IAM, SSO, and password management solutions have touted safeguards for SaaS access through a variety of services, microservices, protocols, packages, and prices. Now, we have seen why so many organizations fail to experience the promise of IAM, SSO, and password management — the juice is not worth the squeeze.  

Every security decision requires tradeoffs—productivity v. protection, freedom v. order, collaboration v. confidentiality, innovation v. integrity—and these tradeoffs are never more pronounced than when staring at the abyss that is the SSO security gap. Often, deploying and maintaining IAM, SSO, and password management solutions can be too costly, too time-consuming, and too dynamic to effectively scale universal access control to everything in the SaaS service layer.  

That is why customers rely on Grip. Grip empowers security teams with unified SaaS credential and password management to enforce access control across the entire SaaS estate—sanctioned and unsanctioned, managed and unmanaged, known and unknown SaaS. With Grip’s award-winning SaaS Security Control Plane (SSCP), security teams can discover worldwide user-SaaS relationships—past, present, and future—to rapidly remove accumulated SaaS risks from 10+ years and universalize strong authentication and offboarding in just a few clicks.

Get a demo

Learn more about Grip’s award-winning SaaS Security Control Plane – download the data sheet

*** This is a Security Bloggers Network syndicated blog from Grip Security Blog authored by Grip Security Blog. Read the original post at: