To add an anecdote from the other perspective, I was the PM for the authn/z capabilities of a big enterprise platform.

SSO was one of the greatest support burdens due to the numerous protocols we supported and the vast array of sometimes bizarre, often complex auth environments across the customer base.

The biggest hidden cost came from the complete lack of consistency in auth implementations from 3rd party vendors, i.e. it wasn’t enough to implement the SAML/OIDC/etc specs, because many of the systems our customers wanted to connect with had not implemented to spec.

This is all prior to dealing with 2FA which was definitely another major factor.

▲

tptacek 2 days ago | parent | next [-]

If you just supported OIDC, you'd still have upcharged for it, at least unless you had an ideological reason not to (we don't, for ideological reasons, but I sort of rue that decision).

	▲	haswell 2 days ago \| parent [-]
		I realize in retrospect my comment was probably confusing as written. The company didn’t charge extra for SSO despite the support cost, also for ideological reasons. But they were also singularly focused on large enterprise customers so it was table stakes. Plenty of other platform modules to upsell. My point was mostly to highlight that it can be costly for a bunch of reasons.

▲

Too a day ago | parent | prev [-]

But with SSO you can offload all the 2FA handling to the IdP.

	▲	haswell a day ago \| parent [-]
		Most customers did. But due to a wide variety of customer types and various hybrid auth environments, we had to support 2FA directly in-platform as well. There were also privilege elevation scenarios to consider, e.g. to access highly sensitive data, the current authenticated user must enter a 2nd factor to continue.