Many organizations are frustrated that turning on single sign-on (SSO) for a cloud application means paying extra for a “license upgrade.” Many cloud software applications gate their SSO provider integration behind a higher pricing tier. This surcharge is known as the “SSO tax,” and it has become a point of contention for many organizations.
The problem doesn’t stop there. Even after paying the SSO tax, organizations may not get the security and functionality they were expecting. Attackers have repeatedly targeted the session layer that sits beyond SSO: the authentication tokens and session cookies an application issues once the SSO handshake is complete. This exposure is not limited to individual incidents such as the Okta HAR files debacle, in which session tokens captured in browser HAR files uploaded to a support system were stolen; it also includes account compromises from phishing, including adversary-in-the-middle phishing kits such as EvilProxy that relay the login and capture a live session after MFA has been completed.
What further complicates the situation is the role of the cloud application providers themselves. They charge the SSO tax, yet some of them do not implement the session controls that an SSO tier implies. The application still mints its own session after the SSO handshake, and that session may outlive the identity provider’s session, ignore a logout issued at the identity provider, or carry no record of which authentication method was actually used. This lack of transparency and functionality leaves organizations exposed to account takeover through stolen sessions.
In reality, the SSO experience organizations believe they are paying for may not match the controls the application actually enforces. That discrepancy is the fundamental flaw: organizations are forced to pay additional fees for SSO integration without receiving the expected security measures in return.
SSO is intended to streamline the end-user experience, reduce the risk of bad password practices, and centralize authentication so that threats can be mitigated in one place. Many enterprises have invested in SSO solutions on that basis, accepting the SSO tax as a necessary cost. The reality does not always live up to these expectations.
With SSO in place, organizations expect a set of powerful security controls: FIDO2 multifactor authentication (MFA), a cap on the length of authentication sessions, and the ability to force a logout of all sessions. Organizations reasonably see these as features that should come standard with an SSO integration. As an employee logs into an SSO platform, a series of authentication steps occurs in the background: the application redirects the browser to the SSO platform, the SSO platform authenticates the user and returns a signed assertion or token to the application, and the application then issues its own session cookie. Those three controls are enforced at the SSO platform, so they protect the application only if the application honors them when it creates and maintains that session.
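The following is an added example, not code from the original article or from any provider it discusses. It models the exchange described above in miniature: a toy identity provider mints an assertion (an HMAC-tagged dict standing in for a signed OIDC ID token or SAML assertion), and two toy applications consume it. WeakApp verifies the assertion and then runs a 30-day session of its own, with no logout endpoint. HardenedApp caps its session at the identity provider’s session lifetime, requires a FIDO2 `amr` claim, and honors a back-channel logout keyed by the provider’s session id (`sid`). The secret, lifetimes, claim names and the HMAC stand-in for a real signature are all assumptions made for the example.

```python
"""Constructed demo: IdP-side controls only protect an application that
honours them after the SSO handshake. Names, TTLs and the HMAC stand-in
for a real token signature are assumptions made for this example."""
import hashlib
import hmac
import json
import secrets

IDP_SECRET = b"constructed-demo-secret"  # stands in for the IdP signing key
IDP_SESSION_TTL = 8 * 3600               # assumed IdP session lifetime (8h)


def idp_login(subject, now, amr=("fido2",)):
    """IdP authenticates the user and returns an assertion for the application."""
    claims = {"sub": subject, "sid": secrets.token_hex(8), "iat": now,
              "exp": now + IDP_SESSION_TTL, "amr": list(amr)}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def verify_assertion(assertion, now):
    """Application-side check of the assertion's integrity and expiry."""
    body = json.dumps(assertion["claims"], sort_keys=True).encode()
    expected = hmac.new(IDP_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        raise ValueError("assertion signature invalid")
    if assertion["claims"]["exp"] <= now:
        raise ValueError("assertion expired")
    return assertion["claims"]


class WeakApp:
    """Accepts SSO, then runs a session that is independent of the IdP."""
    APP_SESSION_TTL = 30 * 24 * 3600  # 30-day cookie, unrelated to the IdP

    def __init__(self):
        self.sessions = {}

    def login(self, assertion, now):
        claims = verify_assertion(assertion, now)
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"sub": claims["sub"], "exp": now + self.APP_SESSION_TTL}
        return cookie

    def is_authenticated(self, cookie, now):
        s = self.sessions.get(cookie)
        return s is not None and s["exp"] > now

    def backchannel_logout(self, sid):
        return 0  # no logout endpoint: revocation at the IdP changes nothing here


class HardenedApp:
    """Binds its session to the IdP session: lifetime, MFA method and logout."""
    MAX_APP_SESSION = 8 * 3600

    def __init__(self):
        self.sessions = {}
        self.cookies_by_sid = {}

    def login(self, assertion, now):
        claims = verify_assertion(assertion, now)
        if "fido2" not in claims.get("amr", []):
            raise PermissionError("phishing-resistant MFA required")
        cookie = secrets.token_hex(16)
        exp = min(claims["exp"], now + self.MAX_APP_SESSION)  # never outlive the IdP session
        self.sessions[cookie] = {"sub": claims["sub"], "sid": claims["sid"], "exp": exp}
        self.cookies_by_sid.setdefault(claims["sid"], set()).add(cookie)
        return cookie

    def is_authenticated(self, cookie, now):
        s = self.sessions.get(cookie)
        return s is not None and s["exp"] > now

    def backchannel_logout(self, sid):
        """IdP 'log out everywhere': drop every app session minted under this sid."""
        cookies = self.cookies_by_sid.pop(sid, set())
        for c in cookies:
            self.sessions.pop(c, None)
        return len(cookies)


def demo():
    """Returns (weak, hardened) outcomes for three IdP-side controls."""
    now = 1_700_000_000
    weak, hard = WeakApp(), HardenedApp()

    # 1. Forced logout at the IdP, e.g. after a stolen-session incident.
    a = idp_login("alice@example.test", now)
    wc, hc = weak.login(a, now), hard.login(a, now)
    weak.backchannel_logout(a["claims"]["sid"])
    hard.backchannel_logout(a["claims"]["sid"])
    after_logout = (weak.is_authenticated(wc, now + 60), hard.is_authenticated(hc, now + 60))

    # 2. Stolen cookie replayed after the IdP session has expired.
    b = idp_login("alice@example.test", now)
    wc2, hc2 = weak.login(b, now), hard.login(b, now)
    later = now + IDP_SESSION_TTL + 3600
    after_idp_ttl = (weak.is_authenticated(wc2, later), hard.is_authenticated(hc2, later))

    # 3. IdP session established with a password only: does the app notice?
    pw = idp_login("alice@example.test", now, amr=("pwd",))
    weak_pwd = weak.is_authenticated(weak.login(pw, now), now)
    try:
        hard.login(pw, now)
        hard_pwd = True
    except PermissionError:
        hard_pwd = False

    return {"after_logout": after_logout, "after_idp_ttl": after_idp_ttl,
            "accepts_password_only": (weak_pwd, hard_pwd)}


if __name__ == "__main__":
    print(demo())
```

Both applications verify the assertion correctly, so both “support SSO.” The difference is entirely in what happens afterwards: WeakApp keeps accepting a cookie after the provider has logged the user out everywhere, after the provider’s own session has expired, and for a login that never used FIDO2, which is exactly the gap between the SSO tier an organization pays for and the controls it actually gets.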
Overall, the SSO tax and its security implications pose a significant challenge for organizations trying to secure access to their cloud applications. As the debate over the fairness and transparency of SSO integration fees continues, it is clear that greater accountability and investment in security controls is needed from both cloud application providers and SSO solution providers. Only when those issues are addressed can organizations truly receive the security benefits that SSO promises to deliver.