May 19, 2026 · 11 min read · Cadence Editorial

Cost to add SSO support to your SaaS app


Adding SSO to your SaaS app in 2026 costs $25 to $500 per month per customer connection if you buy (WorkOS, Clerk, Auth0), or $30,000 to $60,000 upfront plus $5,000 to $15,000 per year in maintenance if you build it yourself. For 90% of B2B SaaS teams under Series B, buying through WorkOS or Clerk is cheaper for the first 3 years and ships in a week instead of a quarter.

The math flips once you cross roughly 50 enterprise SSO customers, because per-connection vendor pricing scales linearly while a one-time build does not. That is the entire "SSO tax" debate in one sentence.

What "adding SSO" actually means

SSO is not one feature. It is a bundle of related auth primitives that enterprise procurement teams ask for on the same RFP page.

  • SAML 2.0: the legacy enterprise protocol. Okta, OneLogin, ADFS, Ping. Still 70% of enterprise deals in 2026.
  • OIDC (OpenID Connect): the modern OAuth2-based protocol. Google Workspace, Microsoft Entra ID, Auth0.
  • SCIM 2.0: not SSO, but always sold alongside it. Automated user provisioning and deprovisioning from the IdP.
  • JIT provisioning: create the user on first SAML/OIDC login. The "lite" alternative to SCIM.
  • Multi-IdP support: each enterprise customer brings their own IdP, and your app needs to route logins to the right one based on email domain.
  • Audit logs: SOC 2 reviewers and CISOs ask for who-logged-in-when reports.

You will be asked for all six on the same enterprise contract. Scoping for just "SSO" and missing SCIM is the most common mistake we see; SCIM doubles the effective build cost.

The five real options, ranked by total cost over 3 years

| Approach | Year 1 cost | 3-year cost (10 enterprise customers) | Timeline | Pros | Cons |
| --- | --- | --- | --- | --- | --- |
| WorkOS | $1,500 to $6,000 | $15,000 to $60,000 | 3 to 7 days | Built-for-SSO, free under 1M MAU on the auth product, $125/connection on the enterprise tier | Per-connection pricing scales linearly; you pay for every enterprise customer forever |
| Clerk | $300 to $1,200 | $5,000 to $25,000 | 2 to 5 days | Cheapest if you have not built any auth yet; full user-management UI included | $25/mo per enterprise connection plus $0.02 per MAU; not ideal if you already have your own auth |
| Auth0 (Okta) | $0 (Free), $1,500/mo (Pro) | $50,000+ (Enterprise tier with SAML) | 5 to 14 days | Massive ecosystem, well documented, every IT team has heard of it | SAML connections require the Enterprise plan, quoted at ~$1,000+/mo minimum; pricing famously opaque |
| Stytch / FusionAuth / Frontegg | $500 to $3,000/mo | $20,000 to $80,000 | 4 to 10 days | More predictable flat pricing, good developer DX | Smaller ecosystem; some IdPs are less well tested |
| DIY (build it yourself) | $30,000 to $60,000 engineering + $0 vendor | $45,000 to $90,000 (build + maintenance) | 6 to 14 weeks | No per-connection tax, full control of UX | High upfront cost; SAML edge cases (Azure AD, ADFS, JIT name claims) eat months |
| Cadence (on-demand integration) | $2,000 to $6,000 (1 to 3 weeks of senior engineer time) plus chosen vendor cost | Vendor cost + a one-time integration fee | 48-hour trial then ship | Pairs an AI-native engineer with WorkOS / Clerk / Auth0; ships the integration, the SCIM hooks, the IdP test harness, and the audit log plumbing | Less suited to teams that want zero vendor dependency |

SAML vs OIDC: which protocol you actually need

You will need both. SAML is what your enterprise customers already speak. OIDC is what the modern IdPs (Google, Microsoft, smaller startups) prefer.

In practice every commercial SSO vendor abstracts both behind one API. You hand WorkOS an organization ID and a redirect URL; WorkOS handles whether the underlying IdP speaks SAML or OIDC. That abstraction is half the reason vendors exist.

If you build it yourself, you write two separate code paths. The SAML side involves XML signing, certificate rotation, NameID format negotiation, and the dreaded "Azure AD sends groups as object IDs not names" gotcha. The OIDC side is cleaner but still requires JWKS caching, nonce handling, and PKCE for native apps. Most DIY builds spend 60% of their time on SAML edge cases.

The SCIM provisioning add-on

SCIM is the second-biggest hidden cost.

Without SCIM, your enterprise customer admin has to manually add and remove every user in your app, in addition to their IdP. With SCIM, removing a user from Okta auto-removes them from your app within 30 seconds. Every CISO past 200 employees will require this.

SCIM pricing as of mid-2026:

  • WorkOS Directory Sync: $125 per connection per month, separate line item from SSO.
  • Clerk SCIM: included on Pro plans at $100/mo flat, plus $25 per organization.
  • Auth0 SCIM: Enterprise tier only, generally bundled but quoted on a custom contract.
  • DIY: another 3 to 6 weeks of senior engineer time on top of the SAML build, mostly because SCIM 2.0 implementations differ subtly between Okta, Azure AD, Google, and JumpCloud.

Engineers consistently underestimate SCIM. The protocol is simple; the surface area of provider quirks is not.
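To make the provider-quirk point concrete, here is an added example (not code from this article or from any IdP): a deactivation handler that accepts two constructed SCIM PATCH bodies that both mean "set active to false" but differ in shape. Which provider sends which shape is not asserted here, and the session store is a hypothetical in-memory dict.

```python
# Constructed sample requests: same intent, different wire shape.
PATCH_OBJECT_VALUE = {"Operations": [{"op": "replace", "value": {"active": False}}]}
PATCH_STRING_BOOL = {"Operations": [{"op": "Replace", "path": "active", "value": "False"}]}


def _as_bool(value):
    """Accept JSON booleans and the string forms some clients send."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unsupported 'active' value: {value!r}")


def active_from_patch(body: dict):
    """Return the 'active' state a SCIM PatchOp requests, or None if it sets none.

    Matches op and attribute names case-insensitively and handles both a path of
    'active' and the path-less form whose value is an object of attributes.
    """
    result = None
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):
            for key, val in value.items():
                if key.lower() == "active":
                    result = _as_bool(val)
        elif isinstance(path, str) and path.lower() == "active":
            result = _as_bool(value)
    return result


def apply_patch(user: dict, sessions: dict, body: dict) -> dict:
    """Apply the patch; on deactivation also drop the user's live sessions."""
    active = active_from_patch(body)
    if active is not None:
        user["active"] = active
        if not active:
            sessions.pop(user["id"], None)  # deprovisioning must end access now
    return user
```

A parser that only understands one of the two shapes answers 200 and leaves the account active, which is why an unrecognised `active` value raises instead of being ignored.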

JIT vs sync: the cheap-and-cheerful alternative

If your customers do not require SCIM (or you are pre-Series A and can negotiate it out), JIT provisioning is the budget option.

JIT creates the user record in your database the first time they SAML in. Deprovisioning is handled by the IdP refusing to authenticate them on subsequent logins. You do not get instant deactivation, and you cannot bulk-import an organization's user list, but you avoid the SCIM line item entirely.
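JIT provisioning combined with the email-domain routing from the multi-IdP bullet earlier, as an added example that is not code from this article or a vendor: the user is created on first login, keyed by connection and IdP subject, and only if the asserted email falls inside the domains that customer has verified. Connection IDs, domains and function names are constructed for illustration.

```python
# Constructed sample data: per-customer SSO connections and the email domains
# each customer has proven ownership of (for example via a DNS TXT record).
CONNECTIONS = {
    "conn_acme": {"org": "org_acme", "domains": {"acme.example"}},
    "conn_globex": {"org": "org_globex", "domains": {"globex.example"}},
}


class LoginRejected(Exception):
    pass


def email_domain(email: str) -> str:
    """Lower-cased domain part of an email claim; rejects malformed values."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise LoginRejected("malformed email claim")
    return domain


def route_login(email: str) -> str:
    """Multi-IdP routing: pick the connection that owns the email domain."""
    domain = email_domain(email)
    for conn_id, conn in CONNECTIONS.items():
        if domain in conn["domains"]:
            return conn_id
    raise LoginRejected("no SSO connection for this domain")


def jit_provision(users: dict, conn_id: str, subject: str, email: str) -> dict:
    """Create the user on first login, keyed by (connection, IdP subject).

    conn_id is the connection whose signing key verified the assertion, never a
    value looked up from the email claim inside that assertion.
    """
    conn = CONNECTIONS[conn_id]
    if email_domain(email) not in conn["domains"]:
        # An IdP may only vouch for domains its own tenant has verified.
        raise LoginRejected("asserted email is outside this connection's domains")
    key = (conn_id, subject)
    if key not in users:
        users[key] = {"org": conn["org"], "email": email.strip().lower(), "created_by": "jit"}
    return users[key]
```

Keying on the subject rather than the email also means a renamed mailbox at the IdP maps back to the same account instead of creating a second one.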

For 80% of seed-stage B2B SaaS, JIT is the right starting point. You can layer SCIM on later when a $50k/yr customer asks for it. The clean way to build this is via Cadence's Build vs Buy decision tool so you do not over-engineer auth before there is revenue to justify it.

The "SSO tax" debate, honestly

The "SSO tax" is the practice of charging enterprise customers a steep premium for SSO, often gating it behind a tier that costs 4 to 10x the standard plan. ssotax.org has been tracking this for years and most B2B SaaS still does it.

The arguments for it:

  • Enterprise customers are more expensive to support. SOC 2, security questionnaires, dedicated CSMs.
  • SSO is genuinely more expensive to deliver. WorkOS bills you per connection; that cost has to land somewhere.
  • It is a clean tier-gate. SSO usually correlates with company size, so charging per-seat-plus-SSO is fair.

The arguments against:

  • SSO is a security feature. Charging extra for security is bad faith and incentivizes weaker auth at smaller customers.
  • The per-connection cost ($125 to $500/mo) does not justify a $50k/yr price bump for a 50-seat customer.
  • Buyers increasingly notice. Mid-market procurement teams now flag SSO-tier markup in negotiations.

Our take: pricing SSO at a modest, defensible markup over your vendor cost is fine. Pricing it 10x to force tier upgrades is the kind of thing that ends up on Hacker News with your company name attached. We dig deeper into pricing trade-offs in Cost to build an admin dashboard, which is the other feature most often gated behind the same tier.

Real cost breakdown for buying

Assume a B2B SaaS at Series A with 10 enterprise customers needing SSO and 5 needing SCIM.

| Line item | WorkOS | Clerk | Auth0 |
| --- | --- | --- | --- |
| Base auth | $0 (under 1M MAU) | $25/mo + $0.02 per MAU | $1,500/mo (B2B Pro, est.) |
| 10 SSO connections | $1,250/mo | $250/mo | Included in Enterprise |
| 5 SCIM directories | $625/mo | $500/mo | Included in Enterprise |
| Audit logs | $99/mo | included | included |
| Monthly total | ~$1,974 | ~$775 | ~$2,500 to $5,000 (Enterprise quote) |
| Annual | ~$24k | ~$9.3k | ~$30k to $60k |

Clerk is the cheapest at small scale. WorkOS pulls ahead when you have a custom auth stack you do not want to replace. Auth0 is rarely the right answer for new builds in 2026, but if you already use it, the migration cost is high.

Real cost breakdown for building

Assume one senior engineer plus a fractional lead reviewing architecture decisions, building SAML + OIDC + JIT + audit logs (skipping SCIM for v1).

| Phase | Time | Cost (Cadence rate) |
| --- | --- | --- |
| Discovery and architecture | 1 week of Lead | $2,000 |
| SAML core + cert rotation | 3 weeks of Senior | $4,500 |
| OIDC implementation | 1 week of Senior | $1,500 |
| Multi-IdP routing + admin UI | 2 weeks of Mid | $2,000 |
| JIT provisioning + audit logs | 1 week of Senior | $1,500 |
| IdP test harness (Okta, Azure, Google) | 1 week of Senior | $1,500 |
| Total v1 build | ~9 weeks | ~$13,000 |

That is the lean version. A more conservative estimate using US W2 hires at $180k loaded comes to $30,000 to $60,000 for the same scope, because you are paying salary plus benefits plus context-switching time.

Add SCIM v1 and you are looking at another 3 to 6 weeks. If you want a sanity check on whether building is the right call, our Build vs Buy decision tool takes 90 seconds and outputs a recommendation with the cost math attached.

Where Cadence fits

We are not an SSO vendor. We are the engineers who integrate one for you, or build it from scratch if you have a reason to.

Every engineer on Cadence is AI-native by default, vetted on Cursor, Claude Code, and Copilot fluency in a founder-led voice interview before they unlock bookings. The 12,800-engineer pool includes 400+ engineers who have shipped a SAML or OIDC integration in the last 12 months, and we tag those skills so the booking spec auto-matches.

A typical SSO integration on Cadence looks like: a Senior at $1,500/week, 2 to 3 weeks of scope, with a 48-hour free trial before billing starts. Median time to first commit across the platform is 27 hours.

If you are about to sign your first enterprise customer and need SSO live in a sprint, the fastest path is to book a Senior or Lead engineer with SAML experience. You get the 48-hour trial, weekly billing, and you can replace any week if the fit is wrong.

How to reduce the cost without cutting corners

  • Buy first, build later. Start with WorkOS or Clerk. Migrate to in-house only when per-connection costs cross your engineer-month cost.
  • Skip SCIM in v1. Use JIT until a customer explicitly asks for it. Most do not, until they are paying you $50k+/yr.
  • Test against Okta first. Okta is 50% of the SAML market. Get that working, then expand to Azure AD, Google, JumpCloud.
  • Use the vendor's test IdP. WorkOS and Clerk both ship hosted SAML test IdPs. You can iterate without convincing your customer's IT team to give you a real one.
  • Cap your tier markup at 2x. The market is increasingly hostile to 10x SSO tax pricing.

The fastest path from "we need SSO" to "live in production"

  1. Pick WorkOS if you have your own user system; Clerk if you do not yet have auth at all.
  2. Spend a week wiring up the vendor SDK, the admin UI for per-customer IdP config, and JIT provisioning.
  3. Test against Okta, Azure AD, and Google with the vendor's hosted test IdPs.
  4. Ship behind a feature flag, enable for your first enterprise customer, monitor the audit logs for the first week.

If you do not have an engineer with auth experience already on the team, the speed-of-shipping advantage is the entire reason on-demand booking exists. Otherwise the design partner you promised SSO to next sprint is going to slip.

FAQ

How long does it take to add SSO to a SaaS app?

Using WorkOS or Clerk: 3 to 7 days for the basic SAML + OIDC flow, plus another week for SCIM if you need it. Building it yourself: 6 to 14 weeks for a production-grade implementation that handles the main IdP quirks. Most teams underestimate testing time against real customer IdPs; budget at least 2 weeks of back-and-forth with the first enterprise customer.

Should I build SSO or buy it through WorkOS or Auth0?

Buy unless one of three things is true: you have 50+ enterprise SSO customers (per-connection vendor pricing starts to bite), you have a senior engineer with SAML experience already on payroll, or you have a regulatory reason to keep auth in-house. For almost every Series A and earlier company, buy.

What is the difference between SAML and OIDC?

SAML 2.0 is the legacy XML-based enterprise SSO protocol; OIDC is the modern OAuth2-based JSON protocol. SAML still dominates large enterprise deals because of installed IdP base (Okta, ADFS, Ping). OIDC is preferred for modern web and mobile apps. You will need both if you are selling to enterprise; commercial vendors abstract the difference behind one API.

Do I need SCIM provisioning on day one?

No. Start with JIT (just-in-time) provisioning where users are created on first login. Add SCIM when a customer explicitly contracts for it, usually around the $50k/yr deal size. SCIM is roughly a doubling of your SSO scope, so do not pay for it before there is revenue to justify it.

What is the "SSO tax" and should I charge it?

The "SSO tax" is the practice of charging enterprise customers a steep premium (often 4 to 10x) for SSO access, usually by gating it behind a higher tier. A modest markup over your vendor cost (1.5 to 2x) is defensible; 10x markup is increasingly called out by buyers and on sites like ssotax.org. Charge enough to cover vendor costs and the support overhead, not enough to make SSO a tier-upgrade extortion.

Can I add SSO without rewriting my existing auth?

Yes. WorkOS is specifically designed to bolt onto an existing user system; you keep your Supabase or custom auth for end users and route enterprise SSO through WorkOS as a federation layer. Clerk requires more of a full takeover. Auth0 sits somewhere in the middle. Plan for 1 to 2 sprints of careful session-handling work if you go the federation route.
