TL;DR
The SSO Tax is dying. The SCIM Tax is far worse - and it's invisible.
SSO affects login convenience - end users complain, and "Sign in with Google" forced vendors' hands. SCIM affects security, but only IT feels the pain. End users don't notice if offboarding is manual.
Vendors exploit this asymmetry:
- They gate SSO to win deals
- They gate SCIM to guarantee enterprise upsells later
IT gets uniquely screwed. Stitchflow defeats the SCIM Tax with flat per-app pricing - no enterprise upgrade required.
The SSO Tax is dying
If you're in IT, you are familiar with the SSO Tax - the unfair pricing model that hides Single Sign-On behind an expensive enterprise tier.
We argue that while the SSO Tax is frustrating, the SCIM Tax is far more damaging to security, compliance, and budget. To understand why, we need to look at vendor priorities and how their revenue strategy deliberately uses security as a hostage lever.
The traditional SSO Tax works by gating SAML/OIDC behind a high-cost tier. Vendors recognize that requiring a password for every new tool is massive friction. If they gate SSO, they force the security team into a high-stakes negotiation.
However, the SSO Tax is rapidly becoming irrelevant for several key reasons:
- Consumer SSO is the workaround: Most SaaS tools offer "Sign in with Google" or "Sign in with Microsoft/Office 365" on their basic or free plans.
- Mid-Market pressure: Companies with 500+ employees typically mandate true SAML/OIDC integration. Vendors know they can lose a deal entirely if they lack basic SSO.
- Productivity vs. Security: While security teams care deeply about SSO, end-users care about it more. SSO dramatically improves login speed and reduces password fatigue. Users complain loudly when it's missing.
The result is that, due to market pressure and the ubiquity of Google/Microsoft login buttons, vendors are being forced to offer some form of frictionless access on lower-tier plans.
The SSO Tax is weakening, but vendors still have one high-leverage feature left to monetize.
The SCIM Tax: The unique IT vulnerability
The SCIM Tax is different. It is the extra price paid just to enable automated provisioning and deprovisioning, even when the API technology is already built. This feature exploits a unique vulnerability in IT: its invisibility.
End-users and Security don't notice it, so vendors can gate it.
SCIM automation is an infrastructure feature. End-users and sales leaders don't notice if a license is manually deactivated. Only the IT team and the finance department (after the money is wasted) feel the pain of missing SCIM.
Vendors know this. They can safely gate SCIM behind the highest tier because:
- It does not affect deal velocity (the initial purchase).
- It does not affect user adoption (the end-user experience).
- It only affects the cost, efficiency, and audit risk of the internal IT team.
It exploits inertia and fear.
By leaving basic, low-cost "Pro" plans without SCIM, vendors guarantee that IT teams will be forced into manual processes, leading to security holes and license sprawl. This is vendor extortion, a revenue strategy we call Ransom Economics.
- Manual mistakes lead to compliance gaps. This fear forces companies to eventually pursue the Enterprise Tier.
- Wasted licenses lead to cost leaks. This financial pain also drives companies toward the Enterprise Tier.
The SCIM Tax is a strategic move that turns IT hygiene into a high-margin upsell opportunity, designed to monetize the internal cleanup process - a process that is non-negotiable for any scaling business.
How widespread is this? We analyzed 721 SaaS apps. 42% lock SCIM behind enterprise pricing - that's the SCIM Tax. Another 57% have no SCIM at any price - not a ransom, just a gap they never built. Only 9 apps (1.2%) include SCIM on their base tier. Either way, you're stuck with manual work.
Why IT gets uniquely screwed
The core of the problem is the differing treatment of friction:
| Feature | Primary Beneficiary | Vendor's Leverage | Commercial Impact of Gating |
|---|---|---|---|
| SSO | End User & Security | Login Friction (weakened by Google/Microsoft) | Risk of losing the initial deal |
| SCIM | IT | Security and Compliance Risk / License Sprawl (unseen by users) | Guarantee of a future upsell |
Vendors use the diminishing SSO Tax to win the initial security negotiation, but they rely on the SCIM Tax to guarantee their massive Enterprise expansion down the line.
IT teams are left with a no-win scenario: they must either deal with manual, insecure workflows that guarantee compliance failures, or they must take the budget hit for the $80,000 SCIM Tax ransom, crippling budget for other projects.
IT is punished for vendor revenue strategy.
The commercial solution is here
We believe this is unfair. Basic security infrastructure should not be a profit center.
That's why Stitchflow doesn't just provide a technical workaround. We provide a commercial solution that defeats the SCIM Tax entirely. We deliver SCIM-level automation, maintenance, and resilience for a simple, flat fee per app - freeing your budget and your security posture from the vendor's enterprise roadmap.
We've measured the real cost of manual provisioning across 27 organizations: ~$12,000 per app per year in IT labor, unused licenses, and compliance gaps. Stitchflow costs less than half that. Why keep paying the SCIM Tax when you can defeat it entirely?
It's time IT stopped paying the price for the vendor's growth strategy.
Frequently asked questions
The SCIM vs. SSO Tax refers to the two major vendor paywalls that limit identity automation. While the SSO Tax historically gated SAML/OIDC behind higher tiers, the SCIM Tax is now the more damaging paywall - charging massive premiums just to automate provisioning and deprovisioning.
Jay has been serving modern IT teams for more than a decade. Prior to Stitchflow, he was the product lead for Okta IGA after Okta acquired his previous ITSM company, atSpoke.
