The SAML tax.
Across the IdP category, SAML SSO is structurally gated behind enterprise pricing tiers. The phenomenon is sometimes called the “SAML tax” — buyers who want federated SSO to their SaaS apps must upgrade to a tier materially more expensive than they'd otherwise need. The pattern is consistent enough across vendors that it's clearly a category-level pricing strategy, not a feature decision.
1.Which IdPs do it
Auth0: The tier jump for SAML is the most pronounced in the cohort. B2B SSO requires the Enterprise tier. Free, Essentials, and Professional don't include SAML. The cost step from Professional to Enterprise is approximately 3x per-MAU. Auth0 is the SAML-tax archetype.
Okta: Starter ($6/user/mo) doesn't include full SAML — it's positioned as "SSO Lite" with restrictions. Core Essentials ($14) is the minimum for full SAML. The 2.3x step from Starter to Core Essentials is the Okta SAML tax.
OneLogin: Starter tier excludes SAML. Advanced ($4 SSO + $4 MFA = $8/user/mo) is the minimum.
Duo: Beyond plan ($9/user/mo) is required for SSO. Lower tiers (MFA $3-$6) don't include SAML. The jump from Duo MFA to Duo Beyond is the SAML tax.
Entra ID: Free tier includes SAML to SaaS apps. P1 ($6/user/mo) adds SAML to on-prem apps. The structural difference — Entra positions SAML to SaaS as a free feature, which is why M365 buyers find Entra "free". The Entra SAML tax exists but is less aggressive than Okta/Auth0.
JumpCloud: SAML SSO module ($3/user/mo) is à-la-carte. No tier-jump SAML tax — buyers pay for the SSO module specifically. JumpCloud is the cohort outlier on the SAML-tax dimension.
Authentik: Open-source — SAML included for free. No SAML tax at all. The trade is self-host ops cost.
Ping Identity: All paid tiers include SAML (it's the core product). The Ping pricing model is enterprise-only ($50K+/yr minimum), so the entire entry price is effectively a SAML tax in a different shape.
2.Why IdPs do it
The SAML tax tracks an upstream pattern: SaaS app vendors charge their own SSO tax — many enterprise SaaS products gate SAML SSO behind their highest tier (the sso.tax phenomenon). IdP vendors observe that customers buying SaaS at the SAML-enabled tier are already committed to enterprise pricing across their stack. IdP pricing tiers track this: customers paying for SaaS enterprise tiers can pay for IdP enterprise tiers.
There's also a structural argument from the IdP's perspective: SAML implementation is where IdPs add genuine engineering investment (identity federation protocols, SAML signing, attribute mapping, etc.). The IdP's perspective: this is real engineering, not a feature flag.
Both perspectives are valid; the buyer's perspective is: regardless of why, the cost is real and predictable, and modelling it correctly affects which IdP the buyer should choose.
3.What the buyer can do
- Model the IdP tier as the SAML-enabled tier from the start. Don't budget the Starter / lower tier headline if you need SAML.
- For M365 buyers, lean into Entra. SAML to SaaS apps is genuinely free at Entra; the rest of the cohort taxes it.
- For modular-pricing tolerance, consider JumpCloud. The à-la-carte module model avoids the tier-jump structure but the full stack still costs the same as Okta's tiered model.
- For open-source-comfortable buyers, Authentik bypasses the SAML tax entirely. The trade is ops cost.