The SAML tax.
Across the IdP category, SAML SSO is rarely gated outright behind the most expensive enterprise tier — most vendors include it at or near the entry tier. The phenomenon sometimes called the “SAML tax” shows up instead as caps and minimums: connection limits, app-count limits, on-prem restrictions, and annual contract floors that push the effective cost above the headline rate. The shape varies by vendor, so the buyer math has to be done per vendor, not assumed category-wide.
1.Which IdPs do it
Auth0: SAML (enterprise connections) is included from B2B Essentials ($150/mo floor) — 3 connections, Professional 5 — with $100/mo per additional connection beyond the cap (max 30). The Free tier has no enterprise connections. The cost is in connection count and MAU volume, not a single tier gate.
Okta: Starter ($6/user/mo) includes SSO and MFA. Core Essentials ($14) adds lifecycle provisioning and workflows, not SAML itself. The structural cost here is the $1,500/yr annual contract minimum, which prices out the smallest teams rather than gating the feature.
OneLogin: Unlimited SAML and OIDC SSO is included in every tier, starting at Basic ($3/user/mo). No SAML tax. MFA is available across tiers but requires an SSO plan as a prerequisite; the entry tier caps identity lifecycle at 5 apps.
Duo: SSO is included from the Essentials tier ($3/user/mo); only the Free tier is MFA-only. The SAML step is minimal — effectively the move off the free plan.
Entra ID: Free tier includes SAML to SaaS apps. P1 ($7/user/mo) adds SAML to on-prem apps. The structural difference — Entra positions SAML to SaaS as a free feature, which is why M365 buyers find Entra "free". The Entra SAML tax exists but is less aggressive than Okta/Auth0.
JumpCloud: SAML SSO module ($3/user/mo) is à-la-carte. No tier-jump SAML tax — buyers pay for the SSO module specifically. JumpCloud is the cohort outlier on the SAML-tax dimension.
Authentik: Open-source — SAML included for free. No SAML tax at all. The trade is self-host ops cost.
Ping Identity: All paid tiers include SAML (it's the core product). The Ping pricing model is enterprise-only ($50K+/yr minimum), so the entire entry price is effectively a SAML tax in a different shape.
2.Why IdPs do it
The SAML tax tracks an upstream pattern: SaaS app vendors charge their own SSO tax — many enterprise SaaS products gate SAML SSO behind their highest tier (the sso.tax phenomenon). IdP vendors observe that customers buying SaaS at the SAML-enabled tier are already committed to enterprise pricing across their stack. IdP pricing tiers track this: customers paying for SaaS enterprise tiers can pay for IdP enterprise tiers.
There's also a structural argument from the IdP's perspective: SAML implementation is where IdPs add genuine engineering investment (identity federation protocols, SAML signing, attribute mapping, etc.). The IdP's perspective: this is real engineering, not a feature flag.
Both perspectives are valid; the buyer's perspective is: regardless of why, the cost is real and predictable, and modelling it correctly affects which IdP the buyer should choose.
3.What the buyer can do
- Model the caps, not just the tier. SAML is usually included at the entry tier, but watch the connection limits (Auth0), app-count limits (OneLogin lifecycle), on-prem restrictions (Entra), and annual minimums (Okta) that push the effective cost up.
- For M365 buyers, lean into Entra. SAML to SaaS apps is genuinely free at Entra; the rest of the cohort taxes it.
- For modular-pricing tolerance, consider JumpCloud. The à-la-carte module model avoids the tier-jump structure but the full stack still costs the same as Okta's tiered model.
- For open-source-comfortable buyers, Authentik bypasses the SAML tax entirely. The trade is ops cost.