I’ve gone through a few “migrations to SSO” after years of non-SSO with customers in the past and it’s a fucking expensive nightmare.
Yet the customers still paid, so it was worth for them.
This is incorrect.
Lots of people live without things others observe they need. Doesn't make going without a good idea.
> Companies that actually need SSO are the ones that have internal or external compliance requirements...
This logic is backwards.
Why do you think SSO is a "requirement" that security certifications or compliance policies look for? Why did that come to be? Who does SSO benefit? Are those personas relevant for only large companies or small ones too?
Do beginning drivers not “need” seatbelts or brakes? Or are these devices only needed to avoid tickets and pass inspection?
If anything, small companies need SSO more than any others - those companies usually outsource a lot (SaaS vs a dedicated hire), managing credentials is annoying.
Don’t get me started on the services that have their own smart ideas on what constitutes a safe password. Max 8 characters with no repeated letters and of which 4 must be an emoji, with automatic logout every 12 minutes. Yes those still exist.
Password policies are things you want control over in your IdP to avoid all this BS. SSO really should be standard.
Says who?
In reality, users don't care. Regulators, however, sometimes do, which leads to certifications and compliance requirements - and only then SSO and MFA become non-negotiable.
