
All content by Kyle E. Mitchell, who is not your lawyer.


Site of Shame
if you can’t negotiate, castigate?

Software entitlement has a new website, “The SSO Wall of Shame”. Quoting:

SSO is a core security requirement for any company with more than five employees.

SaaS vendors appear not to have received this message, however. SSO is often only available as part of “Enterprise” pricing, which assumes either a huge number of users (minimum seat count) or is force-bundled with other “Enterprise” features which may have no value to the company using the software.

SaaS vendors have received the message fine. Businesses with revenue and headcount need SSO, and individuals, microfirms, and small nonprofits don’t. SaaS vendors want businesses with revenue and headcount to pay. So they allocate features between plans accordingly, segmenting on need for SSO and other “Enterprise” features.

The point of a package of Enterprise features isn’t that every customer will want every feature, though demand is often highly correlated. Rather, the point is that none of those features alone perfectly divides customers the vendor wants to charge from customers they’re willing to serve for free or at a much lower price point.

The loaded vendor term for this is “bundling”. The loaded customer term for this is “tying”. Some tying is illegal. But much bundling is perfectly legal. In the United States, the key question is whether competition is lessened or protected. Not whether everybody who wants a thing gets it at a price they like.


If companies claim to “take your security seriously”, then SSO should be available as a feature that is either:

  1. part of the core product, or

  2. an optional paid extra for a reasonable delta, or

  3. attached to a price tier, but with a reasonably small gap between the non-SSO tier and SSO tiers.

Many vendors charge 2x, 3x, or 4x the base product pricing for access to SSO, which disincentivizes its use and encourages poor security practices.

Notice here that security is framed entirely as a vendor responsibility. But a conscious vendor can’t guarantee security despite a reckless customer, any more than a conscious customer can use a reckless vendor in a reliably secure way. It would be just as unfair and reductionist to say that companies should take security seriously by paying the price the market demands for it, as it is to say that vendors should take security seriously by making security features available at prices they can’t win on, overall.

I don’t call this out to condemn one side or the other, morally. Specific customer-vendor relationships get negotiated, and the overall balance of negotiating power bends, to a limited extent, to industry politics and propaganda. Setting up a website to try and muscle vendors on behalf of companies is fair play. The question is whether it’s effective play.

It’s not. Simply “calling vendors out” for not making a good thing available at a lesser price point isn’t going to sprout new columns all over SaaS companies’ pricing pages. That’s competition’s job. Find vendors offering a package that works well for firms of that size and need. Show their competitors they can make more money, without cannibalizing other opportunity, by adding that distinct segment to their model and offering corresponding plans.

Companies don’t owe each other features.

They get what they bargain for.

Your thoughts and feedback are always welcome by e-mail.
