
In my experience SSO is high-touch. Sure, there are self-service portals and control planes, but big company IT departments are ticket processing machines, and it becomes a game of broken telephone to make changes. When something doesn't work, what do you do?

Offering SSO as part of an enterprise SKU offering implies there is a high-touch relationship out of the gate, and that there is a higher chance of success and adoption, including getting SSO set up right.

Furthermore many large behemoth corporations have strange SSO configurations and it's not unusual to require bespoke configuration let alone debugging time.



Custom SSO, fine.

But "Sign in with..." or "Continue with..." M365 and Google gets you almost all SMB, and with Apple gets you individuals who spend money.

Add a domain check and you have the quick and dirty equivalent of SAML SSO without any touch at all.

https://id.atlassian.com/login

https://www.xsplit.com/user/auth
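The "sign in with Google/M365 plus a domain check" approach from this comment, as an added example that is not part of the thread: the `OrgPolicy` and sample claims are constructed for illustration, and it assumes the ID token's signature, issuer, audience and expiry have already been verified by your OIDC library before these claims are inspected.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OrgPolicy:
    """Hypothetical per-tenant config: domains the org has proven it owns."""
    allowed_domains: frozenset

def email_domain(email: str) -> Optional[str]:
    # Require exactly one "@"; anything else is rejected rather than guessed at.
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    if not local or not domain:
        return None
    return domain.lower()

def resolve_org_domain(claims: dict) -> Optional[str]:
    """Return the domain we trust for this login, or None if none can be trusted.

    `claims` is the payload of an ID token that the OIDC library has ALREADY
    validated (signature, issuer, audience, expiry); this only applies policy.
    """
    if claims.get("iss") == "https://accounts.google.com":
        # Google Workspace accounts carry `hd` (hosted domain); consumer Gmail
        # accounts do not, so a bare gmail.com login never passes a domain check.
        hd = claims.get("hd")
        return hd.lower() if isinstance(hd, str) and hd else None
    # Generic OIDC (incl. M365): only an email the IdP asserts as verified may
    # drive domain matching; an unverified email claim is user-supplied input.
    if claims.get("email_verified") is not True:
        return None
    email = claims.get("email")
    return email_domain(email) if isinstance(email, str) else None

def admits_user(claims: dict, policy: OrgPolicy) -> bool:
    """Auto-provision into the org only when the trusted domain is allowlisted.
    Link the resulting account by (iss, sub), never by email, which can change."""
    domain = resolve_org_domain(claims)
    return domain is not None and domain in policy.allowed_domains

# Constructed sample inputs (not real tokens).
POLICY = OrgPolicy(allowed_domains=frozenset({"example.com"}))
GOOGLE_WORKSPACE = {"iss": "https://accounts.google.com", "sub": "1", "hd": "example.com",
                    "email": "alice@example.com", "email_verified": True}
GOOGLE_CONSUMER = {"iss": "https://accounts.google.com", "sub": "2",
                   "email": "bob@gmail.com", "email_verified": True}
GENERIC_UNVERIFIED = {"iss": "https://idp.example.net", "sub": "3",
                      "email": "mallory@example.com", "email_verified": False}
```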


This is the strategy we're adopting at work.

People are currently implementing a simple self-service for common SAML and OIDC providers, like O365 and such. This will be free and recommended for all customers to use, because I believe in providing actual security for our customers.

And then you can order a consulting project on top to figure out a good way to import user groups, user identities and such into the platform, and ideally to integrate our preferred group structures with a customer's existing approval and group structures. This also includes help to initially connect us to the IDP. This is priced at a relatively cheap consultant level.

And then there is a second tier of consulting projects if the customer is using a non-standard IDP and can't do it on their own. Like, we have one customer that has an in-house developed SAML provider, but the original people who worked on it aren't there anymore. That was an interesting project and I learned way more stuff about SAML than I ever wanted, and also fixed a bug in their SAML provider code. This is priced right between "subject matter experts" and "no".

That's what I consider a very fair split. Simple SSO for everyone, especially on standard providers. And if you want to save a day or two of your identity and authentication teams, you can hand us some cash to do so. Smaller customers generally won't need this, they usually just have 1-2 groups they want to push and that's easy to do, but large customers with complex directories and many users in different departments like these projects a lot.


See the "Free SSO providers" column at https://ssotax.org.


Go ahead, make SAML, Kerberos, LDAP, whatever custom solution paid. But OIDC should be free, ideally even with my own Keycloak. Go ahead and put all the customizations in the paid tier, again, fine. If I want user/role mapping, I can set it up in Keycloak.

But it's silly paying more than an FTE's salary just for the SSO tax when you've got 5 people.



