SSO Expected at Launch
Michael Grinich, CEO of WorkOS, on AI startups getting enterprise-ready at launch
SSO has shifted from a late stage enterprise add on into a standard buying requirement for mid market SaaS deals. The practical change is that a 50 to 100 seat customer now expects employees to log in through Okta or Microsoft Entra on day one, not after a long security review, so vendors need self serve setup flows, admin portals, and automated provisioning early or they stall out on expansion and churn prevention.
-
WorkOS built around this exact workflow. Instead of a vendor hand configuring each identity provider, its Admin Portal lets a customer IT admin verify a domain, connect SAML or OIDC, and turn on directory sync without filing support tickets. That is what makes it possible to offer SSO in lower priced plans, not just top enterprise tiers.
-
The pricing model shows why the feature moved downstream. Identity vendors increasingly charge B2B apps by enterprise connection rather than by huge platform contracts, because the economic event is landing one more business customer that demands SSO. Stytch describes this directly, and WorkOS uses per connection pricing for SSO and directory sync.
-
This also fits the broader shift in SaaS go to market. New products are launching enterprise ready from the start, with SSO and admin controls much earlier than the Dropbox and Slack era. In that world, missing SSO no longer just blocks Fortune 500 procurement, it breaks the hybrid self serve to sales motion for modern software companies.
The next step is that SSO becomes the entry point, then vendors layer on SCIM, audit logs, fine grained permissions, and agent identity. As more AI native products sell into regulated teams from their first year, identity infrastructure will spread further downmarket, and the winning platforms will be the ones that make enterprise grade controls feel as easy to turn on as a payment API.