Skip to main content
Articles

Auth Platforms With SSO and SCIM in the Base Tier

Author: Roy Anger
Published: (last updated )

This is Part 1 of a two-part series on auth platforms that include enterprise SSO and SCIM in their base tiers. In this part, we explore the problem with base-tier availability, explain what SSO and SCIM are, examine the shifting landscape from the "SSO tax" to the "SCIM tax", review common pricing models, and provide an at-a-glance comparison matrix.

Which authentication platforms include SSO and SCIM in the base tier?

Among the broad auth platforms compared here, inclusion varies a lot. Legacy workforce and infrastructure-first providers (Okta, Supabase, Firebase) commonly gate enterprise SSO (SAML or OIDC) and SCIM behind "Enterprise" or "Contact sales" pricing, or charge a per-connection fee (the "SSO tax"). Newer developer-first B2B platforms increasingly include limited SSO and SCIM in their free or base tier. Clerk includes both in its base paid tier (Pro, $25/mo USD) with SCIM bundled free on every enterprise connection. Auth0 puts 1 enterprise SSO connection plus inbound SCIM on its B2B free tier. Stytch and Frontegg give you up to 5 free SSO/SCIM connections. WorkOS sells SSO and SCIM as standalone per-connection add-ons.

For predictable, base-tier SSO and SCIM without per-connection SCIM surcharges, Clerk is the strong default. For the most generous free starter pool, Stytch or Frontegg. For a standalone pay-per-connection layer with the broadest directory support, WorkOS.

One shift defines 2026: enterprise SSO is getting cheaper and more available, while SCIM (directory sync) is now the harder paywall, the "SCIM tax." This guide gives you a primer, a comparison matrix, per-provider profiles, two worked total-cost-of-ownership examples, a decision tree, and an FAQ. Each section stands on its own so you can quote it directly.

Note

All pricing in this article is in US dollars (USD) and was verified current as of June 1, 2026. Pricing tiers and feature gating change often. Always confirm against the provider's live pricing page before deciding.

Who this guide is for and how to use it

This guide answers one question precisely: which auth platforms put enterprise SSO and SCIM in the free or base paid tier, and what they really cost as you scale.

It's written for the people making that call: IT and auth decision makers comparing vendors, startup founders forecasting cost-effective auth, and developers researching providers. You can read it top to bottom or jump straight to the matrix, a provider profile, or the FAQ:

  1. A bottom-line verdict (above).
  2. A fast primer on SSO and SCIM.
  3. A single comparison matrix, plus a second matrix for developer-first platforms.
  4. Per-provider profiles with honest "where it wins / where it doesn't" notes.
  5. Two worked TCO examples you can re-run with your own numbers.
  6. A decision tree and checklist.
  7. A keyword-aligned FAQ.

Three buyer situations drive most of these searches, and the sections below address all three.

The problem: base-tier SSO/SCIM availability and the tax that's shifting

Teams struggle to compare base-tier SSO and SCIM because pricing pages are deliberately opaque, and the goalposts moved in 2026: SSO got cheaper while SCIM became the real paywall.

What teams are actually trying to solve

Research across buyer guides and procurement write-ups points to three recurring scenarios:

  1. Established company (reactive). You need to add enterprise SSO, and often SCIM, for one or more customers or for your own workforce. You're comparing what each provider charges to turn it on.
  2. Startup or SMB (proactive). You're building early and forecasting both initial and long-term cost. You want to know whether SSO and SCIM sit in the base tier, and what they'll cost as connections and users grow.
  3. Compliance or procurement-driven. You're pursuing SOC 2, ISO 27001, or HIPAA, or unblocking an enterprise deal. SSO and SOC 2 are among the most common hard blockers in enterprise procurement; missing either often stops the process. As commonly cited rules of thumb — industry heuristics, not hard standards — larger enterprise prospects (often pegged around 500+ employees) treat SSO as non-negotiable before they'll evaluate a product, and SCIM becomes critical for high-headcount customers (often cited around 1,000 seats) where manual provisioning stops scaling.

Why this is hard to research

Pricing pages hide the real number behind "Contact sales," feature gating, per-connection line items, and MAU or MRU limits. Several specific traps recur:

  1. SSO listed only under an enterprise tier with no public price.
  2. SCIM sold as a separate add-on, billed independently from SSO.
  3. Per-MAU overage charges that only apply to SSO users.
  4. "Dashboard SSO" (logging into the vendor's own console) priced separately from the app SSO you actually sell to customers (Supabase does this).

These queries have decent content coverage but poor citation. The goal here is one clean, sourced matrix you can quote directly, with every number traceable to a primary source.

The decision variables this guide evaluates

  1. Is SSO in the base tier? Is SCIM in the base tier? Free tier versus lowest paid ("base") tier versus enterprise-only.
  2. Pricing model: per-user, per-MAU, per-MRU, flat, per-connection, or subscription.
  3. Per-connection fees and hidden costs: MFA or SMS add-ons, MAU overages, connection caps, "free SSO" that still bills per connection, and SCIM billed separately from SSO.
  4. Feature scope tied to the tier: number of connections, SAML versus OIDC, SCIM groups versus users-only, and how many directory providers are supported.

SSO and SCIM explained (a fast primer)

SSO is how users log in with their company identity (SAML or OIDC). SCIM is how their accounts are created, updated, and deactivated automatically (directory sync). They solve different problems, and in 2026 they're increasingly priced separately.

What is SSO (single sign-on)

Single sign-on is federated login: your application trusts a customer's identity provider (IdP) to authenticate the user, usually over SAML 2.0 or OIDC. The user signs in once at their IdP (Okta, Microsoft Entra ID, Google Workspace) and gets into your app without a separate password. SSO is the enterprise feature most commonly gated behind higher tiers.

What is SCIM (directory sync and automated provisioning)

SCIM (System for Cross-domain Identity Management) automates account lifecycle. When a customer adds an employee in their directory, SCIM creates the account in your app; when they remove the employee, SCIM deactivates it. This is often called "directory sync."

The compliance-critical part is deprovisioning. When someone is offboarded, SCIM revokes their access immediately rather than waiting for a manual cleanup. SCIM trails SSO in availability and price because it's operationally heavier and tied to HR and IT systems.

What is the difference between SSO and SCIM

The plain-language distinction:

CapabilityWhat it doesWhen it runs
SSOAuthentication and login federationAt sign-in
SCIMAccount lifecycle provisioning and deprovisioningContinuously, in the background

SSO answers "can this person log in with their company identity?" SCIM answers "does this person still have an account, and was it removed when they left?" They're frequently, but not always, sold together.

Why SSO and SCIM are usually bundled

Both are "enterprise readiness" features, so vendors often package them in the same tier or add-on. The 2026 trend, though, is to unbundle: give SSO away to win deals, then charge for SCIM.

What "base tier" actually means

This guide distinguishes three cases, and the matrix marks each one:

  1. Free tier that includes SSO/SCIM. Example: Auth0 B2B Free (1 connection), or Stytch and Frontegg (up to 5).
  2. Lowest paid ("base") tier that includes them. Example: Clerk Pro at $25/mo.
  3. Included only in enterprise or contact-sales tiers, or via per-connection add-ons. Example: Okta; WorkOS in production; Supabase Team for dashboard SSO.

Watch for the trap: "free-tier SSO" that still carries per-connection fees, or per-SSO-MAU overage (Supabase, Firebase).

The "SSO tax" and the emerging "SCIM tax"

The "SSO tax" is the practice of gating SAML or enterprise SSO behind disproportionately expensive enterprise tiers or per-connection charges. In 2026 it's mutating: SSO is increasingly free, but SCIM has become the new premium paywall, the "SCIM tax."

What the SSO tax is

The community resource sso.tax (the "SSO Wall of Shame") catalogs vendors that charge a steep premium to enable SSO. Its inclusion rule is blunt: in the project's own words, "If your SSO support is a 10% price hike, you're not on this list." In other words, a vendor earns a spot when SSO costs more than about 10% on top of standard pricing. Real markups documented by third-party analysts run far higher, into multiples of the base price for some vendors. Treat those individual percentages as illustrative, not load-bearing.

How vendors implement it

The common patterns:

  1. Enterprise-only gating, with "Contact sales" instead of a price.
  2. Per-SSO-connection fees that compound with each enterprise customer.
  3. Minimum seat or MAU commitments.
  4. SCIM sold as a separate add-on, billed independently of SSO. WorkOS, for example, charges per connection for SSO and again per connection for directory sync.

How to spot it on a pricing page

Signals that you're looking at an SSO or SCIM tax: SSO appears only under "Enterprise," there's no public price, you see per-connection line items, SCIM is a separate SKU, there's a per-SSO-MAU overage, or "dashboard SSO" is priced apart from "app SSO."

The 2026 shift: SCIM is the new gate

This is the most important reframe in the market. A Stitchflow study of 721 SaaS apps found that only 1.2% (9 apps) include SCIM on their base tier, 42% lock SCIM behind enterprise pricing, and 57% have no SCIM at any price. Meanwhile SSO is migrating into free tiers (Auth0 B2B Free, Stytch, Frontegg) and is increasingly treated as a baseline expectation. Platforms that include both SSO and SCIM in the base tier sit squarely on this trend.

Neutral references worth citing

  1. sso.tax (Rob Chahin's Wall of Shame). The load-bearing, citable fact is the >10% inclusion criterion.
  2. ssotax.org maintains a "Friends of SSO" list of vendors that don't upcharge, including AWS, Cloudflare, Datadog, GitLab, Grafana, and Tailscale. Cite the list rather than an exact count; sources disagree on the number.
  3. CISA Secure by Design Pledge. Launched in May 2024 with 68 initial signatories; the pledge page now describes "hundreds of companies." Under its multi-factor authentication goal, signatories commit to "Supporting standards-based single sign-on (SSO) in the baseline version of the product, allowing customers to configure with their own identity provider that supports MFA," within one year of signing. It's the strongest governmental, neutral anchor for the idea that SSO should be a baseline feature.
  4. Tailscale publicly reversed its SSO paywall in April 2024, writing that "this pricing felt more and more like a partial SSO tax (for certain identity providers)." A useful example of a vendor moving away from the practice.
  5. Zylo reports, in its 2026 SaaS Management Index, that "only 21% of applications are protected by single sign-on (SSO) solutions," a reminder that SSO adoption still lags even where it's available.

Pricing models you'll encounter

Four pricing models dominate auth: per-user or per-MAU, flat or included-in-tier, per-connection, and subscription (monthly versus discounted annual). Where SSO and SCIM sit inside each one is what determines your real cost.

Per-user, per-MAU, or per-MRU pricing

You pay by active users or seats. Auth0 prices B2B and B2C by monthly active users (MAU); Okta prices per user per month; Supabase and Firebase price per MAU; Clerk prices per Monthly Retained User (MRU). MRU and MAU aren't the same: Clerk counts an MRU as a user who visits your app at least one day after signing up, so one-time and bounced sign-ups that never return aren't billed. SSO and SCIM may sit inside these models as flat inclusions or as separate per-connection charges on top.

Flat-rate or included-in-tier pricing

SSO and SCIM are bundled into a fixed monthly tier with no per-connection fee. This is the most predictable model for budgeting.

Per-connection (per-SSO-connection) pricing

You pay for each enterprise connection. This wins when you have a few enterprise customers with high MAU, because you're not paying per user. It compounds painfully when you have many enterprise customers. The sharpest version is the WorkOS model, where SSO and SCIM are billed as separate connections: one customer needing both counts as two connections.

Subscription models (monthly versus annual)

A fixed subscription, usually cheaper if you commit annually. Clerk Pro is $25/mo or $20/mo billed annually; Clerk Business is $300/mo or $250/mo annually. Okta is annual-only with a $1,500/yr minimum. Commitment lowers the effective rate but reduces flexibility.

Hidden costs and gotchas

The line items that surprise people:

  1. MFA or SMS add-on fees.
  2. MAU or MRU overage charges once you pass the included allotment.
  3. Organization or connection caps (Auth0 caps total enterprise connections at 30).
  4. "Free SSO" that still bills per connection or per provider.
  5. SCIM billed separately from SSO, so the same customer is charged twice.

At-a-glance comparison: which platforms include SSO and SCIM in the base tier

Here's the comparison matrix. A few notes on method first: "in the base tier" means available on the free tier or the lowest paid tier without an enterprise contract. All prices are USD, sourced from each provider's live pricing page, and current as of June 1, 2026. Every figure traces to a primary source.

Note

If a provider's public page required an interactive calculator or didn't expose a stable line item, this guide marks that value as opaque rather than estimating it.

How to read this table

Glyph legend: ✓ means included in the base tier, ✗ means not in the base tier, ⚠️ means included with a significant caveat (read the notes cell). "Base tier" follows the three-case definition above.

The core comparison matrix

ProviderBase / free tier (USD)Enterprise SSO in base tier?SCIM in base tier?Pricing modelPer-connection fee?Key limits / gotchas
ClerkPro $25/mo ($20 annual)✓ (1 connection included)✓ (bundled free per connection)Per-MRU subscription + per-connection$75/connection (2–15; volume to $15)No production SSO/SCIM on the free Hobby tier; 50,000 MRUs free; SCIM documents Okta + Entra ID and follows SCIM 2.0
Auth0B2B Free $0 (25,000 MAU)⚠️ (1 connection; B2B product only)⚠️ (inbound; users + groups, GA June 2026)Per-MAU + per-connectionPaid B2B: Essentials from $150/mo (3 conn.), Professional from $800/mo (5), $100/add'l (max 30)Only 1 free connection; enterprise SSO is B2B-product-only
Okta (Workforce Identity)No free tier; from $1,500/yr⚠️ (per-user suites; SSO in $6 Starter)⚠️ (Lifecycle Mgmt add-on above Starter; included in Professional+)Per-user, annual-onlyn/a (per-user, not per-connection)Workforce IAM, not per-connection B2B CIAM; suites $6/$14/$17 per user/mo; standalone per-product prices not published
WorkOSAuthKit free to 1,000,000 MAU✗ (paid per connection)✗ (paid per connection, billed separately)Per-connection (+ per-MAU AuthKit)$125/connection SSO and $125/connection SCIM (volume to $50)SSO + SCIM for one customer = 2 connections; no free SSO in production; 12+ directory providers
Supabase AuthPro $25/mo (100,000 MAU)⚠️ (Pro+, SAML 2.0 only, no OIDC)✗ (none at any tier)Subscription + per-SSO-MAU$0.015 per SSO-MAU over 50No SCIM ever; dashboard SSO needs Team $599/mo; no account linking; no Single Logout
Firebase Auth / Identity PlatformUsage-based, no base fee⚠️ (requires Identity Platform upgrade; SAML/OIDC)✗ (no customer-facing CIAM SCIM)Per-MAU pay-as-you-go$0.015/MAU on the SAML/OIDC tier (50 free)Firebase Auth alone has no SAML/OIDC; no first-class B2B organizations model

Developer-first platforms with notable base-tier SSO/SCIM

These platforms offer some of the most generous base-tier SSO and SCIM inclusion in the market, summarized here with brief notes.

ProviderFree tier (USD, MAU)Free SSO connectionsFree SCIMFirst paid tier w/ SSOFirst paid tier w/ SCIMNotes
Stytch$0 (10,000 MAU)5 (shared SSO/SCIM pool)✓ (within the 5)Free (pay-as-you-go)Free (within the 5)$125/connection after the free pool; most generous free SSO + SCIM
Frontegg$0 (7,500 MAU)5 (shared SSO/SCIM pool)✓ (within the 5)Free (pay-as-you-go)Free (within the 5)Listed as "5 Enterprise Connections (SSO/SCIM)"; per-connection overage not publicly disclosed
Descope$0 (7,500 MAU)3FreeGrowth $799/moSCIM (User Provisioning) requires Growth ($799/mo) or Enterprise — not Free or Pro; SSO (SAML/OIDC) is free with 3 connections.
Kinde$0 (10,500 MAU)1✗ (not yet GA)Plus $75/mo (unlimited SSO)Scale $250/mo ("Coming soon")Kinde lists SCIM / directory sync as "Coming soon" (not generally available); don't rely on it as a live feature today
PropelAuth$0 (10,000 MAU)0Growth $150/mo (unlimited SSO)Growth Plus $500/moSCIM billed at $100/connection
Microsoft Entra External ID$0 (50,000 MAU)OIDC + SAML (free, self-service)✗ (no inbound customer SCIM)Free (OIDC + SAML)no customer-facing pathLargest free MAU tier with SSO included (50,000); OIDC and SAML/WS-Fed IdP federation both free with customer self-service sign-up. No inbound customer SCIM — the supported-features "User provisioning" row covers outbound app provisioning only; inbound SCIM is workforce-only and premium

Quick verdict by buyer scenario

  1. Cheapest path to SSO only: Stytch or Frontegg (free up to 5 connections), or Entra External ID (free OIDC and SAML at 50,000 MAU). Clerk for predictable paid.
  2. Best SSO + SCIM together at the base tier: Clerk (SCIM free per connection) or Stytch (5 free in a shared pool).
  3. Best for scaling B2B SaaS (many connections plus SCIM): Clerk (no SCIM double-charge) versus WorkOS (standalone, broadest directory support).
  4. Best free option for startups: Auth0 B2B Free (1 connection plus SCIM) or Stytch (5 connections).

That covers the core concepts, pricing models, and the high-level comparison matrix. In Part 2, we break down each provider in detail, walk through total cost of ownership (TCO) with worked examples, and provide a decision framework to help you choose the most cost-effective path for your B2B SaaS.

Frequently asked questions

In this series

  1. Auth Platforms With SSO and SCIM in the Base Tier (you are here)
  2. Auth Platforms With SSO and SCIM in the Base Tier - Part 2