People are currently implementing a simple self-service for common SAML and OIDC providers, like O365 and such. This will be free and recommended for all customers to use, because I believe in providing actual security for our customers.
And then you can order a consulting project on top to figure out a good way to import user groups, user identities and such into the platform, and ideally to integrate our preferred group structures with a customer's existing approval and group structures. This also includes help to initially connect us to the IDP. This is priced at a relatively cheap consultant level.
And then there is a second tier of consulting projects if the customer is using a non-standard IDP and can't do it on their own. Like, we have one customer that has an in-house developed SAML provider, but the original people who worked on it aren't there anymore. That was an interesting project and I learned way more stuff about SAML than I ever wanted, and also fixed a bug in their SAML provider code. This is priced right between "subject matter experts" and "no".
That's what I consider a very fair split. Simple SSO for everyone, especially on standard providers. And if you want to save a day or two of your identity and authentication teams, you can hand us some cash to do so. Smaller customers generally won't need this, they usually just have 1-2 groups they want to push and that's easy to do, but large customers with complex directories and many users in different departments like these projects a lot.
Go ahead, make SAML, Kerberos, LDAP, whatever custom solution paid. But OIDC should be free, ideally even with my own Keycloak. Go ahead and put all the customizations in the paid tier, again, fine. If I want user/role mapping, I can set it up in Keycloak.
But it's silly paying more than an FTE's salary just for the SSO tax when you've got 5 people.
But "Sign in with..." or "Continue with..." M365 and Google gets you almost all SMB, and with Apple gets you individuals who spend money.
Add a domain check and you have the quick and dirty equivalent of SAML SSO without any touch at all.
https://id.atlassian.com/login
https://www.xsplit.com/user/auth
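
The "domain check" mentioned in the comment above, as an added example that is not part of the original thread: it decides whether an ID token from a social login belongs to a customer's organisation by using Google's `hd` claim and Microsoft's `tid` claim instead of the email suffix. It assumes signature, `aud`, `exp` and nonce validation already happened upstream; the function name, the `CUSTOMER` config and all sample values are hypothetical.

```python
"""Organisation check on already-verified OIDC ID-token claims (added example)."""

GOOGLE_ISS = "https://accounts.google.com"
MS_ISS_FMT = "https://login.microsoftonline.com/{tid}/v2.0"

# Hypothetical per-customer config: which Workspace domain / Entra tenant may sign in.
CUSTOMER = {
    "google_hd": "example.com",
    "ms_tid": "00000000-0000-0000-0000-000000000001",  # constructed tenant id
}


def check_domain(claims: dict, customer: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for claims whose signature was verified upstream."""
    iss = claims.get("iss", "")
    if iss == GOOGLE_ISS:
        # 'hd' is only present for Google Workspace accounts. A consumer
        # account that merely uses an @example.com address carries no 'hd',
        # so matching on the email suffix alone would let it through.
        hd = claims.get("hd")
        if not hd or hd != customer.get("google_hd"):
            return False, "google: hd claim missing or wrong domain"
        if claims.get("email_verified") is not True:
            return False, "google: email not verified"
        return True, "google: workspace domain matches"
    tid = claims.get("tid")
    if tid and iss == MS_ISS_FMT.format(tid=tid):
        # Bind to the tenant id rather than the email suffix, which is a
        # mutable attribute and not a stable identifier of the organisation.
        if tid != customer.get("ms_tid"):
            return False, "microsoft: wrong tenant"
        return True, "microsoft: tenant matches"
    return False, "unknown issuer"


if __name__ == "__main__":
    # Constructed sample claims, not captured from real tokens.
    samples = [
        {"iss": GOOGLE_ISS, "hd": "example.com", "email": "a@example.com",
         "email_verified": True},
        {"iss": GOOGLE_ISS, "email": "b@example.com", "email_verified": True},
        {"iss": MS_ISS_FMT.format(tid="00000000-0000-0000-0000-000000000002"),
         "tid": "00000000-0000-0000-0000-000000000002",
         "email": "c@example.com"},
    ]
    for s in samples:
        print(s.get("email"), check_domain(s, CUSTOMER))
```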