
> as most security certifications require SSO as a best practice, manually syncing users from different tools won't cut it

Having taken a couple companies through SOC2, I can say that's not true.

Lots of apps being used by enterprises don't even have support for SSO at all, even if you were willing to pay the tax. Audits can't require you to use something that does not exist. Thus, the manual syncing and comparing is a frequent ritual of audit compliance (and to be fair, is something that should be done regularly even if no auditor is asking for it).

> Also, implementing SAML-based SSO from scratch isn't that difficult, I did it for our enterprise product and it's barely 500 lines of code.

That's not the problem though, the issue is third-party apps that don't want/care to support SSO. You can't go and modify their code.


