The High Cost of Authentication
Authentication is one of those problems that seems simple until you start implementing it. Rolling your own auth is dangerous (security vulnerabilities, session management, password hashing). Using a dedicated auth provider is expensive.
Let's look at the major options:
| Provider | Free Tier | Paid Starts At |
|---|---|---|
| Auth0 | 7,500 MAU | $23/month |
| Okta | 100 MAU | $2/user/month |
| WorkOS | None (enterprise-only) | $49/month |
| Clerk | 5,000 MAU | $25/month |
| Firebase Auth | 10,000/month | Pay-per-use |
| PandaStack SSO | ❌ | Included in $12 Starter |
For B2B SaaS applications that need SAML-based enterprise SSO, WorkOS charges $49/month minimum and Auth0's enterprise SSO add-on is $130+/month.
What PandaStack SSO Supports
PandaStack SSO is included on all paid plans (Starter $12/month and above). It supports:
- SAML 2.0 — enterprise identity providers (Okta, Azure AD, OneLogin, Google Workspace)
- OIDC/OAuth 2.0 — modern SSO protocols
- Social logins — Google, GitHub, Microsoft
- Magic links — passwordless email authentication
- MFA — TOTP and WebAuthn (passkeys)
Setting Up SSO in PandaStack
Step 1: Enable SSO for Your Project
1. Go to your project dashboard
2. Navigate to Security → Authentication
3. Toggle Enable SSO → On
You'll see your project's SSO configuration:
- SSO URL: https://auth.pandastack.io/your-project-id/sso
- Entity ID: https://auth.pandastack.io/your-project-id
- ACS URL: https://auth.pandastack.io/your-project-id/saml/callback
Step 2: Configure Your Identity Provider
For Okta:
1. Log into your Okta admin console
2. Create a new SAML 2.0 application
3. Set Single Sign On URL to your PandaStack ACS URL
4. Set Audience URI to your Entity ID
5. Map attributes: email, first_name, last_name
6. Download the metadata XML
7. Upload to PandaStack under SAML Metadata
For Google Workspace:
1. Go to Admin Console → Apps → Web and mobile apps
2. Click Add App → Add custom SAML app
3. Enter your PandaStack SSO URL and Entity ID
4. Download the IdP metadata and upload to PandaStack
For Azure AD:
1. Azure Portal → Enterprise Applications → New Application
2. Set up custom SAML integration
3. Configure the Entity ID and Reply URL (ACS URL)
4. Assign users/groups
5. Download Federation Metadata XML
Step 3: Protect Your Application
PandaStack SSO integrates with your deployed applications. You can protect routes at the infrastructure level — no code changes required:
In your project settings, under Route Protection:
```
Protected paths: /admin/*, /dashboard/*, /api/internal/*
Login redirect: /auth/login
Post-login redirect: /dashboard
Allow unauthenticated: /*, /api/public/*
```
Any request to /admin/* will be intercepted at the edge and redirected to your SSO login page if the user isn't authenticated.
Step 4: Handle Auth in Your Application
If you need to access user data in your app, PandaStack injects auth headers into requests:
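```javascript
import express from 'express';

const app = express();

// In your Express middleware.
// Trust these headers only when the app is reachable solely through the
// PandaStack edge: a client that can reach the app directly can send them too.
app.use((req, res, next) => {
  const user = {
    id: req.headers['x-panda-user-id'],
    email: req.headers['x-panda-user-email'],
    name: req.headers['x-panda-user-name'],
    groups: req.headers['x-panda-user-groups']?.split(','),
  };
  req.user = user;
  next();
});
```
Or use the PandaStack SDK: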
```javascript
import { getUser } from '@pandastack/sdk';

app.get('/api/profile', async (req, res) => {
  const user = await getUser(req);
  res.json({ user });
});
```
Using SSO with Next.js
For Next.js applications, PandaStack provides a helper that works with both App Router and Pages Router:
```javascript
// middleware.js
import { withPandaAuth } from '@pandastack/next';

export const middleware = withPandaAuth({
  protectedPaths: ['/dashboard', '/admin'],
  loginPage: '/login',
});
```
Pricing Comparison for SSO
A team of 50 employees using SSO:
| Provider | Cost/Month |
|---|---|
| Auth0 (Professional) | $240/month |
| Okta (Workforce) | $4/user = $200/month |
| WorkOS | $49/month |
| Clerk (Pro) | $25/month |
| PandaStack SSO | Included in plan |
For a 50-person team, you'd pay $2,400-$2,880/year with Auth0. With PandaStack, SSO is included in your $12-$29/month subscription alongside all your other infrastructure.
Multi-Tenant SSO for SaaS
If you're building a B2B SaaS product and want to offer each customer their own SSO connection (so their employees can log in with their company's Okta/Azure AD), PandaStack supports per-organization SSO connections:
1. Each organization in your app gets a unique SSO connection ID
2. You configure the IdP metadata programmatically via API
3. Users are routed to the correct IdP based on their email domain

This is the feature WorkOS charges $49+/month for. On PandaStack, it's included in the Business plan.
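The email-domain routing in step 3 has a counterpart once the IdP responds: the asserted email has to belong to the connection that issued the assertion. The sketch below is an added example, not PandaStack code or its API; the `CONNECTIONS` table, its ids and domains, and all function names are constructed for illustration.

```javascript
// Constructed sample table: connection ids, org ids and domains are made up.
const CONNECTIONS = [
  { id: 'conn_acme', org: 'org_acme', domains: ['acme.example'] },
  { id: 'conn_globex', org: 'org_globex', domains: ['globex.example', 'eu.globex.example'] },
];

// Return the lower-cased hostname of a single mailbox address, or null.
// Exactly one "@" is allowed, so "a@b@acme.example" is rejected, not guessed at.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const m = /^[^\s@,;<>]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)$/i.exec(email.trim());
  return m ? m[1].toLowerCase() : null;
}

// Load-time check: a domain claimed by two connections makes routing ambiguous.
function duplicateDomains(connections) {
  const owner = new Map();
  const dups = [];
  for (const c of connections) {
    for (const d of c.domains) {
      const key = d.toLowerCase();
      if (owner.has(key) && owner.get(key) !== c.id) dups.push(key);
      else owner.set(key, c.id);
    }
  }
  return dups;
}

// Routing: exact match on the whole domain. Suffix or substring matching would
// also accept look-alike hostnames that merely contain a customer's domain.
function connectionForEmail(email) {
  const domain = emailDomain(email);
  if (!domain) return null;
  return CONNECTIONS.find((c) => c.domains.includes(domain)) || null;
}

// After login: the email the IdP asserts must sit in a domain owned by the
// connection that produced the assertion, or one tenant's IdP could vouch for
// an address in another tenant's domain.
function acceptAssertion(connectionId, assertedEmail) {
  const conn = CONNECTIONS.find((c) => c.id === connectionId);
  const domain = emailDomain(assertedEmail);
  if (!conn || !domain || !conn.domains.includes(domain)) {
    return { ok: false, reason: 'email domain not owned by this connection' };
  }
  return { ok: true, org: conn.org, domain };
}
```

Run `duplicateDomains` whenever the table changes, and call `acceptAssertion` with the connection id recorded when the login started, not one taken from the response.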
Conclusion
SSO authentication is no longer a luxury reserved for enterprises with six-figure tooling budgets. PandaStack makes it accessible for any team, included in a $12/month subscription.
[Enable SSO on PandaStack →](https://dashboard.pandastack.io)