Who needs SSO in a CRM
Single sign-on stops being a nice-to-have the moment your CRM holds real customer data and your headcount crosses the point where you can't remember who has a login. IT and security teams want one identity provider — Okta, Azure AD / Entra ID, Google Workspace — to be the single front door: one place to enforce MFA, one place to cut access when someone leaves, one audit trail. Without SAML, offboarding means someone manually remembering to disable a CRM seat, and "we deprovision within 24 hours" turns into a finding on your next SOC 2 or ISO 27001 report. SCIM takes it further: instead of admins creating and deleting CRM users by hand, the IdP pushes provisioning and, critically, deprovisioning automatically — a leaver's access dies the instant HR flips their status.
The catch is the "SSO tax." Almost every CRM gates SAML behind its top pricing tier, so the feature your security team considers table stakes is bundled with a per-seat price built for enterprises. You rarely buy SSO on its own; you buy the Enterprise plan and SSO comes along for the ride. That makes "which tier unlocks SAML" the real buying question, because the answer can triple your per-seat cost.
What to consider
- Best for enterprise IT depth → Salesforce. SAML 2.0 and delegated authentication are available across Salesforce editions (My Domain is required), and it's a full identity provider in its own right, not just a consumer. SCIM provisioning, just-in-time user creation, and Okta/Azure AD/Ping integrations are all first-class. The cost signal is the platform itself — Enterprise runs $165/seat/mo — but SSO is not the thing you pay extra for here.
- Best for polished mid-market → HubSpot. SSO (SAML via Okta, Azure AD, Google, OneLogin) is gated to the Enterprise tiers — Sales Hub Enterprise is $150/seat/mo. SCIM user provisioning is supported on Enterprise. Below that tier there is no SAML at all, which is HubSpot's SSO tax in its purest form: you upgrade the whole hub to get one security control.
- Best for Microsoft shops → Microsoft Dynamics 365. Authentication runs through Entra ID (Azure AD) natively, so SSO, conditional access, and MFA come from the identity platform you already run rather than a CRM setting. SCIM provisioning flows through Entra, and if your org already lives in Microsoft 365 this is the lowest-friction option on the list. Sales Enterprise is around $105/seat/mo.
- Best for value at scale → Zoho CRM. SAML SSO is supported and, unusually, available well below the top tier — Zoho exposes SAML on its higher CRM plans and across Zoho One, with IdP support for Okta, Azure AD, and Google. At roughly $40–52/seat/mo for the upper CRM editions, it's the cheapest way to get enforced SAML without an enterprise contract. SCIM support is more limited than Salesforce or Dynamics.
- Best for modern startups → Attio. SAML SSO and SCIM provisioning land on Attio's higher tiers (Pro and Enterprise), with clean Okta / Google / Azure AD setup and a modern admin surface. For a fast-growing startup that wants enforced SSO without a legacy-CRM price tag, it's the most contemporary implementation here — Pro is $69/seat/mo, Enterprise is quote-based.
- Best for lean sales teams → Pipedrive. SAML SSO is an Enterprise-tier feature (~$99/seat/mo), supporting the usual Okta/Azure AD/Google IdPs. SCIM is limited, so provisioning stays semi-manual. If your only requirement is "log in through our IdP and enforce MFA," Pipedrive Enterprise covers it — but you're buying the top tier to get there.
The technical layer that actually matters
SAML 2.0 vs OIDC. Most CRMs implement enterprise SSO with SAML 2.0 — the XML-based standard IdPs like Okta, Entra ID, and Ping speak natively. Some newer platforms also support OpenID Connect (OIDC), the OAuth 2.0-based protocol that's lighter and more API-friendly. For a CRM, SAML is the safe assumption; confirm OIDC only if your IdP standardizes on it. Either way, "Sign in with Google" social login is not the same as SAML SSO — social login is a convenience feature, not a security control, and it won't satisfy an auditor.
SCIM auto-provisioning and deprovisioning. SAML handles authentication (who can log in); SCIM handles lifecycle (who has an account at all). Without SCIM, an admin still creates and deletes CRM users manually. With it, the IdP pushes new hires into the CRM with the right role and — the part security actually cares about — revokes access automatically when someone is offboarded. If instant deprovisioning is a compliance requirement, SCIM is non-negotiable, and it's a meaningfully smaller club than SAML: Salesforce and Dynamics do it well, HubSpot and Attio support it on Enterprise, Zoho and Pipedrive are thinner here.
Enforced vs optional SSO. Turning SAML on isn't the same as requiring it. Optional SSO leaves the native email-and-password login live in parallel, so a user can bypass your IdP (and your MFA policy) entirely. Enforced SSO disables password login and forces everyone through the IdP — that's what closes the loophole and what auditors look for. Check that your CRM lets you enforce, not just enable, SSO before you consider the control real.
JIT provisioning, sessions, and MFA. Just-in-time provisioning creates a user record on their first SSO login instead of pre-staging accounts — convenient, but it's not deprovisioning, so pair it with SCIM if leavers must lose access automatically. Session lifetime and re-authentication are usually inherited from the IdP, which is the point: enforce MFA, conditional access, and session timeouts once at the identity layer and every SAML-connected app obeys, CRM included.
How to choose
Start with your identity provider and your compliance clock. If you already run Microsoft 365, Dynamics 365 through Entra ID is the least friction you'll find. If you're standardized on Okta or Google and want the deepest provisioning story, Salesforce is the safe enterprise answer. If the SSO tax is the problem — you need enforced SAML but can't justify a $150/seat Enterprise jump — Zoho CRM and Attio are the value plays, with Attio the more modern build and Zoho the cheapest path to real SAML.
Then pressure-test three things before you sign: can you enforce SSO (not just enable it), does SCIM handle automatic deprovisioning, and which exact tier unlocks both. The gap between "supports SSO" on a marketing page and "enforced SAML plus SCIM deprovisioning on the plan we can afford" is where most CRM security evaluations quietly go wrong.