Google Sign-In is locking people to using Google's infrastructure. If an SMB has already deployed using Azure you don't get access using SSO, instead you have to fall back to username/password?
Adding support for OIDC is not that difficult. I prefer OIDC over SAML anyway, but neither is that difficult.
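To make "not that difficult" concrete, here is the relying-party side of the OIDC authorization code flow as an added example; it is not code from any commenter or product in this thread. It builds the authorization request (state, nonce, PKCE), checks the state on the callback, and validates the ID token's signature, issuer, audience, expiry and nonce. Everything is Python standard library; the issuer, client ID, client secret and redirect URI are constructed placeholders, and the token is HS256-signed with the client secret (which OIDC Core permits) so that the whole thing runs offline with no JWKS fetch.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical relying-party settings, constructed for this example only.
ISSUER = "https://idp.example.com"
CLIENT_ID = "saas-app"
CLIENT_SECRET = "constructed-client-secret-not-for-production"
REDIRECT_URI = "https://app.example.com/auth/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_auth_request():
    """Return (authorize_url, session) for the authorization code flow.
    state ties the callback to this browser session (login CSRF defence),
    nonce ties the ID token to this login (replay defence), and PKCE ties
    the authorization code to this client (code interception defence)."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = f"{ISSUER}/authorize?{urlencode(params)}"
    # The session values must be stored server-side, never trusted from the request.
    return url, {"state": state, "nonce": nonce, "verifier": verifier}


def check_callback(callback_url: str, session: dict) -> str:
    """Validate state on the redirect back from the IdP and return the code."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: possible login CSRF or stale session")
    if "error" in qs:
        raise ValueError(f"IdP returned error: {qs['error'][0]}")
    return qs["code"][0]


def verify_id_token(token: str, session: dict, now=None) -> dict:
    """Verify an HS256 ID token (key = client secret, per OIDC Core 10.1)
    plus iss, aud, exp and nonce. Returns the claims on success."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose (blocks alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    mac = hmac.new(CLIENT_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), session["nonce"].encode()):
        raise ValueError("nonce mismatch: token replayed from another login")
    return claims


def mint_test_id_token(claims: dict) -> str:
    """Constructed stand-in for the IdP token endpoint; real IdPs mostly use RS256."""
    h = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"
```

In a real deployment the token endpoint exchange (code plus `verifier`) and the JWKS fetch for RS256 keys sit between `check_callback` and `verify_id_token`; the claim checks shown are the ones a relying party must do regardless of library. Logging the reason for each rejection, as the support discussion below suggests, is what turns "SSO doesn't work" tickets into a five-minute fix.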
> Adding support for OIDC is not that difficult. I prefer OIDC over SAML anyway, but neither is that difficult.
Since it seems that you know what you are doing (and you've done it before), how about a blog post detailing the steps one would go through when writing some SaaS app for a client who wants SSO?
The issue isn’t writing the code. It’s everything that comes after in terms of user support. The systems are relatively easy to integrate with libraries or products like Auth0.
In which case, I’d look at the documentation that companies put out for SSO to get a feel for the types of issues your customers will face. Make sure your system logs everything (or pay Auth0) and provide this as a feature. It’ll cut down a lot of support calls.
Budget in time for your engineers to sit on support calls and directly work through them with customers. Document every issue you see for your support team. If you can, hire a semi technical person to do this support (especially if you want to scale up). It’ll take a load off your engineers.
If your permission system allows it, enable IDP-initiated login as a must have.
Have a strategy for if a customer locks themselves out with a bad configuration. You’ll need either to force them to have a password account or a way to reach out to Support to turn it off for them to try again.
After that, honestly, the issues will be a grab bag of things. They’re generally one-off issues per customer but they can take time while you resolve them.
Finally, most customers are great and get it. Some are great and don’t get it. The last group think they know more than you and clearly don’t. They’ll eat up most of your time.
If it requires configuration on the user’s end then it’s no better than SAML from the vendor's perspective. We’d much rather choose specific providers to hook into, based on the likelihood of increasing sign-ups.