> The average employee likely has 10-20 (hopefully) different sets of credentials that they must maintain and update as necessary
That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)
For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.
We rely on all kinds of industry-specific applications that only support username/password (and SMS OTP if we're lucky). After that, there are a bunch of services that do offer SSO but only if you pay stupid money. For example, we spend about $100/month on Twilio but their SSO plan starts at $15k/month.
This is nice until you consider the network effects. People can often get away with the $5/user/month plan, until they need SSO, in which case it always becomes $30k a year.
SSO seems like the only way SaaS companies can make money, and what this HN post tells me is that even enterprises with 10k employees (!) still find that to be a little out of their price range. The state of the industry is kind of crazy, but that's why people are looking for an enterprise 1password account. Cheaper to pay them once than to pay 1000% markup on every SaaS you use.
Sorry should have clarified - we are a government organization that interacts with a number of other government agencies. It's simply not feasible for us to implement SSO for all of our own internal applications (many different units/teams), let alone the external apps/systems we are consumers of.
Then don't give your business to them. Let them very clearly know "we will not purchase your services until you support SSO at a reasonable price". Otherwise they'll never learn.
I think you're greatly overestimating the influence IT departments have over purchasing decisions at large companies. Not only does management rarely consider their input, it's common for IT departments to simply be told "oh, by the way we just bought X, get it running."
I'll try that reasoning with my PCI/DSS auditors next time. Let's see what they think about that.
If you think I'm being hyperbolic, I'm not. Our org has recently gone through a PCI/DSS audit, and there was a lot of frustration about the amount of required changes with regards to locking down access policies, tracking suspicious activity, enforcing 2FA and such, but most of the stuff that I saw change was stuff that feels like it really should be entirely obligatory in the first place.
There is a great tradition in IT to teach yourselves using free (as well as free-of-charge) software, but when you're in the business of IT, there should be much stricter regulation. If you're a civil engineer and the bridge you design collapses because you did your math wrong, you are criminally liable for the damage. But if you're a software "architect" and you negligently put an instance of database-du-jour on the internet without proper access controls or a vulnerability tracking process, you most often get away by just saying "whoopsie-daisy" and giving a flimsy apology to the millions of customers that had their personal data stolen. Worst case scenario, you get a fee of a few percent of your earnings. That has to end.
That's your red flag right there. All identities that are tied to individual people should be connected to SSO in some way, then there will be no juggling of passwords at all on the individual-person level. Then you only need some 2FA solution on top in your identity provider, for instance TOTP or FIDO, and you're all set. (Corollary: If at all possible, only pick external services that can plug into your company's own SSO.)
For credentials not tied to individual people, e.g. root passwords on devices, my org uses HashiCorp Vault, and we're mostly satisfied with it. It's a bit of a struggle to configure the policies so that each group of (human/technical) users only has access to the secrets that they actually need, but I won't put the blame for that on Vault.