Enterprise SaaS Features: SSO, SAML, Multi-Tenancy, RBAC & Compliance
What Enterprise Buyers Expect
Security Requirements
- SSO/SAML — Single Sign-On is the number one enterprise requirement. If you don't have it, you won't pass procurement.
- Encryption — Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
- SOC 2 Type II — Third-party audit proving your security controls work over time, not just on paper.
- Penetration Testing — Annual pen tests by a reputable third party, with documented remediation of findings.
Operational Requirements
- 99.9%+ Uptime SLAs — Contractual guarantees with financial penalties for downtime.
- Dedicated Support — Named account managers, priority response times, and escalation paths.
- Data Export/Portability — Enterprises need to know they can leave. Ironically, providing easy export makes them more likely to stay.
- Custom Contracts and Invoicing — Enterprise procurement teams need MSAs, DPAs, and NET-30/60 invoicing rather than credit card billing.
You don't need all of these on day one. Start with SSO and basic compliance — those two alone unlock the enterprise conversation.
SSO and SAML Implementation
How SAML Works
- User enters their company email on your login page.
- Your app redirects the user to their Identity Provider (IdP) — Okta, Azure AD, Google Workspace, etc.
- The user authenticates with the IdP, typically with MFA.
- The IdP sends a signed SAML assertion back to your app.
- Your app validates the assertion signature and creates a session.
Build vs Buy
Building SAML from scratch is painful and error-prone. Use a dedicated provider instead:
- WorkOS — Enterprise-ready SSO used by Vercel, Loom, and others. Clean API, quick integration.
- Auth0 — Full authentication platform with SAML, OIDC, and social login. More comprehensive but heavier.
- Clerk — Modern auth with pre-built UI components. Great developer experience and fast time-to-market.
All three handle the complexity of supporting dozens of IdPs so you don't have to.
Multi-Tenancy Architecture
How you isolate customer data is one of the most important architectural decisions for enterprise SaaS:
Shared Database, Shared Schema
Every tenant's data lives in the same tables, separated by a tenant_id column. This is the cheapest and simplest approach, but requires careful query scoping — a missing WHERE clause can leak data across tenants.
Shared Database, Separate Schemas
Each tenant gets their own schema (set of tables) within a single database. Provides stronger isolation than shared schema with moderate complexity. Migrations need to run per-schema.
Separate Databases
Each tenant gets a completely isolated database. Maximum isolation and the easiest to reason about security-wise, but the most expensive to operate and maintain.
Most SaaS companies start with shared database/shared schema for cost efficiency, then offer isolated infrastructure as an enterprise upsell for customers with strict data residency or compliance requirements.
Role-Based Access Control (RBAC)
Enterprise customers need granular control over who can do what within your application. A standard role hierarchy:
- Owner — Full access to everything, including billing and account deletion.
- Admin — Full access to features and user management, but no billing access.
- Editor — Read/write access to content and data, but no user management capabilities.
- Viewer — Read-only access. Can see everything but change nothing.
The critical implementation detail: check permissions at both the API layer and the UI layer. Hiding a button in the UI is not security — users can call your API directly. Every API endpoint must verify the requesting user has the required role before executing the action.
Audit Logging
Enterprise buyers need to know who did what, when, and from where. Audit logs are non-negotiable for compliance and incident response.
Authentication Events
- Successful and failed login attempts
- Password changes and resets
- MFA enrollment and verification
Data and Admin Actions
- Create, read, update, and delete operations on sensitive resources
- Role changes and permission modifications
- Data exports and bulk operations
- Settings and configuration changes
What to Store
Each audit log entry should include: actor ID (who), action (what), resource (on what), timestamp (when), and IP address (from where).
Store audit logs immutably — once written, they should never be modified or deleted. Provide a searchable log viewer in your admin panel so enterprise admins can investigate incidents without contacting your support team.
Compliance Frameworks
SOC 2
The most commonly requested compliance framework for SaaS. SOC 2 audits evaluate your security, availability, and privacy controls over a defined period. Type I is a point-in-time snapshot; Type II covers 3-12 months of operation and carries more weight. Cost: $20K–$100K+ depending on scope and auditor. Tools like Vanta and Drata automate evidence collection and can cut preparation time significantly.
GDPR
Required if you handle data from EU residents. Key obligations:
- Explicit consent for data collection and processing.
- Right to deletion — users can request complete removal of their data.
- 72-hour breach notification — you must notify authorities within 72 hours of discovering a data breach.
HIPAA
Required if your SaaS handles Protected Health Information (PHI). Key requirements:
- Encryption of PHI at rest and in transit.
- Access controls limiting who can view patient data.
- Audit trails for all PHI access.
- Business Associate Agreements (BAAs) required with every vendor that touches PHI.
Enterprise Pricing Strategy
Enterprise pricing is fundamentally different from self-serve pricing. Common models:
- Per-Seat — $X/user/month, like Slack. Simple to understand, scales with adoption. Works best when every user gets clear value.
- Platform + Usage — Base platform fee plus usage-based charges. Works well for infrastructure and API products where consumption varies widely.
- Custom/Value-Based — Price based on the value delivered to the customer rather than your costs. The highest-margin approach but requires deep understanding of each customer's business.
A "Contact Sales" button on your enterprise tier isn't laziness — it lets you understand each prospect's specific needs and price accordingly. Enterprise deals are consultative, not transactional.
Annual contracts are the norm in enterprise sales. They improve your cash flow (collect 12 months upfront), reduce churn (harder to cancel mid-contract), and make your revenue more predictable for planning and fundraising.