It's not that small companies don't want it, it's that they're capable of not getting it. Larger companies aren't: one thing their SOC2 auditors will actually be able to evaluate is whether all their vendors do SSO.