idpcost.com
Memo
To: IT / Security buyer · 2026 IdP procurement
From: idpcost.com · Independent buyer reference
Date: 3 June 2026
Subject: What an IdP actually costs end-to-end

The headline IdP price isn't what you'll pay.

Identity Provider pricing pages publish per-user-per-month figures. The end-to-end Year-1 cost is materially higher across every IdP in this cohort because of category-specific hidden cost lines: SAML tax (SSO behind enterprise tier), MAU-based pricing surprises (Auth0), audit-log retention overhead, MFA upgrade tiers, and migration cost on exit.

This memo walks the 8 enterprise IdPs in the 2026 buyer cohort and surfaces the actual end-to-end cost. For the vendor list-pricing comparison view, see idppricing.com. This site is the buyer-lens companion — same vendors, framed around what the procurement / security team actually budgets for over 3 years.

Headline finding · 2026
Across the cohort, end-to-end Year-1 IdP TCO is typically 1.4x to 2.2x the headline per-user-per-month list figure for a 200-employee buyer. Auth0 and Okta have the biggest gap (2.0-2.2x). Entra and JumpCloud have the smallest (1.4-1.6x). Migration cost on exit is a separate line that's rarely modelled.

1. Year-1 TCO by IdP

Representative buyer: 200 employees · 30 SaaS apps · full SAML + MFA + lifecycle automation + 90-day audit retention.

| IdP | Headline list (per-user-mo) | Year-1 TCO | Hidden cost |
|---|---|---|---|
| Okta Workforce Identity | $6 | $42K- | The $1,500/yr annual minimum is the structural cost trap... |
| Microsoft Entra ID | $6 | $0- | The M365 bundling math is the entire hidden cost story... |
| JumpCloud | $3 | $31K- | Module stacking is the structural cost driver... |
| Auth0 | Quote | $17K | MAU-based pricing is the structural surprise... |
| OneLogin | $3 | $19K- | Post-acquisition uncertainty is the structural risk... |
| Ping Identity | $3 | $50K- | Enterprise-only pricing model... |
| Duo (Cisco) | $3 | $22K | Cisco SecureX integration is the silent cost driver... |
| Authentik | $5 | $0- | Self-host ops cost is the hidden cost... |

2. The four hidden cost categories every IdP touches

SAML tax. Most IdPs gate SAML SSO behind an enterprise tier — even when the lower tiers are advertised for "small business". Auth0's tier jump to Enterprise (where SAML lives) is approximately 3x the per-MAU cost. Okta's Starter ($6) doesn't include full SAML; Core Essentials ($14) does. The SAML tax exists because IdPs know SSO-enabled enterprise app vendors charge their own SSO tax — IdP pricing tracks that pattern. Deep dive: the SAML tax

MAU-based pricing surprise. Auth0 charges per monthly active user, not per seat. For B2C deployments with traffic spikes, this drives unexpected bill volatility. Other IdPs (Okta, Entra, JumpCloud) charge per provisioned user, which is more predictable but typically more expensive at low MAU/seat ratios. The choice between MAU and seat pricing matters more than the headline rate.

Audit log retention. Default retention is short (7-30 days) across most IdPs. Compliance-driven retention (SOX, HIPAA, GDPR) requires an upgrade. Entra default retention is 7 days on the free tier and 30 days on P1/P2; longer retention goes through Log Analytics (a separate Azure cost). Okta's default is 90 days; longer retention requires a Workforce Identity Cloud upgrade. Audit retention cost math

Migration cost. Switching IdPs runs $50K-$400K for a 200-employee + 30-app deployment depending on custom automation depth. Okta's Workflows and Auth0's Rules / Actions are the most expensive migration components because they don't port to other IdPs. Migration cost deep-dive

3. 3-year TCO matters more than Year-1

IdP procurement is typically a 3-year decision because of (a) integration cost amortisation, (b) typical enterprise contract length, and (c) migration cost on exit. Year-1 TCO understates the total commitment because tier upgrades, MAU growth, and add-on modules accumulate. The 3-year TCO deep-dive walks the math for each IdP at three buyer profiles (SMB / mid-market / enterprise).

4. Buyer profiles — which IdP fits which buyer

5. The lens that's missing from idppricing.com

idppricing.com presents what each IdP publishes. This site presents what each IdP actually costs. The two views are complementary — IT directors comparing vendors generally want the vendor list-pricing comparison; engineering and security leaders budgeting for 3-year IdP spend need the end-to-end cost view. Both audiences exist; both lenses are valid.