Authentik
live verifiedAuthentik Security · Per-internal-user. External users (B2B / customer-facing federation) priced at $0.02/external-user/mo.
Open-source, self-hosted by default. Free Community tier covers all core IdP features. Enterprise adds dedicated support; Enterprise Plus adds FIPS and multi-instance for regulated industries. Below ~30 internal seats, self-hosted Community is the cheapest credible IdP. Above that, the operational burden usually justifies a commercial alternative.
1.Year-1 TCO breakdown
Representative buyer: 200 employees, 30 SaaS apps, full SAML + MFA + lifecycle automation, 90-day audit retention.
2.The hidden cost category for this IdP
**Self-host ops cost is the hidden cost.** Authentik's open-source model genuinely costs $0 in licensing but requires meaningful ops investment: ~0.25-0.5 FTE for a 200-employee deployment, plus infrastructure ($200-$800/mo). All-in ops cost $40K-$80K/yr — comparable to Okta licensing. Self-host makes sense for buyers with strong DevOps capabilities and security teams; not for buyers without that infrastructure.
3.Migration cost out of Authentik
Migration off Authentik to a SaaS IdP runs $30K-$90K — simpler than commercial-to-commercial migrations because Authentik's SAML implementation is fully standards-compliant.
4.The negotiation lever
Self-host vs Enterprise. The lever isn't on price (it's open source) — it's the build-vs-buy decision. Have a frank internal conversation about DevOps capacity before committing to self-host; switching from self-host to Enterprise mid-deployment is a meaningful migration cost.
5.Vendor tier reference
| Tier | Per-user (USD/mo) | Features |
|---|---|---|
| Community (self-host) | $0 | Free, all core features. Ops cost is real ($200-400/mo hosting + admin time). |
| Enterprise (self-host or SaaS) | $5 | Dedicated support, advanced policies, role-based admin |
| Enterprise Plus | Quote | FIPS compliance, multi-instance, $20k/yr floor |