OneLogin
live verifiedOne Identity · Per-user tiered (Basic $3, Essentials $6, Business $10, Enterprise quote). No annual minimum stated on the page.
Now owned by One Identity. Unlimited SAML and OIDC SSO is included in every tier — even Basic at $3/user/mo — so there is no SAML tax; MFA is available across tiers but requires an SSO plan as a prerequisite. Cheaper than Okta at the entry point and supports passkeys (WebAuthn including device-bound, synced, and cross-device passkey flows).
1.Year-1 TCO breakdown
Representative buyer: 200 employees, 30 SaaS apps, full SAML + MFA + lifecycle automation, 90-day audit retention.
2.The hidden cost category for this IdP
**Post-acquisition uncertainty is the structural risk.** One Identity acquired OneLogin in 2021; OneLogin remains a distinct product but roadmap clarity has been thin. Some functionality has been deprioritised in favour of One Identity's broader IGA suite. The hidden cost: buyers committing to OneLogin in 2026 face roadmap risk that could force migration in 2027-2028.
3.Migration cost out of OneLogin
Migration off OneLogin runs $50K-$140K for 200-employee deployment. SAML reconfiguration per app, SCIM rebuild. Simpler than Okta migration because OneLogin doesn't have the same custom-workflow complexity.
4.The negotiation lever
Acquisition-uncertainty discount. OneLogin sales acknowledges the One Identity acquisition has created customer hesitation; multi-year commits get steeper discounts (25-35% off list) than they would have pre-acquisition. The lever: leverage the roadmap uncertainty to negotiate aggressively at signing.
5.Vendor tier reference
| Tier | Per-user (USD/mo) | Features |
|---|---|---|
| Basic | $3 | Unlimited SAML/OIDC SSO + MFA; identity lifecycle limited to 5 apps |
| Essentials | $6 | Adds advanced directory + broader lifecycle automation |
| Business | $10 | Adds SmartFactor auth, custom branding, advanced policies |
| Enterprise | Quote | Quote-only — Desktop MFA, threat-aware MFA, custom SLA |