idpcost.com
Memo
To: IT director planning IdP migration
Re: Cost of switching IdPs

Migration cost out of an IdP.

Switching identity providers is the most expensive change-management project in enterprise IT after ERP migrations. The headline cost for a 200-employee, 30-app deployment runs $50K-$400K depending on the source IdP (custom automation depth), the target IdP (integration tooling), and the audit / compliance requirements (data export retention).

This cost is rarely modelled at IdP procurement time. Most IdP RFPs focus on per-user pricing and feature parity; migration cost on exit appears at renewal time when the buyer's leverage is gone. Modelling exit cost up-front changes the IdP evaluation calculus.

1. Migration cost components

Per-app SAML reconfiguration ($500-$5K per app). Each SaaS app integrated with the old IdP must be reconfigured against the new IdP. Standard SaaS apps (Salesforce, ServiceNow, GitHub) take 1-2 hours each. Custom or legacy apps with bespoke SAML attributes can take 2-3 days each. For 30 apps, expect $20K-$60K of integrator time.

SCIM connector rebuilds ($2K-$15K per connector). User provisioning automation via SCIM must be rebuilt for the new IdP. Standard connectors are quick; custom connectors (for older apps not in the new IdP's catalog) require engineering work.

MFA enrollment migration ($5K-$30K). Users with MFA enrolled in the old IdP must re-enroll. For 200 users, this is a meaningful change-management effort — communication, helpdesk surge, edge cases. Some IdPs support MFA token import; most don't.

Custom automation rebuild ($30K-$200K). The biggest variable. Okta Workflows, Auth0 Rules / Actions, Entra Conditional Access policies — these don't port between IdPs. Buyers who built meaningful custom automation must rebuild it in the new IdP's automation framework. This is where migration cost compounds for Okta and Auth0 specifically.

Audit log export ($5K-$25K). Compliance often requires retaining historical audit logs from the old IdP for 7+ years. Exporting and archiving these is a real engineering task — typically $5K-$25K depending on log volume.

Internal change management ($10K-$50K). Helpdesk surge during migration (user confusion, password reset spikes), security team review, vendor SOW, internal communication. Often underestimated.

2. Migration cost by source IdP

| From | Migration cost range | Main cost driver |
|---|---|---|
| Okta | $80K-$250K | Workflows custom automation rebuild |
| Entra ID | $50K-$150K | Conditional access policy rebuild + M365 integration unwind |
| Auth0 | $100K-$400K | Custom Rules / Actions don't port; B2C user flows require redesign |
| JumpCloud | $60K-$180K | MDM device management policy rebuild |
| OneLogin | $50K-$140K | Standard SAML; migration is among the simpler in cohort |
| Ping Identity | $150K-$500K | On-prem PingFederate customisation depth; cloud-only PingOne is simpler |
| Duo | $40K-$120K | Standard SAML; Cisco SecureX integration unwind |
| Authentik | $30K-$90K | Standards-compliant SAML; main cost is rebuilding any custom flows |

3. How to reduce migration cost on exit

4. Audit retention cost math (referenced from homepage)

Default audit retention across IdPs is short: Entra Free 7 days, Entra P1/P2 30 days, Okta 90 days, Auth0 30 days, JumpCloud 365 days. Compliance frameworks (SOX, HIPAA, GDPR, SOC 2) typically require 7-year retention. Bridging the gap costs.

Option 1: upgrade the IdP tier. Quote-only at most IdPs; typical +$8-15K/yr for extended retention.

Option 2: export to your own SIEM or data warehouse. Engineering cost $5-15K to set up; ongoing $200-$1,000/mo storage.

Option 3: do nothing and accept the compliance gap (most common, also the highest-risk).