3-year IdP TCO.
IdP procurement decisions are typically 3-year commitments — integration cost amortises over multiple years, enterprise contracts run 24-36 months, and migration cost on exit is meaningful. Year-1 TCO understates the actual commit.
Across the cohort, 3-year cumulative TCO is typically 30-60% higher than 3x Year-1 because of (a) tier upgrades triggered by feature requirements that emerge in production, (b) MAU growth for usage-based pricing, (c) audit retention upgrades after the first compliance audit, and (d) module additions as the deployment matures.
1. 3-year TCO by buyer profile
Three representative buyer profiles. All figures USD, 3-year cumulative, for the headline-tier IdPs in each category.
SMB profile · 50 employees · 15 apps
| IdP | Year-1 | 3-year cumulative | Notes |
|---|---|---|---|
| Entra ID Free (M365 E1 included) | $0 | $0 | Already paid via M365 |
| JumpCloud full stack | $7,800 | $26,000 | ~$13/user × 50 × 36 + escalation |
| Okta Core Essentials | $8,400 | $28,000 | $1,500/yr minimum makes Okta workable at this size; escalation typical 8-10%/yr |
| Authentik self-host | $3,000 (ops) | $10,000 (ops) | Mostly ops cost; licensing is $0 |

Mid-market profile · 200 employees · 30 apps
| IdP | Year-1 | 3-year cumulative | Notes |
|---|---|---|---|
| Entra ID P1 (added on) | $14,400 | $48,000 | If not already on M365 E3 |
| Okta Core Essentials | $33,600 | $130,000 | Tier upgrade to Essentials in year 2-3 typical (+$8K/yr) + audit upgrade |
| JumpCloud full stack | $31,200 | $108,000 | Module additions in year 2-3 (e.g. PAM) push cumulative higher |
| Auth0 (B2B Enterprise) | $17,000 | $95,000 | MAU growth + tier upgrade for advanced features |

Enterprise profile · 1,500 employees · 60 apps
| IdP | Year-1 | 3-year cumulative | Notes |
|---|---|---|---|
| Entra ID P2 (M365 E5 already) | $0 | $0 | If M365 E5 is the standard |
| Entra ID P2 standalone | $162,000 | $540,000 | If not on E5 |
| Okta Workforce Identity Cloud | $250,000+ | $900,000+ | Quote-only; advanced governance, identity threat protection |
| Ping Identity | $200,000+ | $700,000+ | Multi-product bundle typical at this scale |

2. What drives the 30-60% Year-1-to-3-year multiplier
Tier upgrades. Buyers start at the lowest SAML-enabled tier. Within 12-18 months, a security audit, compliance requirement, or feature ask triggers an upgrade to the next tier. Okta's Core Essentials → Essentials → Professional path typically traverses two tiers in 36 months for an engaged customer.
MAU / seat growth. Companies grow. 200 employees becomes 250-280 over 3 years for healthy mid-market companies. For Auth0's MAU model, organic traffic growth compounds the increase.
Audit retention upgrade. The first compliance audit (typically 12-18 months into deployment) reveals that the default retention is insufficient. Upgrading to extended retention adds $8-15K/yr.
Module additions. JumpCloud's modular pricing means modules accumulate. PAM ($5/user/mo), MDM ($3/user/mo), Cloud Directory ($3/user/mo) — buyers add 2-3 modules over 3 years.
Renewal escalation. Most IdP contracts escalate 8-12% annually unless contractually capped. Compounding over 3 years adds 18-25% over the Year-1 rate.
3. How to budget more accurately
- Budget Year-1 at the SAML-enabled tier (not the headline / cheapest tier).
- Add 30-40% to 3x Year-1 for typical compounding (tier upgrades + retention + module additions + escalation).
- Add 50-60% for usage-based-pricing IdPs (Auth0) where MAU growth is uncertain.
- Negotiate a contractual escalation cap at signing — most IdPs will cap at 5-7% if asked.
- Budget migration cost on exit as a 4th-year line item even if you don't plan to migrate — the ability to exit has real option value.