The Okta Tax: How Much Are You Really Paying for Identity?
authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Keycloak, and Ping. Authentik Security is a public benefit company building on top of the open source authentik project.
When organizations evaluate Identity and Access Management (IAM) solutions, there are a lot of dimensions to consider: product capabilities, reliability, customer support, operational complexity, compliance, and more.
Practically, one major consideration for any organization considering an enterprise rollout is the total cost of ownership. And unfortunately, the "sticker price" is rarely the full story.
Once you add up the common real-world requirements for a modern Identity Provider (adaptive security, API access, support for both workforce and customer identities) and the operational cost of integrating the platform, the true total cost can be substantially higher than expected.
At Authentik Security, we have a lot of conversations with customers who initially compare Okta's base "$X/user/month" price to our own Enterprise pricing when considering the cost of a new rollout. We have just as many conversations with long-time Okta users - those looking to migrate away from Okta - who have often found the true cost of ownership to be many multiples of their original quoted starting price.
Any sufficiently large enterprise contract will likely include some custom terms and volume discounting from any vendor, so the following is not meant to be an exact dollar-for-dollar comparison that can apply to any situation. But given the unexpected Okta pricing journey we've heard from many disgruntled customers over time, I felt it was worth attempting a fair comparison of costs in more detail than might be easily gleaned from a pricing page.
Let's break it down by category:
Okta Product Pricing: Base Cost + Add-Ons
Workforce Identity (Employees, Contractors)
On Okta's current pricing page, the Workforce Identity suite pricing is currently structured as per-user, per-month with annual billing:
- Starter: $6/user/month
  - Includes SSO, MFA ("upgrade available"), Universal Directory, and 5 workflows.
- Core Essentials: $14/user/month
- Essentials: $17/user/month
  - Adds Adaptive MFA, Privileged Access, Lifecycle Management, Identity Governance, and up to 50 workflows.
- Professional: pricing by quote.
  - Adds Device Access, Threat Detection, up to 2 Security Posture Management integrations, and unlimited workflows.
- Enterprise: pricing by quote.
  - Adds API Access Management, Secure Partner Access, Access Gateway.
As "Starter" would imply, basic security capabilities like adaptive MFA are not included in the basic plan. And these tiered suites mask a deeper reality:
Feature-by-Feature Pricing
Many key IAM capabilities, like adaptive security, API protection, identity governance, workflows, and lifecycle management, are only included at higher tiers or via optional add-ons. Third-party estimates for standalone feature pricing (outside the suite bundles) suggest:
- SSO: $2-$4/user/month
- Adaptive MFA: $3-$6/user/month
- Universal Directory: $2/user/month
- Lifecycle Management: $4-$8/user/month
- Identity Governance: $9-$15/user/month
Put together, a mid-sized organization wanting SSO + MFA + full lifecycle automation + identity governance could easily be paying $18-$25 per user per month, even before adding more 'advanced' functionality such as API security or device access.
Customer Identity (CIAM)
Auth0, Okta's Customer Identity platform, is entirely separate from Okta's Workforce Identity and is priced separately. There is too much complexity here to summarize in a single post, but a few points are worth mentioning when comparing Auth0's Essential, Professional, and Enterprise plans:
- Fees scale with Monthly Active Users (MAUs) and API usage, which can often mean multiple thousands of dollars more per year depending on volume and features.
- For a 99.99% SLA, you must be on a custom Enterprise plan.
- Machine-to-machine tokens and adaptive MFA are separate add-ons.
The total base cost is often the first shock for organizations expecting simple per-MAU billing, but what surprises customers later is the API rate limits and the growing cost of reading and updating their own user data at scale.
While this next point is anecdotal, we have also had many customers come to us from Auth0 stating a surprise 3x or 4x hike upon their Auth0 renewal, causing them to seek alternatives and attempt a rushed migration. These same customers have often already spent many engineering hours working around Auth0's API limits in an attempt to keep growing usage bills at bay.
Auth0 and Dual-Stack Complexity
Even though Okta now owns Auth0, the products remain separate. Customers have to learn and run two different systems with separate configs, dashboards, IAM flows, documentation, and operational overhead. This also means additional compliance, reporting, and maintenance burdens.
When Okta Doesn't Do Enough: Integration and Extension Costs
While Okta has a broad set of prebuilt integrations, the inevitable edge cases push teams toward higher-tier plans in the best scenario, and more often toward building and maintaining their own custom integrations and extensions to get the data they need. This is the predictable outcome of a closed SaaS product that meters API requests to your own data, or in many cases does not expose the needed API endpoints at all.
Custom Workflows and Add-Ons
Okta Workflows, which are used for process automation, are limited in the Starter tier and often require costly higher-tier licenses to unlock substantial capacity. While automation and infrastructure as code are essential for a good security posture, customers are left with either very limited capabilities or costly add-ons for scaling their process automation.
APIs, SDKs, and Limits
Using Okta's APIs for provisioning, SCIM, or custom login flows isn't typically included in basic tiers. For example, automated onboarding/offboarding via SCIM is only available at an enterprise tier, forcing manual processes or custom scripts if you stay at a lower level.
Building Missing Features Yourself
As we help enterprises migrate from Okta, we have often found a collection of internal services that they have needed to create and maintain to fill Okta's functionality gaps. For example:
- A database of user attributes or entitlement policies not natively supported.
- Customized audit event aggregation.
- Adaptive logic that Okta's built-in options can't express.
- Custom feature extensions when an Okta integration doesn't provide the required functionality.
These tools cost engineering time, documentation, and long-term maintenance, none of which are counted in the vendor price, but are very real budget items.
The Operational Hidden Costs: Beyond Subscription Fees
Maintenance Overhead
Managing Okta as a service and Auth0 for an organization's end customers often means:
- Two IAM admin teams
- Separate dashboards, logs, and ticket processes
- Double the documentation, training, and compliance reports
Engineering and security team time adds up. Even a conservative estimate, two admins each spending ~10 hours/month on maintenance and updates, works out to thousands or tens of thousands of dollars annually in direct headcount time alone.
Manual Deployments versus Infrastructure as Code
Okta's console is largely manual, even for complex identity flows. Configuring policies by hand instead of through Infrastructure as Code means more time spent on every change, no versioned and reviewable record of who changed which policy, and a repeated opportunity for human error in policy configuration, which costs time at best and produces far more costly security misconfigurations at worst.
Service Outages and Business Risk
Outages and degradations of Okta services can mean your entire organization's access collapses and business grinds to a halt. This risk isn't priced in, but it's real and can cost tens or hundreds of thousands of dollars if services become unreachable. A 99.99% "guaranteed uptime" still permits complete unavailability for roughly 53 minutes (52.6, to be exact) each year, not counting partial degradations, and the timing of that downtime is entirely out of your organization's control.
How authentik's Pricing and Model Compare
authentik offers both open source and paid enterprise plans:
- Open Source - free forever: all core IAM capabilities - OIDC, SAML, SCIM, LDAP, RADIUS, adaptive MFA, advanced policies, M2M and service accounts, and full API access - are available at no cost. No limits on access, number of users, or automations.
- Enterprise Self-Hosted: $5/internal user/month + $0.02/external user/month. Includes additional integrations and compliance features.
- Enterprise Plus: FIPS compliance checks, invoicing and custom contracting, and volume discounting for larger enterprise customers.
Both workforce and customer identities live in the same platform, removing the need to purchase, learn, and maintain two separate systems.
The costs of creating and maintaining separate services to extend functionality are avoided thanks to built-in functionality like source property mapping, custom expression policies, and API endpoints for everything. The API and Terraform provider help support Infrastructure as Code setups, avoiding the cost of error-prone manual configuration.
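As an added illustration of the Infrastructure as Code point (example code written for this page, not taken from the authentik project or its documentation), the following Terraform configuration uses the goauthentik/authentik provider to declare an OIDC application for a hypothetical Grafana deployment and gates it with an expression policy that only admits members of a named group. The hostnames, client ID, group name and slug are placeholders. Resource and attribute names follow the provider's schema for recent authentik releases; the `invalidation_flow` attribute and the object form of `allowed_redirect_uris` are what newer provider versions expect (older versions take a plain `redirect_uris` string list), so verify them against the provider version you pin.

```hcl
terraform {
  required_providers {
    authentik = {
      source = "goauthentik/authentik"
    }
  }
}

# Placeholder URL; the API token is supplied via TF_VAR_authentik_token,
# never committed to source control.
variable "authentik_token" {
  type      = string
  sensitive = true
}

provider "authentik" {
  url   = "https://authentik.example.com"
  token = var.authentik_token
}

# Reuse the default flows that ship with authentik instead of hand-building them.
data "authentik_flow" "authorization" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "invalidation" {
  slug = "default-provider-invalidation-flow"
}

# Group whose members are allowed to reach the application (placeholder name).
resource "authentik_group" "grafana_users" {
  name = "grafana-users"
}

# OIDC provider for the hypothetical Grafana deployment.
resource "authentik_provider_oauth2" "grafana" {
  name               = "grafana"
  client_id          = "grafana"
  client_type        = "confidential"
  authorization_flow = data.authentik_flow.authorization.id
  invalidation_flow  = data.authentik_flow.invalidation.id
  # Strict matching: no wildcard redirect targets.
  allowed_redirect_uris = [
    {
      matching_mode = "strict"
      url           = "https://grafana.example.com/login/generic_oauth"
    }
  ]
}

# The application users see; "all" means every bound policy must pass.
resource "authentik_application" "grafana" {
  name               = "Grafana"
  slug               = "grafana"
  protocol_provider  = authentik_provider_oauth2.grafana.id
  policy_engine_mode = "all"
}

# Expression policy (Python-style snippet evaluated by authentik):
# deny access unless the requesting user is in the group above.
resource "authentik_policy_expression" "grafana_group" {
  name       = "grafana-require-group"
  expression = <<-EOT
    return ak_is_group_member(request.user, name="grafana-users")
  EOT
}

# Bind the policy to the application so it is enforced at authorization time.
resource "authentik_policy_binding" "grafana_group" {
  target = authentik_application.grafana.uuid
  policy = authentik_policy_expression.grafana_group.id
  order  = 0
}
```

Because the group check lives in a policy binding under version control rather than a checkbox in a console, granting another team access becomes a reviewed pull request, and `terraform plan` shows exactly which policy, flow or redirect URI a change touches before it is applied.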
Infrastructure Costs for Self-Hosting
Self-hosting does mean paying directly for compute, storage, and network usage. Most larger organizations will have their own discounted cloud provider contracts in place or may even host on-prem. However, a generic, very conservative example using AWS for an installation that easily handles 80+ concurrent logins at any time could be:
- 2 x c7g.2xlarge instances (for high availability): ~$260/month
- RDS database instance - db.m6gd.large (for storage and config): ~$200/month
- Load balancer + Networking: ~$20/month
So a production-ready authentik setup might cost ~$480/month on AWS ($5,760/year). For comparison, 500 users on the $17/user/month Essentials tier alone is $8,500/month before any add-ons. The self-hosted figure moves in both directions: a Multi-AZ database or multi-region redundancy pushes it up, while reserved-instance or multi-year pricing and an auto-scaling Kubernetes cluster push it down. Crucially, it is also a far more predictable cost over time, since it scales with infrastructure rather than with user count or API calls.
How to Have Reliable IAM
What if you need the highest reliability and availability possible - for instance, to continue with critical business functions as usual even when your IAMaaS provider has a service disruption or outage?
Your only option to improve on Okta's reliability would be to add (and pay for) a separate, second identity provider, and potentially another separate "identity orchestration" layer. With authentik, some of our customers choose to host in the cloud with an on-prem failover, and most of our larger rollouts choose to set up multi-region deployments so that even if an entire cloud provider region goes down, their identity provider can continue to provide service.
The Total Cost Tradeoff
| Cost Component | Okta SaaS IAM | authentik (Self-Hosted) |
|---|---|---|
| Base IAM Fees | Often $6–$17+/user/mo | Free (OSS) / $5/user/mo |
| CIAM Base | $3,000+/month | ~$0.02/external user/mo |
| Add-Ons (MFA, API, Workflows) | Add'l $ per user / bundle | Included |
| Workforce + CIAM | Two separate systems | One unified system |
| Engineering Time | Manual & split between tools | Automated IaC & unified |
| Cloud Hosting | N/A | AWS recurring cost |
| Risk of Outages | Dependent on provider SLA | Self-managed redundancy |
In practice, Okta's base subscription is only the starting point. Okta's subscription costs + feature add-ons + dual-system overhead + operational effort often far exceed initial expectations by as much as 2-3x. The Okta Tax becomes a recurring, opaque expense that shows up in your bill, your backlog, and your team's time.
Conclusion
The Okta Tax - the combination of per-feature billing, separate customer identity pricing, internal extension costs, dual system maintenance, and operational overhead - can dwarf initial per-user quoted prices.
By contrast, authentik's economics are straightforward: an open source core, modest all-inclusive per-user pricing, combined workforce and CIAM support, full access to a flexible and automatable platform, and a single self-hosted stack that can be deployed anywhere. Together, these offer a significantly lower cost for your team.
When choosing between them, the right comparison isn't sticker price but total cost of ownership: base fees plus the all-in cost of required features, engineering time, systems complexity, reliability and risk. Looking at that whole picture is what makes for the best long-term decision.
