Businesses have been using Okta as an identity and access management (IAM) solution with crucial compliance features like SSO, MFA, and lifecycle management. Although Okta’s upfront cost is low, there are other costs to consider, such as implementation, training, maintenance, and more. But most importantly, you’ll likely need to upgrade your software and/or your SaaS subscriptions — this post explores what this means for businesses and IT admins.
Businesses need to consider all the factors affecting the true cost of Okta, in order to make an informed decision.
Decoding Okta’s Pricing Model
The Okta pricing model is modular, with each service incurring an additional cost. Although this provides flexibility, determining the exact cost for your specific needs can prove difficult. The average per-user cost will typically fall somewhere between $12 and $18 per month, but this can vary depending on the size and needs of your organization.
For example, Okta’s pricing tiers include different features with their own prices:
Single Sign-On (SSO): $2 per month per user; $5 per month per user for “adaptive SSO”
Multi-Factor Authentication (MFA): $3 per month per user; $6 per month per user for “adaptive MFA”
Lifecycle Management: $4 per month per user
API Access Management: $2 per month per user
Identity Governance: Between $9 and $11 per month per user (depending on the amount of included flows)
There are also multiple hidden costs when using Okta. For instance, some SaaS vendors charge a premium to connect a third-party SSO provider — known as the “SSO tax.” Also, the time and complexity involved in setting up and maintaining Okta’s features may add to the overall cost.
To illustrate the true cost of Okta, we’ll look at a fictional case study of a company — Dev Inc. — and explore how the costs stack up, then we’ll explore the non-monetary costs associated with using Okta, such as increased complexity in provisioning and deprovisioning processes, and the sunk cost fallacy.
Understanding Okta: An Overview of SSO, SCIM, and SAML
It’s crucial to understand some essential concepts related to IAM, like SSO, SCIM, and SAML, before delving deeper into Okta’s pricing. If you’re already familiar with these terms, feel free to skip to the next section.
If not, here’s an overview of the three technologies:
Single Sign-On (SSO) is a user authentication service allowing the use of one set of login credentials to access multiple applications, eliminating the need to remember multiple passwords and reducing the risk of password theft.
System for Cross-domain Identity Management (SCIM) is a protocol for the automated provisioning and deprovisioning of user identities across different systems and applications. This can save organizations time and resources by eliminating the need for them to manually manage user identities in each system.
Security Assertion Markup Language (SAML) is an XML-based standard allowing for authentication and authorization data to be exchanged between different systems. This can be used to implement SSO, as well as other security features like multi-factor authentication.
How do SSO, SCIM, and SAML work with Okta?
Okta is an IAM solution that supports SSO, SCIM, and SAML. This allows organizations to use Okta to simplify user authentication, automate user provisioning and deprovisioning, and implement other security features.
For example, Okta can be used to implement SSO for a variety of applications, including Salesforce, Slack, and Notion, allowing users to log in to all of these applications with a single set of credentials. Okta can also be used to automate user provisioning and deprovisioning for these applications via SCIM, so that user identities are automatically added and removed from Okta when they are added or removed from the organization.
SSO, SCIM, and SAML can be valuable tools for managing user identities and access, but each has its own set of limitations. For example, SSO does not handle authorization — which determines what access an authenticated user has — meaning that organizations may need to implement additional security measures to properly control user access.
SCIM, on the other hand, can be complex to set up and maintain. Additionally, not all applications support SCIM, which can lead to inconsistencies in user identity data across different systems.
Finally, SAML is a complex standard that can be difficult to implement correctly. Misconfigurations can lead to security vulnerabilities, and debugging SAML issues can be challenging, due to the standard’s complexity.
SSO, SCIM, and SAML are important tools; however, it’s important to consider their limitations before implementing them.
Okta Pricing: Beyond the Sticker Price
One of the biggest hidden costs of Okta is the “SSO tax.” This is a premium that some SaaS vendors charge for customers to connect their SSO provider. This can significantly increase the cost of your SaaS subscriptions, making SSO prohibitively expensive for smaller organizations.
How the “SSO Tax” Affects Your SaaS Budget
Let’s say you’re using a SaaS tool that costs $10 per user per month. If the vendor charges an additional $4 per user per month to use your SSO provider, you end up paying an SSO tax of 40%. When you multiply this by the number of SaaS tools and then by the number of users in your organization, the costs can quickly add up. It’s also important to mention that the SSO tax can be anywhere between 15% and 6,000% percent. Although 6,000% may be on the extreme end, it’s not uncommon to see at least a 100% increase from the original price.
In addition to the SSO tax, some vendors offer SSO and SCIM only with their more expensive enterprise plans, effectively locking you into higher-priced subscriptions.
But you’re not only paying more for your SaaS subscriptions. To use SCIM with Okta, you’ll also need to buy the Lifecycle Management product for $4 per month per user — this is a crucial feature for organizations that want to automate user provisioning and deprovisioning.
The True Cost of Okta: A Fictional Case Study
To fully understand the true cost, let’s explore what it would cost for the fictional company, Dev Inc.:
Mid-sized tech company with 100 employees.
Uses 80 SaaS tools.
Logins managed in Google Workspace.
Aims to automate user provisioning and deprovisioning.
Requires IGA, due to SOC 2 Type 2 certification.
First of all, let’s establish the cost of Okta itself.
At this stage, the cost would be $16 per user per month, or $19,200 annually for Dev Inc.
But, this post is about the true cost of Okta, which really adds up when you consider the SSO tax. Here’s a table of examples, based on some of the most widely used SaaS tools:
As you can see, the additional costs for just these five tools add up to $72,900, bringing the total cost so far to $92,100 annually.
However, if we assume that 40 tools — half of Dev Inc.’s toolset — have to be managed through Okta, with an average annual cost of $5,000 (which is on the low end), the true cost of Okta for Dev Inc. is $219,200. This is more than 10 times the sticker price of Okta, and there’s a high likelihood of your cost being even higher.
Non-Monetary Costs and the Sunk Cost Fallacy
The “sunk cost fallacy” is a common cognitive bias, referring to situations where individuals or organizations continue a behavior (or endeavor) because of previously invested resources, even if it’s no longer the best course of action. These ‘resources’ may be one of or a combination of:
Time
Money
Effort
For example, you might spend a significant amount of time and resources setting up Okta, integrating it with your existing systems, only to discover later that another IAM solution would be more cost-effective or better suited to their needs. But you might be reluctant to switch because of the resources you’ve already invested in Okta.
Mitigating the Limitations of SSO and SCIM
While SSO and SCIM can offer numerous benefits, they’re not without their limitations. For instance, SSO handles only authentication, not authorization, which means managing access permissions is still a manual task. Although this is in part solved by SCIM, by automating the exchange of user identity data, it still requires a large number of engineering hours to set up and maintain.
One possible solution is to stick with Google Workspace, adding a specific tool for provisioning and access requests/approvals. This can provide the core features of an IdP without the complexity and cost of a more comprehensive solution like Okta — mitigating the limitations of SSO without replacing SSO.
