Text PJ · 858-461-8054
Operator-honest · Siren-based ranking · 2026-05-11

Okta · Auth0 (Okta) · OneLogin (One Identity) · Ping Identity · Microsoft Entra ID · JumpCloud · Saviynt.
One question: which one is right for your stage?

Honest 7-way comparison of enterprise IAM vendors on pricing, TCO, and per-seat economics (Okta · Auth0 · OneLogin · Ping · Microsoft Entra · JumpCloud · Saviynt). No vendor sponsorship. The Calling Matrix by buyer persona is below: the operator's siren-based read on which one to pick when you're forced to pick.

The 7 platforms · what each is actually best at.

Honest read on positioning, ideal customer, and where each one is the wrong call. No vendor sponsorship, no affiliate links — operator-grade signal.

1. Okta · Public · Enterprise IAM market leader

Enterprise per-seat tiered pricing — the default IAM line item on the CFO's spreadsheet. Tiered SKUs (SSO · Adaptive MFA · Lifecycle Management · Identity Governance) stacked on top of each other. List pricing is published but real deals are negotiated; expect $6-15/user/mo for SSO+MFA, climbing fast as you add Lifecycle and Governance.

✓ Strongest at: Broadest app integration network (7,000+), procurement-defensible, mature enterprise support SLA, deep partner ecosystem.
✗ Wrong for: Sub-100-employee shops without a dedicated IT/security buyer. Teams that don't need the full SKU stack (you'll still pay platform fees).
Pick Okta if: you're at 500+ seats, need broad SSO coverage, and procurement wants the market-leader brand on the contract.

2. Auth0 (Okta) · Acquired by Okta · CIAM-first per-MAU pricing

Separate per-MAU pricing model — built for customer identity, not workforce. Free tier covers small dev projects, then ramps by Monthly Active Users + feature tier (B2C Essentials → Professional → Enterprise). Workforce SSO exists but Okta Workforce Identity is the sibling product — Auth0 is the CIAM rail.

✓ Strongest at: Customer-facing auth (login, MFA, social logins) at scale, developer DX, broadest IDP integration list for end users.
✗ Wrong for: Internal workforce SSO (use Okta Workforce or Entra). Tight budgets at high MAU counts, where the bill scales fast past 10K MAU.
Pick Auth0 if: you need CIAM (customer identity) and per-MAU economics fit your funnel.

3. OneLogin (One Identity) · Acquired by One Identity · per-seat enterprise pricing

Per-seat enterprise pricing with simplified tiers — the leaner alternative to Okta. Advertised list pricing typically lower than Okta at equivalent SKU. Tiers: Starter / Advanced / Professional, with SSO + MFA + Directory included earlier in the stack.

✓ Strongest at: Mid-market price-sensitive buyers who want enterprise IAM features without Okta's price tag, simpler SKU bundling.
✗ Wrong for: Bleeding-edge integration needs (smaller app catalog than Okta). Buyers who need a Gartner-leader brand on the contract.
Pick OneLogin if: you want Okta-class IAM at lower per-seat cost and can live with a smaller integration catalog.

4. Ping Identity · Private (Thoma Bravo) · enterprise sales motion

Custom pricing typical — quote-driven enterprise sales motion, no public per-seat list. Modular product stack (PingOne · PingFederate · PingAccess · PingID · PingDirectory) sold à la carte or bundled. Strong in regulated verticals (financial services, healthcare, government).

✓ Strongest at: Hybrid on-prem + cloud deployments, regulated industries with deep customization needs, federation-heavy environments.
✗ Wrong for: Small companies that need transparent pricing. SaaS-only stacks (you're paying for hybrid/on-prem capability you won't use).
Pick Ping if: you're a regulated enterprise with hybrid identity needs and your procurement team likes negotiated contracts.

5. Microsoft Entra ID · Bundled with M365 · 'free' if you have E3/E5

Bundled with M365 (P1/P2) — effectively 'free' if you already have E3/E5 licenses. Entra ID Free comes with every Azure/M365 tenant. P1 (~$6/user/mo standalone, included in M365 E3) unlocks SSO to non-MS apps + conditional access. P2 (~$9/user/mo standalone, included in E5) adds Identity Protection + PIM. The 'free' framing is real for shops already on E3/E5; standalone it's competitive with Okta.

✓ Strongest at: Microsoft-shop default, zero net-new cost if you have E3/E5, deep Azure/M365 integration, Conditional Access maturity.
✗ Wrong for: Non-Microsoft stacks (you'll fight integrations). Buyers who don't have E3/E5 already (standalone Entra is competitive but no longer 'free').
Pick Entra ID if: you have M365 E3/E5 — the marginal cost is near zero and the capability is enterprise-grade.

6. JumpCloud · Private · per-user with device management bundled

Per-user pricing with cross-platform device + identity included — the SMB-to-mid-market sweet spot. Single per-user fee bundles SSO + MFA + Directory + MDM (Mac/Windows/Linux device management) + RADIUS. Often replaces 3-4 vendors at 10-20 person shops. Tiered packages around $9-19/user/mo all-in.

✓ Strongest at: SMBs and mid-market replacing AD + Jamf + Okta + RADIUS with one bill, cross-platform device fleets, lean IT teams.
✗ Wrong for: Large enterprises that need IGA/PAM depth (Saviynt/SailPoint/CyberArk territory). Heavy on-prem AD migration shops with deep AD dependencies.
Pick JumpCloud if: you're 20-500 employees, want one bill for identity + device, and don't need full IGA/PAM.

7. Saviynt · Private · enterprise IGA-tier pricing — highest end

Enterprise sales · IGA-tier pricing · the highest-end of this list. Identity Governance & Administration platform — access certifications, segregation of duties, privileged access governance, SOX/SOC 2/HIPAA workflows. Six-figure annual contracts are normal; sold to CISOs and identity governance teams, not IT admins.

✓ Strongest at: Identity governance at scale (5,000+ employees), regulated industries needing audit-defensible access certifications, complex SoD requirements.
✗ Wrong for: Anything under 1,000 employees. Teams that need basic SSO/MFA (use Okta/Entra/JumpCloud — Saviynt sits above them).
Pick Saviynt if: you're 5,000+ employees in a regulated vertical and your auditors require formal IGA workflows.

The Calling Matrix · siren-based ranking by who you are.

Most comparison sites refuse to force-rank because their revenue depends on staying neutral. SideGuy ranks because it doesn't take vendor money. Here's the call by buyer persona.

🌱 If you're a Startup under $10/user/month IAM budget

Your problem: You're a 20-person startup. You can't afford Okta's enterprise tier. You need SSO + provisioning + MFA without a $50K/yr line item before product-market fit.

  1. JumpCloud — per-user bundles SSO + MFA + device management — often $9-15/user/mo all-in
  2. Microsoft Entra ID — if you already have M365 Business Premium, P1 is bundled — effectively free for IAM
  3. OneLogin — starter tier is the price-sensitive Okta alternative
  4. Okta — Workforce Identity Starter exists but list pricing climbs fast past basic SSO
  5. Auth0 — wrong product — CIAM not workforce; only relevant if you also need customer login
If forced to one pick: JumpCloud — one bill for identity + device + MFA at the lowest realistic per-seat all-in.

📈 If you're a Series B / scale-up at $10-25/user/month IAM budget

Your problem: You're 100-500 employees. You can spend on identity but per-seat math is real. You need an IDP that scales to 500+ apps without per-app fees that explode the bill.

  1. Microsoft Entra ID — P1 ($6/user/mo standalone or bundled in E3) covers most scale-up needs at the lowest marginal cost
  2. Okta — Workforce Identity SSO + Adaptive MFA fits — verify per-app fees aren't in your SKU
  3. JumpCloud — still viable up to ~500 if device management consolidation matters
  4. OneLogin — Advanced tier is the value-tier alternative to Okta at this size
  5. Ping Identity — overkill unless you have hybrid/on-prem requirements at this stage
If forced to one pick: Microsoft Entra ID P1 — best per-seat economics if you're already on M365, scales to 500+ apps cleanly.

🏢 If you're Mid-market at $25-50/user/month IAM budget

Your problem: You're 500-5,000 employees with 200+ SaaS apps. You need governance (IGA), conditional access, lifecycle automation. The math gets to $150K-500K/yr but ROI is real (license recovery + breach risk reduction).

  1. Okta — SSO + Adaptive MFA + Lifecycle Management stack is the mid-market default — negotiate hard
  2. Microsoft Entra ID — P2 (E5-bundled or $9/user/mo) adds Identity Protection + PIM for governance-lite at low marginal cost
  3. Ping Identity — competitive at this size if you have hybrid or regulated-industry requirements
  4. OneLogin — Professional tier is the value play if you can live with a smaller integration catalog
  5. Saviynt — premature unless your auditors are demanding formal IGA workflows now
If forced to one pick: Okta — the mid-market default; pair with Entra P2 if you're already on E5 to cover governance gaps.

🏛 If you're an Enterprise CISO at $50+/user/month IAM budget — total spend $1M+

Your problem: You're 5,000+ employees, multi-BU, regulated industry. You need IGA + PAM + customer IAM in one stack. Cost is secondary to consolidation, audit-defensibility, and 24/7 enterprise support SLA.

  1. Saviynt — the IGA layer for audit-defensible access certifications + SoD at enterprise scale
  2. Okta — Workforce Identity + Identity Governance is the consolidated-vendor play
  3. Ping Identity — strongest in regulated verticals (FS, healthcare, gov) with hybrid/on-prem needs
  4. Microsoft Entra ID — P2 is the foundation if you're an M365 shop — pair with Saviynt for IGA depth
  5. Auth0 — the CIAM rail for customer-facing identity — paired with workforce IDP, not replacing it
If forced to one pick: Okta + Saviynt for workforce IGA, Auth0 for CIAM — the consolidated enterprise stack at this budget tier.
⚠ Operator-honest read

These rankings are SideGuy's lived-data + observed-buyer-pattern read as of 2026-05-11. They're directional, not gospel. The right answer for YOUR specific situation may diverge — text PJ for a 10-min operator-honest read on your actual buying context.

Vendor pricing + features + market positioning shift quarterly. SideGuy may earn referral commissions from some of these vendors, but rankings are independent — affiliate relationships never change rank order.

FAQ · most asked questions.

Is Microsoft Entra ID actually free if I have M365?

Partially. Entra ID Free ships with every Azure/M365 tenant and covers basic user/group management + SSO to a handful of pre-integrated Microsoft apps. To get SSO to non-Microsoft SaaS apps, conditional access policies, and group-based licensing you need Entra ID P1 (~$6/user/mo standalone, bundled in M365 E3 and Business Premium). For Identity Protection + Privileged Identity Management you need P2 (~$9/user/mo standalone, bundled in E5). So 'free' is real if you already have E3/E5 — the marginal cost for IAM is near zero. If you only have M365 Business Basic/Standard, Entra is not actually free for the IAM use case.

What's the typical TCO beyond per-seat license?

Per-seat license is usually 40-60% of true IAM TCO. Add: implementation (6-figure SI engagement for Okta/Ping/Saviynt at enterprise scale, or 1-3 months internal time for JumpCloud/Entra), app integration build-out (every SAML/SCIM connection takes hours, sometimes days for legacy apps), ongoing admin time (1 FTE per ~2,000 users is typical), lifecycle workflow design (joiner/mover/leaver automation), MFA hardware tokens for high-assurance users (~$25-75/key), audit/compliance reporting effort, and renewal-cycle re-negotiation. Triple your per-seat list price as a planning multiplier for year-1 TCO.

Which vendor has the lowest entry-tier?

Three vendors cluster at the low end: JumpCloud (per-user bundles starting around $9-13/user/mo with SSO + MFA + device management included), Microsoft Entra ID (free tier exists; P1 bundled in M365 E3/Business Premium = effectively zero marginal cost if you have those licenses), and OneLogin (Starter tier published as the price-sensitive Okta alternative). For a 20-50 person shop with no existing M365 commitment, JumpCloud usually wins on all-in cost. For shops already on M365 E3/E5, Entra wins because the marginal IAM cost is near zero.

Does pricing change with app count?

Historically yes — Okta charged per-app for some legacy SKUs and a few competitors followed. As of 2026, most vendors moved to per-seat unlimited apps within a tier. But 'unlimited' has caveats: some integrations are gated to higher tiers (e.g. SCIM provisioning for certain apps requires Lifecycle Management SKU, not basic SSO), and custom SAML connections sometimes count separately from the catalog. Always verify before signing: ask for a written line on (1) is the app catalog truly unlimited at this tier, (2) does SCIM provisioning cost extra per app, (3) are custom SAML/OIDC integrations counted, (4) what happens to the price if you double your app count mid-contract.

Stuck choosing? Text PJ.

10-minute operator-honest read on your actual buying context. No deck, no demo call, no signup. If we're not the right fit, we'll say so.

📱 Text PJ · 858-461-8054

I'm almost positive I can help. If I can't, you don't pay.

No signup. No seminar. No bullshit.
