Identity Provider Licensing: Okta vs Entra vs Ping

Okta, Microsoft Entra and Ping Identity each price identity on a different model — modular per-user suites, bundled estate, and high-minimum commitments. The cheapest list price almost never produces the lowest total cost. This comparison maps the three models, the hidden lines, and the levers that strip 20–40% from an identity contract.

Three Pricing Models, One Decision

Identity provider licensing is hard to compare because the three dominant platforms do not price the same thing the same way. Okta sells identity as a stack of modular per-user subscriptions; Microsoft Entra bundles identity into the wider Microsoft 365 estate so the marginal cost looks like zero; and Ping Identity quotes a low headline per-user rate behind a high minimum commitment. Comparing the sticker prices — $6, $9 and $3 a user — tells you almost nothing about which contract is cheapest at your scale. As with every layer of the cloud security stack, the model matters more than the rate.

The table below sets the three platforms on a common footing: entry rate, the realistic enterprise tier, and the structural catch that distorts the headline number.

| Platform | Entry Rate | Enterprise Tier | Structural Catch |
|---|---|---|---|
| Okta | Starter $6/user/mo | Essentials $17/user/mo | Governance, lifecycle, PAM each add up per user |
| Microsoft Entra | Free in M365 | P2 $9 / Entra Suite $12/user/mo | Governance not in E5 — paid uplift |
| Ping Identity | Workforce $3/user/mo | Workforce Plus $6/user/mo | 5,000-user minimum ≈ $180k/year floor |

Okta: Modular Suites and the Add-On Stack

Okta's Starter Suite begins at $6 per user per month and the Essentials Suite at $17, but the headline tiers are the start of the bill, not the end. Okta licenses Single Sign-On, Adaptive MFA, Universal Directory, Lifecycle Management, API Access Management and Identity Governance as separable lines, and the capability most enterprises actually want — governance and joiner-mover-leaver automation — sits in Okta Identity Governance at roughly $4–$11 per user per month on top of the base suite. Verified purchase data puts the median Okta customer at about $43,840 a year with an average negotiated discount of only 14% off list, which tells you most buyers accept the modular stack without challenging it. Map the modules you will genuinely deploy in year one and refuse to commit term on the speculative ones; the same discipline we apply to zero trust module creep applies directly to the Okta add-on menu.

The most common Okta mistake is buying the Essentials or Professional suite for governance the enterprise already owns through Microsoft 365 E5 — paying twice for conditional access and lifecycle automation that Entra P2 already enforces inside the estate.

Microsoft Entra: The Bundled Estate

For Microsoft-centric enterprises, the strongest identity position is usually already paid for. Entra ID Free ships with any Microsoft 365 subscription, and Entra P2 — which carries Identity Protection and risk-based conditional access — is included in Microsoft 365 E5 at no incremental cost, versus $9 per user per month standalone. The catch buyers miss is that identity governance is not in E5: full lifecycle workflows, access reviews and entitlement management require the Entra ID Governance add-on at $7 per user per month, the Entra Suite at $12, or the new Microsoft 365 E7 (generally available 1 May 2026), the first plan to bundle the complete Entra Suite. The decision is rarely Entra versus Okta in isolation — it is whether the Microsoft estate already funds the identity layer, a question that sits inside the broader Microsoft commercial relationship and the wider shared responsibility the contract assigns you.

Ping Identity: Low Rate, High Minimum

Ping publishes the lowest per-user rate of the three — PingOne for Workforce Essential at $3 per user per month — but the number is gated behind a 5,000-user minimum, which floors the annual commitment at roughly $180,000 regardless of how many users you actually onboard. Workforce Plus lists at $6 per user per month, and Ping's customer identity (CIAM) line starts at about $35,000 a year for Essential and $50,000 for Plus, with MAU-based pricing quoted only on application. For enterprises above 10,000 workforce users Ping is genuinely competitive, and large deployments land between $200,000 and $1,000,000 in annual contract value, but the minimum makes it an expensive choice for a mid-sized estate. Professional services and add-on modules routinely account for 20–40% of first-year cost — a line that belongs inside the licence negotiation, not a follow-on statement of work.

The SSO Tax Nobody Quotes

The largest hidden cost in an identity programme is not the identity provider at all — it is the SSO tax levied by the downstream applications you connect. Many SaaS vendors gate SAML and SCIM provisioning behind their most expensive tier, so enabling single sign-on across the portfolio can add 15% to more than 100% of each application's base cost. A 100-person estate running 80 SaaS tools can see a true identity cost climb past $220,000 once those upstream upgrades are counted, against a $20,000 sticker for the identity licence itself. Inventory which applications charge for SSO before you choose a platform, because that downstream bill dwarfs the per-user rate and is identical whichever provider you pick. The principle mirrors the duplicated-capability mapping in our CASB licensing analysis and the consolidation discipline behind any serious cloud contract framework.

Workforce vs Customer Identity: Two Different Contracts

Enterprises routinely conflate two products that price on entirely different units. Workforce identity covers employees and contractors and is priced per named user — Okta Essentials at $17 per user per month, Entra P2 at $9, Ping Workforce from $3 behind its 5,000-user minimum. Customer identity (CIAM) covers external users and is priced per monthly active user, where consumption is unpredictable and a marketing campaign or seasonal spike can multiply the bill overnight. Ping's customer line starts at roughly $35,000 a year for Essential and $50,000 for Plus, with MAU pricing quoted only on application, and Okta and Microsoft both run separate CIAM SKUs (Auth0 and Entra External ID) priced on MAU rather than seats.

The contract risk in CIAM is the MAU definition itself: whether an active user is counted once a month or once per authentication, whether dormant accounts drop off the count, and how a traffic spike is billed all swing the cost by a wide margin. Negotiate a clear MAU definition, a burst allowance, and a true-down right before signing a customer-identity contract, because the meter, not the per-unit rate, decides the bill — the same metric discipline that governs the vulnerability management asset count. Never let a workforce quote and a CIAM quote be bundled into a single undifferentiated per-user number; they are different risks and should be priced and committed separately.

Negotiation Levers That Work

The first lever is the bundled-estate alternative. Microsoft-heavy buyers should price the Entra Suite as a credible substitute and make clear they will fund identity through the Microsoft agreement rather than a standalone vendor; that single comparison resets an Okta or Ping quote faster than any volume argument. The second lever is the multi-year commitment: 24–36 month terms unlock 15–30% off list, and enterprise deals above 1,000 users reach 20–40%, with Ping buyers above 10,000 users at the top of that band. Commit term only on the modules you will deploy and keep governance, PAM and CIAM add-ons on annual flexibility. The third lever is owned-capability mapping — every control you can demonstrate you already licence through Entra P2 or your endpoint platform is a module you decline to pay for twice, the same logic that governs the rest of the security stack, from SIEM to endpoint to cloud WAF. To benchmark your identity provider licensing against current market rates, request a confidential briefing or read our price benchmarking research.

Common Questions

Identity Provider Licensing: FAQ

Is Microsoft Entra really free if we have Microsoft 365?

Entra ID Free is bundled with any Microsoft 365 subscription, and Entra P2 is included in Microsoft 365 E5 at no incremental cost. But identity governance is not in E5 — it requires the Entra ID Governance add-on at $7 per user per month, the Entra Suite at $12 per user per month, or the new Microsoft 365 E7 (generally available 1 May 2026). The free tier is real for SSO and basic MFA; the governance and lifecycle capability that competes with Okta is a paid uplift.

How does Ping Identity pricing compare to Okta and Entra?

Ping's PingOne for Workforce Essential lists at $3 per user per month — the lowest published per-user rate — but it carries a 5,000-user minimum, committing you to roughly $180,000 a year regardless of actual headcount. Okta's Essentials Suite is $17 per user per month, and Entra P2 is $9 standalone or free inside Microsoft 365 E5. The lowest sticker price rarely produces the lowest total cost once minimums and bundles are factored in.

What is the SSO tax and how does it affect identity costs?

The SSO tax is the premium downstream SaaS vendors charge to enable third-party single sign-on, often gating SAML or SCIM behind an enterprise tier. It can add 15% to over 100% of a tool's base cost across your application portfolio, so the true cost of an identity programme includes the SSO upgrades it forces on every connected app — not just the identity provider's per-user fee.

What discount is achievable on Okta or Ping enterprise contracts?

Multi-year commitments of 24–36 months typically unlock 15–30% off list, and enterprise deals above 1,000 users on three-year terms reach 20–40%. Ping buyers above 10,000 users routinely achieve 20–40% off, with professional services and add-on modules accounting for 20–40% of first-year cost — a line that should be fixed-scope and negotiated inside the licence deal, not after.
