The Customer Identity and Access Management (CIAM) market is estimated to be as large as $8 Billion, and it is becoming more and more common to build the login box for an application by outsourcing to a CIAM vendor. But as the market grows rapidly, cracks are widening in the economics of scale offered by the larger vendors, like Auth0 by Okta.
IdP is shorthand for “identity provider.” It’s a service that manages and verifies user identity on behalf of other applications and websites. One type of IdP you will see regularly is “Login with Google” or “Login with Facebook” on your favorite website; that’s Google or Facebook acting as an IdP, otherwise known as a ‘social login’. But the less obvious, and often more important, IdPs include Microsoft Active Directory, or perhaps even a CRM tool, that stores usernames and passwords. These IdPs are a critical part of the login experience on any app you log into, and in terms of the backend architecture, they are non-negotiable. You will never be doing customer identity, or interacting with a login box, without an IdP in the background.
IdPs are critical for scalability, and can be a general proxy for user growth in your app, whether that means simply adding in more usernames and passwords or mergers and acquisitions that bring in completely separate IdPs. You will generally need more IdPs as you grow and obtain more users.
The Truth About IdP Tax
From a vendor perspective, charging extra for the number of connected IdPs is great business. By definition, they are present in every project involving login, usernames, passwords, or even machine-to-machine connections that only involve APIs.
But from the customer’s perspective, charging extra per IdP equates to an ‘IdP Tax’ hidden behind fancy names like “Enterprise Connections” which sound a bit more involved than a non-negotiable element of logging in. This IdP tax is not only an extra charge for IdPs, it forces you into a separate ‘tax bracket’ of sorts, because in order to get the number of required IdPs, you are forced to buy a plan full of features you don’t need.
Regardless of the size and stage of your business, having an open door to scalability is critical. An IdP tax limits the profit that increased scale could otherwise give to your business.
A Scary Tale of IdP Taxation
Gather round, folks. It’s story time. For security reasons, this company has asked us to avoid sharing their name. But they’re fine with us telling you about the problems that they needed solved. For the sake of the story, we’ll call them Acme.
The Acme company had a challenge. They had a piecemeal authentication solution that they had built themselves. While it was working fine, it was taking time away from their core product. The Acme folks knew that authentication wasn’t their core competency. So they turned to the experts in the auth world for help.
Acme, an education-focused communications platform, required authentication for 8,000 applications across 4,000 customers. Each customer needed separate logins for school staff and parents/students. Their authentication needs included traditional usernames and passwords, biometrics, SMS passcodes, and federated identity via Google and Microsoft.
However, under Auth0’s pricing structure, Acme’s need for multiple IdP connections per application led to projected annual costs exceeding $1 million—an unsustainable expense for a fundamental security feature. In fact, here’s a breakdown of what the costs could look like:
| Feature | Auth0 Cost Estimate | FusionAuth Cost (High Availability cloud hosting, Enterprise plan) |
|---|---|---|
| Base Plan (80,000 Users) | $264,000/year | $68,100/year |
| IdP Connections (8,000) | $1,056,000/year | $0 |
| Total Cost | $1,320,000/year | $68,100/year |
Here’s how we came up with the numbers:
Auth0 B2B Professional plan: $16,500/year, up to 5k MAU. This plan is necessary because of the number of organizations (customers) that Acme will service. Auth0 does not have transparent pricing for the Pro plan beyond 5,000 MAU. The closest that we can get is to take their 10k MAU pricing and multiply it by 16 to reach the 80k that we need. This gives us a total of $264,000 for hosting and features.
Things get a little tricky when it comes to IdP (Enterprise) connections. The B2B Professional plan includes up to five. However, that only works if you’re counting a single connection as working across multiple customers. Given what we see in their user forums, it makes sense that they would instead allow five connections for a single organization (which is how Auth0 refers to customers). That being the case, we would actually need to move to an Enterprise plan. But to keep the comparison apples-to-apples, the best information we can find is that the enterprise connections would cost $11/month per connection (8,000 connections needed for 4,000 customers × 2 each) for a total of $1,056,000.
Nickels and Dimes
From an engineering perspective, once an IdP is integrated into a system, it becomes a “set it and forget it” feature. The initial development effort to support an IdP (whether it’s Google, Microsoft, or any other provider) is a one-time cost. After that, there is little to no ongoing expense for the authentication provider to maintain these connections. So why charge for them?
For businesses like Acme, which require thousands of IdP connections to serve their users across multiple applications, these fees can quickly spiral out of control. Yet on the identity vendor’s side, the IdPs don’t cost a single extra dollar to connect (especially when the vendor isn’t even the one hosting them!). Other companies with sustainable balance sheets do exist that include IdPs as part of their core offering, proving that, from a vendor-cost perspective, charging for table-stakes IdPs is simply unnecessary.
Tax Season is Here
Unfortunately, in the broader SaaS industry, there is some evidence that the IdP tax is being rolled over from IdPs to other consumers in the chain. Take a look at this wall of shame of companies that charge extra for SSO connections. The author posits that any company over 5 employees requires SSO as a key security requirement and lists, by name, the companies that charge more than twice the base regular product price for SSO. The author expresses the concern that this tax “disincentivizes its use and encourages poor security practices.”
Who do you think is providing the SSO for these companies, which in turn are then passing on costs to customers? In two of these cases, that is specifically documented…Auth0 by Okta.
SSO is generally included in the base price for identity companies, including Okta. But by purchasing from them, you’re buying into their pricing model which, as we described above, means that even if you only need SSO and a few IdPs, you have to buy a bunch of other features you may not need, just to get the IdPs.
And when companies push back on this model, there is evidence that they face stiff penalties. See this example of a customer that was told their service would be canceled within four days of notice, because they disagreed with the $500k contract.
Where Will the Unnecessary Taxation Stop?
Machine-to-machine (M2M) connections are another area of consternation for pricing in the customer identity space. M2M communication is a critical feature for many modern applications, enabling devices, servers, or APIs to communicate without direct human interaction. Examples include IoT applications like smart thermostats, fleet management systems, or even apps that track and share location data between devices. In IoT applications like fleet tracking or smart home devices, delays in authentication can disrupt operations or compromise user experience.
Auth0 and Okta impose significant fees for this functionality. These charges can quickly add up for businesses with high-volume M2M interactions. By imposing these fees, large providers stifle competition and make it harder for smaller businesses to innovate or scale effectively.
The True Cost of Hidden Fees
The IdP tax, along with other hidden fees for essential features like M2M connections, MFA, and user management, disproportionately impacts businesses that rely on scalability and flexibility, forcing them into unsustainable pricing models. Here are some other scenarios that are likely to see a significant impact:
- Consumer-facing apps with high user volume: Think of location-sharing apps, which often require federated identity for ease of use, as well as M2M connections to sync data across devices in real-time.
- Multi-tenant SaaS: Consider a SaaS company that provides services to thousands of businesses, each requiring separate logins for employees or customers.
- IoT and smart devices: These often use M2M connections for real-time communication, and require high volume with low latency.
- Healthcare: Remote patient monitoring or telemedicine apps often rely on M2M communication.
For companies like Acme, which need thousands of IdP connections and high-volume M2M interactions, these fees can quickly balloon into millions of dollars annually. That’s money that could be reinvested into innovation or growth.
There’s a strong argument that the companies most impacted by these taxes are often smaller, upstart organizations. They have limited resources, scalability challenges, a high dependency on third-party services, and they’re often in innovation-focused industries.
What’s worse is that these fees often don’t reflect actual costs for the vendor. Features like IdPs and M2M connections are foundational elements of modern CIAM systems. Once implemented, they require minimal ongoing engineering effort. Charging for them is less about covering costs and more about maximizing profits at the expense of customers.
A Tax You Can Refuse to Pay
Given the pervasiveness of identity, and its application to all digital products, the customer identity industry should strive for pricing that doesn’t shut smaller companies and startups out of the market. Businesses deserve predictable costs that align with the value they receive. The good news? Businesses have the power to demand better. When evaluating authentication providers, companies should prioritize vendors with transparent, scalable pricing—ones that treat IdPs and M2M connections as core functionality, not premium add-ons. The push for fairer pricing starts with informed decisions. Tax season is enough for all of us without an IdP tax on top!
If you ask us, charging for IdPs and M2M connections is not just a bad idea; it’s bad business. We’re in a trust-driven industry. That’s why we focus on having fully transparent pricing. There are no hidden costs anywhere, and we don’t believe in “gotcha” being a feature. The way that we see it, IdP connections are table stakes. It doesn’t make sense to charge extra for them.
We carry that same philosophy across the entirety of our pricing and packaging. Someone using our free Community version probably doesn’t need advanced MFA or custom OAuth scopes. But it wouldn’t surprise us if a Starter version user needed them, so they’re included in the base price. Best of all? You can test out those features for free with a fully custom proof of concept, guided by our Solutions Engineers.
How can we help you reach your goals? Drop us a line and let us know.