Identity Management Without Per-User Nightmares

The Per-User Pricing Trap

Let me tell you about the worst surprise a CFO can get: the annual renewal notice for their identity management platform.

Scene: Every SaaS company, circa Q4 budget planning

CFO: "So, our identity management costs $15,000 this year. That's reasonable."

IT Manager: "Actually, we've grown from 50 to 150 employees. The new renewal is $45,000."

CFO: [Eye twitches] "We're paying $300 per person per year for... logins?"

This is the per-user pricing trap, and it's how companies like Okta, Auth0, and Azure AD have built billion-dollar businesses.

How Per-User Pricing Actually Works

Let's break down Okta's pricing model:

Okta Workforce Identity (2024 Pricing):

• Starter: $2 USD per user/month ($24/year) - Basic SSO only
• Workforce Identity: $5 USD per user/month ($60/year) - Standard features
• Workforce Identity Plus: $10 USD per user/month ($120/year) - Advanced features

Startup with 10 Employees: $600/year - "Not bad!"

Growing Company with 100 Employees: $6,000/year - "Okay, getting pricey..."

Mid-Sized Company with 500 Employees: $30,000/year - "Wait, what?"

Enterprise with 2,000 Employees: $200,000/year - "This costs more than our entire office lease."

The Growth Tax

Per-user pricing is essentially a tax on success. As your company grows:

• Hire 10 new people? Add $600/year
• Onboard seasonal workers? Pay for them even if they're only there 3 months
• Contractors and vendors need access? They count as users too
• Acquisition or merger? Double your identity costs overnight

What IAM/SSO Actually Does

The Core Problem: Identity Sprawl

Your 100-person company uses Google Workspace, Slack, GitHub, Jira, Salesforce, HubSpot, AWS, Monday.com, Zoom, and 20 other SaaS tools.

Without IAM/SSO:

• Each tool has its own username/password
• Employees reuse passwords across tools (security nightmare)
• When someone leaves, you have to remember to deactivate them in 30+ places
• Password resets generate 10+ help desk tickets per week

With IAM/SSO:

• One login for everything
• Strong, unique password for that one account
• When someone leaves, disable one account → access to everything revoked
• Enforced MFA for all services
• Centralized audit trail

Okta vs Keycloak Feature Showdown

Now that we understand what IAM/SSO should do, let's compare the industry leader (Okta) with the open-source champion (Keycloak).

Spoiler: They're remarkably similar in capability, wildly different in cost.

Key Feature Comparisons

• SSO (SAML, OIDC, OAuth): Both ✓
• Multi-Factor Authentication: Both ✓
• Custom Branding: Okta limited, Keycloak full control
• API Access: Okta limited by tier, Keycloak unlimited
• Deployment: Okta cloud-only, Keycloak anywhere
• Pricing for 300 users: Okta $18,000+, Keycloak $6,000

The No-Per-User-Fee Revolution

This is where the magic happens. Let's talk about how managed Keycloak eliminates the per-user pricing nightmare.

ThinSky's Managed Keycloak Pricing

Instead of charging per user, we charge based on service level:

• Small Business Tier: $2,000-$3,000/year (Up to 500 users - but could be 5,000)
• Professional Tier: $5,000-$8,000/year (Unlimited users, seriously)
• Enterprise Tier: $12,000-$18,000/year (Everything plus 24/7 support)

Let's Do the Math

500-Employee Company:

Okta Workforce Identity	$30,000/year
ThinSky Managed Keycloak	$8,000/year
Savings	$22,000/year (73%)

2,000-Employee Enterprise:

Okta Enterprise	$200,000/year
ThinSky Managed Keycloak	$18,000/year
Savings	$162,000/year (81%)

Real Migration Stories

Case Study: The SaaS Scale-Up

Client: B2B SaaS company, EdTech sector
Size: 280 employees
Previous Solution: Okta Workforce Identity at $16,800/year

The Problem: Growing 100+ employees per year. Projected to spend $48,000/year within three years.

The Migration: 7 weeks total, zero downtime

Results:

• Old cost: $16,800/year
• New cost: $6,000/year
• Savings: $10,800/year (64%)
• Three-Year Savings: $108,000

Conclusion

Identity management is critical infrastructure, but it shouldn't cost more than your actual infrastructure.

The per-user pricing model is a trap. It punishes growth, discourages security best practices, and extracts increasing value without delivering increasing benefits.

Keycloak breaks that model. You get enterprise-grade IAM/SSO without the enterprise price tag.