Pricing opacity: the SSO tax and the MAU trap.
Who feels it
engineering · product · legal
What triggers the evaluation
a quote arrives 3-5x above the list price · security lists its requirements · a renewal
MAU pricing punishes the exact shape of business CIAM exists for. A retailer with 40 million registered users but 5 percent monthly activity still pays for the spike months, and the model rewards nobody for the dormant base it is storing. The trap is that the number on the pricing page is computed against a usage pattern that consumer identity rarely has.
Feature gating compounds it. The capabilities security will insist on (SSO, advanced MFA, and audit logs) are frequently pushed into enterprise tiers. This is the SSO tax: the login box is cheap, the security requirements are not, and the two are priced in different places. Buyers routinely report 3-5x gaps between the initial quote and the final contract once professional services are included.
The defense is to price the real configuration, not the demo. List the security requirements first, then get a quote with them enabled, and model billing against your actual activity rate and spike profile rather than the vendor's example. The capabilities mapped below are the ones most often discovered to be tier-gated. See the pricing models guide and model your own bands in the TCO calculator.
How teams recognize it
- A large registered base with low monthly activity still pays for spike months
- SSO, MFA, and audit logs turn out to be enterprise-tier only (the SSO tax)
- Initial quote and final contract differ by 3-5x once professional services are added
- Pricing is impossible to model without a sales call
How to evaluate vendors for this
The exact questions to put to vendors. Match each answer against the capabilities in the comparison below.
- 01 Is pricing on registered users or monthly active, and how are spikes and dormancy billed?
- 02 Which security features (SSO, adaptive MFA, audit logs) are gated into higher tiers?
- 03 What does the price look like with our actual security requirements enabled?
- 04 Are professional services required for launch, and what do they cost?
Capabilities that solve this
The vendors that cover the capabilities this pain maps to, scored on just those axes. See the full matrix on each vendor profile.
| Capability | Akamai Identity Cloud (100% covered) | Amazon Cognito (100% covered) | Auth0 (100% covered) | CyberArk Identity (100% covered) | ForgeRock (100% covered) | IBM Verify (100% covered) | Microsoft Entra External ID (100% covered) | Oracle IAM Identity Domains (100% covered) |
|---|---|---|---|---|---|---|---|---|
| SAML SSO | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Adaptive MFA | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Audit logs | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |
| Proven at high scale (1M+ MAU) | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes | ✓ Yes |