Skip to content
Z Zendikt
Canada edition · 10 products ranked · Verified 2026-05-27

Top 10 IAM Software in Canada for 2026

Canadian IAM ranking with CAD pricing, OSFI B-13 bank deployment, federal PROTECTED B, 1Password (Toronto) adjacency and Quebec Law 25 PII handling.

← Global ranking · Category overview
Identity & Access Management (IAM) / SSO by country
🌐 Global United States India United Kingdom France Germany Australia Canada

Canada verdict (TL;DR)

Verified 2026-05-27

Canadian IAM splits across three tiers. Microsoft Entra ID (formerly Azure AD) dominates Canadian enterprise via Microsoft 365 penetration at Big 5 banks, Manulife, Sun Life, Bell, Rogers, Telus, federal departments and most TSX 60. Okta and Auth0 (now Okta) own modern Canadian SaaS, customer IAM and Shopify-tier scale. Ping Identity holds pockets of Canadian banking and insurance. JumpCloud and OneLogin compete in mid-market. Duo (Cisco) dominates MFA at Canadian universities and mid-market. 1Password (Toronto) is the canonical Canadian secrets and password adjacency to formal IAM.

Picks for Canada

  • Canadian enterprise on Microsoft 365 (Big 5 bank, telco, gov): entra-id Microsoft Entra ID is the default at Canadian enterprise on Microsoft 365. Used at Big 5 banks, Manulife, Sun Life, Bell, Rogers, Telus and most federal departments. Native integration to Microsoft 365, Azure Canada Central deployment, French Canadian UI for Bill 96.
  • Canadian SaaS or scale-up needing workforce IAM: okta Okta dominates Canadian modern SaaS workforce IAM at Shopify, Wealthsimple, 1Password, Hootsuite, Vidyard, Top Hat. Strong app integration catalogue, lifecycle management, governance. Okta Canada with CAD billing, AWS ca-central-1 deployment option at enterprise tier.
  • Canadian SaaS needing customer IAM (CIAM) at scale: auth0 Auth0 (now Okta) dominates Canadian customer IAM at Wealthsimple, Coveo, Lightspeed, 1Password customer-facing products. Strong developer experience, social login, MFA, fraud detection integration.
  • Canadian bank or insurer with legacy Ping deployment: ping-identity Ping Identity holds pockets at older Canadian banking and insurance estates. Strong federation, OAuth/OIDC depth, PingOne for Customers CIAM at Canadian insurers. Used at RBC and TD historically for specific use cases.
  • Canadian SMB or mid-market wanting unified directory plus IAM: jumpcloud JumpCloud combines directory, IAM, device management and MFA in one platform. Strong fit for Canadian SMB and growing mid-market wanting JumpCloud-as-Active-Directory plus SSO plus device. CAD via direct billing.
Market context

How the identity & access management (iam) / sso market looks in Canada

Canadian IAM splits across three tiers. The Microsoft enterprise tier (Big 5 banks, Manulife, Sun Life, Bell, Rogers, Telus, most federal departments, TSX 60 industrials, U15 universities) standardised on Microsoft Entra ID via Microsoft 365 penetration. Entra ID handles workforce SSO, conditional access, identity protection, B2B collaboration and B2C CIAM. Azure Canada Central (Toronto) and Canada East (Quebec City) deployment satisfies most residency requirements.

The modern SaaS workforce IAM tier (Shopify, Wealthsimple, 1Password, Hootsuite, Vidyard, Top Hat, Ada, League, Coveo) defaults to Okta. Okta won the workforce IAM share at Canadian SaaS through 2018-2024 with strong app integration catalogue, lifecycle management and governance depth. Okta Canada handles CAD billing and AWS ca-central-1 deployment at enterprise tier.

The customer IAM (CIAM) tier defaults to Auth0 (now Okta) at Canadian SaaS customer-facing products. Wealthsimple, Coveo, Lightspeed and 1Password customer authentication run on Auth0. PingOne for Customers competes at Canadian insurers.

The MFA-adjacent tier defaults to Duo (Cisco) at Canadian universities (most U15 run Duo for student and faculty MFA), mid-market and complement to other IAM. Beyond Identity is gaining at modern Canadian SaaS wanting passwordless and FIDO2.

1Password (Toronto-headquartered) is the canonical Canadian password and secrets adjacency to formal IAM. While not a workforce IAM platform, 1Password Business and Enterprise are deployed alongside Okta or Entra ID at thousands of Canadian SaaS for shared credentials, secrets management and FIDO2 passkey support.

Compliance: OSFI B-13 (Technology and Cyber Risk Management) requires Canadian federally regulated FIs to apply MFA, conditional access and identity protection controls. OSFI B-13 audit trail requirements drive IAM logging integration to SIEM. ITSG-33 federal controls and CCCS PROTECTED B for federal IAM. Bill C-26 (CCSPA) adds critical-infrastructure cyber reporting from 2026. PIPEDA covers identity attributes. Quebec Law 25 PIA required for new IAM deployments. Bill 96 French UI for Quebec users.

Compliance & local rules

OSFI Guideline B-13 (Technology and Cyber Risk Management, in force 2024) requires Canadian federally regulated FIs to apply controls including MFA for privileged access, conditional access policies, identity protection, audit trail logging to SIEM and incident response. OSFI B-10 outsourcing rules with right-to-audit requirements for IAM vendors. ITSG-33 federal security controls apply to federal IAM deployments. CCCS PROTECTED B baseline mandatory for federal IAM via SSC Cloud Brokering for sensitive workloads. PIPEDA covers personal information in identity attributes. Quebec Law 25 (Loi 25, in full force September 2023) requires Privacy Impact Assessment for new IAM deployments ingesting Quebec personal information, automated-decision disclosure for risk-based authentication that denies access (Conditional Access in Entra ID, Workflows in Okta), breach notification to the CAI and cross-border transfer assessment. Bill 96 (Charter of the French Language reform) requires French UI for IAM portals serving Quebec users. Bill C-26 (Critical Cyber Systems Protection Act) phases in 2026 with incident reporting requirements for designated operators. PIPEDA breach notification 'real risk of significant harm' standard. Canadian sanctions screening obligations under PCMLTFA for IAM at financial services. NIST 800-63 digital identity guidelines widely referenced. Data residency: Entra ID hosts in Canada Central and East, Okta offers Canadian region at enterprise tier, Auth0 offers regional deployment, Ping Identity offers Canadian deployment via partner, JumpCloud and Duo offer US deployment with documented controls.

At a glance

Quick comparison, ranked for Canada

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
1 Okta Workforce Identity
Non-Microsoft enterprises
 $2 $2 4.5 Global; strongest in US, EU, UK
2 Microsoft Entra ID
Any Microsoft-anchored organization
 $0 + $0/emp $0 4.5 Global; strongest in US, EU, AU; worldwide
3 JumpCloud
SMBs without dedicated IT
 $0 + $0/emp $0 4.5 Global; strongest in US, UK, AU
4 Auth0 (Okta)
Engineering teams building customer apps
 $0 + $0/emp $0 4.4 Global; strongest in US, EU, UK
5 Ping Identity
Non-Microsoft enterprises
 Quote - 4.4 Global; strongest in US, EU, UK
6 CyberArk Identity
CyberArk-anchored enterprises
 Quote - 4.4 Global; strongest in US, EU, Israel
7 Duo Security (Cisco)
MFA-first deployments and Cisco-anchored
 $0 + $0/emp $0 4.5 Global; strongest in US, EU, UK
8 OneLogin (One Identity)
Mid-market non-Microsoft
 $4 $4 4.4 Global; strongest in US, EU, UK
9 Beyond Identity
Security-forward organizations
 Quote - 4.5 Global; strongest in US, UK
10 Rippling SSO
Rippling-anchored SMBs
 Quote - 4.6 Primarily US; growing international

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in Canada actually pay

Median annual deal size by employee band, in CAD. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (CAD) Sample Notes
Microsoft Entra ID Canadian enterprise on Microsoft 365 E3/E5 CA$0 142 Entra ID P1 bundled in Microsoft 365 E3; P2 in E5. Standalone Entra ID P1 ~C$8/user/month
Okta Workforce Identity Canadian Series B-C SaaS workforce IAM CA$36,000 64 Okta Workforce Identity Cloud Single Sign-On + MFA; CAD via Okta Canada
Okta Workforce Identity Canadian enterprise (1,000+ employees) CA$240,000 32 Okta Workforce Enterprise + Lifecycle + Governance; CAD
Auth0 (Okta) Canadian SaaS CIAM (consumer app) CA$60,000 38 Auth0 B2C Essentials at 10K MAU; CAD via Okta Canada
JumpCloud Canadian SMB (50-200 employees) CA$18,000 28 JumpCloud A-La-Carte SSO + Directory; CAD via USD
Duo Security (Cisco) Canadian university or mid-market MFA CA$24,000 38 Duo Essentials; CAD via Cisco Canada
Ping Identity Canadian insurer workforce + CIAM CA$180,000 9 Ping Workforce + Customer; CAD via Ping partner
Local challengers

Canada-built or Canada-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for Canada buyers and worth a shortlist.

1Password

Visit ↗

Toronto-built (founded 2005, ~C$8B+ valuation). Canadian-built password manager and secrets management. 1Password Business and Enterprise deployed alongside formal IAM at thousands of Canadian SaaS for shared credentials, secrets, FIDO2 passkeys. The canonical Canadian IAM adjacency.

Entra ID Canada Central deployment

Visit ↗

Not Canadian-built but the canonical Canadian enterprise IAM pattern. Microsoft Entra ID in Azure Canada Central (Toronto) and Canada East (Quebec City) covers most Canadian enterprise IAM needs with native French UI for Bill 96 and OSFI B-13 controls.

Excluded for Canada

Global picks that don't fit here

  • CyberArk Identity
    CyberArk Identity overlaps with PAM more than workforce IAM at typical Canadian deployments. Canadian PAM buyers should evaluate CyberArk PAM directly; for workforce IAM, evaluate Okta or Entra ID.
  • Rippling SSO
    Rippling SSO is bundled with Rippling HRIS/IT. Standalone Canadian IAM buyers should evaluate Okta or Entra ID first; evaluate Rippling only if also adopting Rippling HRIS/IT.
The Canada ranking

All 10, ranked for Canada

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the Canada market.

#1

Okta Workforce Identity

Workforce IAM market leader with the deepest integration ecosystem.

Founded 2009 · San Francisco, CA · public · 100–100,000+ employees
G2 4.5 (8,420)
Capterra 4.6
From $2 /mo
● Transparent pricing
Visit Okta Workforce Identity

Okta is the workforce IAM market leader with the deepest integration ecosystem in the category (7,000+ pre-built app integrations). Founded 2009, public 2017. Best fit for 500+ employee organizations that aren't Microsoft-anchored. Trade-offs: pricing has escalated meaningfully ($2-$15/user/mo per module, adds up fast with multiple modules), the 2022 Lapsus$ breach and 2023 support system breach damaged trust, and Microsoft Entra is taking share from Microsoft-anchored orgs through the M365 bundle.

Best for

Non-Microsoft enterprises (500-50,000 employees) requiring deep workforce IAM with 7,000+ app integrations and mature SCIM provisioning.

Worst for

Microsoft 365-anchored organizations (Entra ID bundled at no extra cost), SMBs under 100 employees (JumpCloud cheaper), or customer-facing apps (Auth0 better fit; same vendor).

Strengths

  • Deepest integration ecosystem (7,000+ pre-built apps)
  • Workforce IAM market leader
  • Fits non-Microsoft enterprises
  • Mature SCIM provisioning
  • Workflow Automation (Workflows)
  • Public company financial transparency

Weaknesses

  • Pricing escalates meaningfully with multiple modules
  • 2022 Lapsus$ breach + 2023 support system breach damaged trust
  • Microsoft Entra taking share from M365 orgs
  • Per-module pricing creates surprise costs
  • Customer support quality declined post-2022

Pricing tiers

public
  • SSO
    Per user; basic SSO
    $2 /mo
  • Adaptive MFA
    Per user; risk-based MFA
    $4 /mo
  • Lifecycle Mgmt
    Per user; SCIM provisioning
    $4 /mo
  • Identity Governance
    Per user; access reviews
    $9 /mo
  • Workflows
    Per user; automation
    $3 /mo
  • Workforce Identity Cloud
    Bundled enterprise
    Quote
Watch for
  • · Per-module pricing adds up fast
  • · Annual price increases of 10-15%
  • · Onboarding fees ($5K-$50K)
  • · Workflows and Identity Governance separate

Key features

  • +SSO (7,000+ pre-built apps)
  • +Adaptive MFA with risk scoring
  • +Lifecycle management (SCIM)
  • +Identity Governance (access reviews)
  • +Workflows automation
  • +API Access Management
  • +Customer Identity (Auth0)
  • +Mobile apps
7000+ integrations
SalesforceMicrosoft 365Google WorkspaceAWSSlackWorkday HCM
Geography
Global; strongest in US, EU, UK
View full Okta Workforce Identity intelligence profile → Compare Okta Workforce Identity →
#2

Microsoft Entra ID

De facto default for any organization on Microsoft 365.

Founded 2014 · Redmond, WA · public · 1–500,000+ employees
G2 4.5 (7,280)
Capterra 4.6
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Microsoft Entra ID

Microsoft Entra ID (formerly Azure AD) is the de facto default workforce IAM for any organization on Microsoft 365. Bundled at no extra cost in M365 E3/E5 plans, the single biggest competitive lever in the IAM category. Best fit for any Microsoft-anchored organization. Trade-offs: outside the Microsoft ecosystem the product is meaningfully weaker, integration ecosystem narrower than Okta (~3,000 vs 7,000), and Entra Premium P1/P2 add-ons cost extra ($6-$9/user/mo).

Best for

Any organization on Microsoft 365 E3/E5 (essentially the standard at zero marginal cost), particularly hybrid Active Directory environments and Microsoft-anchored enterprises.

Worst for

Non-Microsoft organizations (Okta better fit), customer-facing apps (Auth0/Okta CIC better), or SMBs without M365 (JumpCloud cheaper).

Strengths

  • Bundled with Microsoft 365 E3/E5 at no extra cost
  • De facto default for Microsoft-anchored orgs
  • Native integration with all Microsoft products
  • Built for hybrid AD environments
  • Conditional Access policies industry-leading
  • FedRAMP High authorized

Weaknesses

  • Outside Microsoft ecosystem meaningfully weaker
  • Integration ecosystem narrower than Okta (~3,000)
  • Entra Premium P1/P2 add-ons cost extra ($6-$9/user)
  • UX complexity high for non-Microsoft admins
  • Customer support quality varies by region

Pricing tiers

public
  • Free (Entra ID Free)
    Bundled with any Azure subscription; basic SSO
    $0+$0 /mo +/emp
  • Entra ID P1
    Bundled with M365 E3; Conditional Access
    $6 /mo
  • Entra ID P2
    Bundled with M365 E5; Identity Protection
    $9 /mo
  • Entra ID Governance
    Per user; access reviews, lifecycle workflows
    $7 /mo
Watch for
  • · Premium tiers required for Conditional Access
  • · Entra Governance separate add-on
  • · Annual M365 price increases

Key features

  • +SSO (3,000+ pre-built apps)
  • +Conditional Access policies
  • +Native Microsoft 365 integration
  • +Hybrid AD support
  • +Identity Protection (P2)
  • +Privileged Identity Management
  • +B2B and B2C support
  • +Mobile apps
3000+ integrations
Microsoft 365SalesforceWorkday HCMAWSGoogle WorkspaceServiceNow
Geography
Global; strongest in US, EU, AU; worldwide
View full Microsoft Entra ID intelligence profile → Compare Microsoft Entra ID →
#3

JumpCloud

IAM + directory + RMM at $11-$24/user, SMB default.

Founded 2012 · Louisville, CO · private · 10–500 employees
G2 4.5 (2,480)
Capterra 4.7
From $0 + $0 /mo + /employee
● Transparent pricing
Visit JumpCloud

JumpCloud is the SMB IAM + directory + endpoint management leader. The product's strengths: cloud-native directory (Active Directory replacement), bundled SSO + MFA + RMM at $11-$24/user/mo, and zero-trust architecture. Best fit for 25-500 employee SMBs without dedicated IT, especially Mac-heavy shops where Active Directory was never a fit. Trade-offs: enterprise scaling above 1,000 users gets challenging, integration ecosystem narrower than Okta (~700 vs 7,000), and Support response times vary.

Best for

SMBs (25-500 employees) without dedicated IT, especially Mac-heavy shops needing IAM + directory + endpoint management bundled at affordable per-user pricing.

Worst for

Enterprise (1,000+ users, Okta/Entra better), Microsoft 365-anchored (Entra bundled cheaper), or customer IAM (Auth0 better).

Strengths

  • Cloud-native directory (Active Directory replacement)
  • Bundled SSO + MFA + RMM at $11-$24/user/mo
  • Made for Mac-heavy shops
  • No dedicated IT required
  • Zero-trust architecture
  • Generous free tier (10 users)

Weaknesses

  • Enterprise scaling above 1,000 users challenging
  • Integration ecosystem narrower than Okta (~700)
  • Support is hit-or-miss
  • Identity governance features limited
  • Outside SMB sweet spot less appealing

Pricing tiers

public
  • Free
    Up to 10 users, 10 devices
    $0+$0 /mo +/emp
  • Core Directory
    Per user; SSO, MFA, directory
    $11 /mo
  • Platform
    Per user; everything + RMM
    $24 /mo
  • Platform Prime
    Custom; advanced governance
    Quote
Watch for
  • · Annual billing for discount
  • · Add-on for advanced governance

Key features

  • +Cloud-native directory
  • +SSO (700+ pre-built apps)
  • +MFA
  • +Device management (RMM)
  • +Patch management
  • +SCIM provisioning
  • +Mobile apps
  • +Zero-trust architecture
700+ integrations
Microsoft 365Google WorkspaceAWSSalesforceSlackBambooHR
Geography
Global; strongest in US, UK, AU
View full JumpCloud intelligence profile → Compare JumpCloud →
#4

Auth0 (Okta)

Customer IAM (CIAM) market leader.

Founded 2013 · Bellevue, WA · public · Any (engineering teams) employees
G2 4.4 (1,840)
Capterra 4.4
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Auth0 (Okta)

Auth0 is the customer identity (CIAM) market leader, acquired by Okta in 2021 for $6.5B. Best fit for engineering teams embedding identity in customer-facing applications. The product's strengths: developer-first SDK ecosystem, generous free tier (25,000 MAU), and broad protocol support (OAuth, OIDC, SAML, social, passwordless, passkeys). Trade-offs: pricing scales with monthly active users (MAU), costs become meaningful above 100K MAU, and post-Okta acquisition trust impact from the 2022/2023 Okta breaches.

Best for

Engineering teams embedding identity in customer-facing apps (B2B SaaS, B2C apps, marketplaces) needing rapid integration across multiple protocols.

Worst for

Workforce IAM (Okta WIC or Entra better), small employee counts (overkill), or simple SSO use cases (cheaper alternatives suffice).

Strengths

  • CIAM market leader
  • Developer-first SDK ecosystem (any language)
  • Generous free tier (25,000 MAU)
  • Broad protocol support (OAuth, OIDC, SAML, social, passwordless, passkeys)
  • Strong B2B and B2C use cases
  • Mature documentation

Weaknesses

  • Pricing scales with MAU, meaningful above 100K
  • Post-Okta breach trust impact
  • Outside CIAM use case weaker than Okta WIC
  • Customer support quality declined post-Okta
  • Some enterprise features require Enterprise tier

Pricing tiers

public
  • Free
    Up to 25,000 MAU, 5 social connections
    $0+$0 /mo +/emp
  • Essentials (B2C)
    Up to 1,000 MAU; basic CIAM
    $35 /mo
  • Professional (B2C)
    Up to 1,000 MAU; advanced features
    $240 /mo
  • Enterprise
    Custom; SLA, advanced security
    Quote
Watch for
  • · Per-MAU scaling can be steep
  • · Add-ons for advanced security
  • · B2B SSO Enterprise Connections at higher tier

Key features

  • +SSO (OAuth, OIDC, SAML)
  • +Social login (50+ providers)
  • +Passwordless authentication
  • +Passkey support (FIDO2)
  • +M2M authentication
  • +B2B Organizations
  • +Hooks and Actions for customization
  • +1,000+ SDKs and tutorials
200+ integrations
AWSSalesforceMicrosoft AzureGoogle CloudStripeAuth0 Marketplace
Geography
Global; strongest in US, EU, UK
View full Auth0 (Okta) intelligence profile → Compare Auth0 (Okta) →
#5

Ping Identity

Enterprise IAM alternative for non-Microsoft enterprises.

Founded 2002 · Denver, CO · private · 1,000–500,000+ employees
G2 4.4 (1,180)
Capterra 4.4
Custom quote
○ Sales call required
Visit Ping Identity

Ping Identity is the enterprise IAM alternative to Okta for non-Microsoft enterprises, founded 2002, taken private by Thoma Bravo in 2022 for $2.8B and merged with ForgeRock in 2023. The product's strengths: deep enterprise feature set, strong identity governance, and federation depth for complex enterprises. Best fit for 5,000+ employee enterprises with complex identity governance needs. Trade-offs: pricing escalated post-Thoma Bravo, ForgeRock merger created roadmap uncertainty, and product UX dated vs Okta.

Best for

Large non-Microsoft enterprises (5,000+ employees) with complex identity governance, federation, and consumer + workforce IAM needs.

Worst for

Microsoft 365-anchored (Entra better), SMB (overpriced, JumpCloud cheaper), or modern engineering teams (Auth0 better for CIAM).

Strengths

  • Deep enterprise feature set
  • Strong identity governance (post-ForgeRock merger)
  • Federation depth for complex enterprises
  • Right call for 5,000+ employee non-Microsoft
  • PingOne unified platform

Weaknesses

  • Pricing escalated post-Thoma Bravo (2022)
  • ForgeRock merger roadmap uncertainty
  • Product UX dated vs Okta
  • Uneven support quality post-acquisition
  • Innovation pace slower than Okta/Entra

Pricing tiers

opaque
  • PingOne Workforce
    ~$3-$8/user/mo typical
    Quote
  • PingOne Customer
    Per MAU; CIAM
    Quote
  • PingOne Identity Governance
    Per user; access reviews
    Quote
  • Enterprise Bundle
    Custom; advanced features
    Quote
Watch for
  • · Per-product pricing adds up
  • · Implementation fee ($25K-$200K)
  • · Annual price increases of 8-12%

Key features

  • +SSO (3,000+ pre-built apps)
  • +Adaptive MFA
  • +Identity Governance (post-ForgeRock)
  • +Federation (complex enterprise)
  • +PingOne Customer (CIAM)
  • +API security
  • +Mobile apps
3000+ integrations
SalesforceMicrosoft 365Workday HCMAWSGoogle WorkspaceServiceNow
Geography
Global; strongest in US, EU, UK
View full Ping Identity intelligence profile → Compare Ping Identity →
#6

CyberArk Identity

PAM-anchored identity platform for governance-heavy enterprises.

Founded 1999 · Petach Tikva, Israel · public · 1,000–500,000+ employees
G2 4.4 (980)
Capterra 4.4
Custom quote
○ Sales call required
Visit CyberArk Identity

CyberArk Identity is the identity platform from CyberArk, the privileged access management (PAM) leader. The product extends CyberArk's PAM strength into broader workforce identity. Best fit for enterprises that already run CyberArk PAM and want unified identity governance. Trade-offs: outside the CyberArk ecosystem the product is less compelling (Okta/Entra deeper for general workforce IAM), pricing meaningful, and sales process enterprise-only.

Best for

Enterprises (5,000+ employees) already running CyberArk PAM, wanting unified identity governance and risk-based authentication.

Worst for

Non-CyberArk shops (Okta/Entra better), SMBs (JumpCloud cheaper), or developer/engineering CIAM (Auth0 better fit).

Strengths

  • Native integration with CyberArk PAM
  • Strong identity governance and access reviews
  • Risk-based authentication
  • Enterprise compliance depth
  • Works for CyberArk-anchored enterprises
  • Public company financial transparency

Weaknesses

  • Outside CyberArk ecosystem less compelling
  • Pricing meaningful at scale
  • Sales process enterprise-only
  • Integration ecosystem narrower (~1,500)
  • UX complexity high

Pricing tiers

opaque
  • Identity Cloud
    Per-user; SSO + MFA
    Quote
  • Identity Security
    Per-user; risk-based auth, governance
    Quote
  • Bundled with PAM
    Custom; unified PAM + IAM
    Quote
Watch for
  • · Implementation fee ($25K-$300K)
  • · Per-product pricing
  • · Annual price increases

Key features

  • +SSO + MFA
  • +Identity governance
  • +Risk-based authentication
  • +Native CyberArk PAM integration
  • +Privileged session management
  • +Mobile apps
  • +1,500+ integrations
1500+ integrations
CyberArk PAMSalesforceMicrosoft 365AWSServiceNowWorkday HCM
Geography
Global; strongest in US, EU, Israel
View full CyberArk Identity intelligence profile → Compare CyberArk Identity →
#7

Duo Security (Cisco)

MFA market leader, SSO secondary.

Founded 2010 · Ann Arbor, MI · public · 10–100,000+ employees
G2 4.5 (2,840)
Capterra 4.7
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Duo Security (Cisco)

Duo Security is the MFA market leader, acquired by Cisco in 2018 for $2.4B. The product's strengths: cleanest MFA UX in category, strong device trust capabilities (Duo Healthcheck), and Cisco-network integration. Best fit for organizations where MFA is the primary need and SSO is secondary, or Cisco-anchored networks. Trade-offs: SSO depth thinner than Okta/Entra, integration ecosystem narrower, and post-Cisco product velocity has slowed.

Best for

Organizations where MFA is the primary need and SSO is secondary, or Cisco-network-anchored enterprises wanting native MFA + device trust.

Worst for

Best-of-breed workforce IAM (Okta/Entra better for SSO depth), customer IAM (Auth0 better), or SMBs needing all-in-one (JumpCloud better).

Strengths

  • MFA market leader
  • Cleanest MFA UX in category
  • Device trust capabilities (Duo Healthcheck)
  • Cisco network integration
  • Built for MFA-first deployments

Weaknesses

  • SSO depth thinner than Okta/Entra
  • Integration ecosystem narrower (~500)
  • Post-Cisco product velocity slowed
  • Identity governance limited
  • Support depends on tier

Pricing tiers

public
  • Free
    Up to 10 users; basic MFA
    $0+$0 /mo +/emp
  • Essentials
    Per user; basic MFA + SSO
    $3 /mo
  • Advantage
    Per user; device trust, advanced policies
    $6 /mo
  • Premier
    Per user; full identity platform
    $9 /mo
Watch for
  • · Annual billing for discount
  • · Premium support add-on

Key features

  • +MFA (push, TOTP, hardware tokens)
  • +Device trust (Duo Healthcheck)
  • +SSO (~500 apps)
  • +Adaptive policies
  • +Passwordless authentication
  • +Mobile apps
  • +Cisco network integration
500+ integrations
Microsoft 365SalesforceAWSGoogle WorkspaceCisco AnyConnectSlack
Geography
Global; strongest in US, EU, UK
View full Duo Security (Cisco) intelligence profile → Compare Duo Security (Cisco) →
#8

OneLogin (One Identity)

Lower-cost Okta alternative for mid-market.

Founded 2009 · San Francisco, CA · private · 50–10,000 employees
G2 4.4 (1,380)
Capterra 4.3
From $4 /mo
● Transparent pricing
Visit OneLogin (One Identity)

OneLogin is the lower-cost Okta alternative for mid-market organizations. Acquired by One Identity (Quest Software) in 2021. The product's strengths: per-user pricing meaningfully cheaper than Okta, mature SSO and provisioning, and strong fit for mid-market not on Microsoft. Trade-offs: post-One Identity acquisition product velocity has slowed, integration ecosystem narrower than Okta (~5,000 vs 7,000), and customer support quality has declined.

Best for

Mid-market organizations (200-2,000 employees) wanting lower-cost workforce IAM than Okta with sufficient depth for non-Microsoft shops.

Worst for

Microsoft 365-anchored (Entra better), enterprise needing deepest features (Okta/Ping better), or modern engineering teams needing CIAM (Auth0 better).

Strengths

  • Lower-cost Okta alternative
  • Mature SSO and provisioning
  • Made for mid-market non-Microsoft
  • Established 2009; broad customer base
  • OneLogin Vigilance AI for risk detection

Weaknesses

  • Post-One Identity product velocity slowed
  • Integration ecosystem narrower (~5,000 vs 7,000)
  • Customer support quality declined
  • Innovation pace slower than Okta/Entra
  • AI features less mature

Pricing tiers

public
  • Advanced
    Per user; SSO + MFA
    $4 /mo
  • Professional
    Per user; provisioning, advanced MFA
    $8 /mo
  • Bundle
    Custom; full platform
    Quote
Watch for
  • · Per-product pricing
  • · Annual billing for discount
  • · Implementation fee

Key features

  • +SSO (~5,000 pre-built apps)
  • +Adaptive MFA
  • +SCIM provisioning
  • +OneLogin Vigilance AI (risk detection)
  • +Mobile apps
  • +5,000+ integrations
5000+ integrations
SalesforceMicrosoft 365Google WorkspaceAWSSlackWorkday HCM
Geography
Global; strongest in US, EU, UK
View full OneLogin (One Identity) intelligence profile → Compare OneLogin (One Identity) →
#9

Beyond Identity

Passwordless-first IAM with FIDO2/passkey-native architecture.

Founded 2020 · New York, NY · private · 100–10,000 employees
G2 4.5 (380)
Capterra 4.6
Custom quote
○ Sales call required
Visit Beyond Identity

Beyond Identity is the passwordless-first IAM platform, founded 2020 by Jim Clark (Netscape) and Tom (Pat) Jermoluk (@Home). The product's strengths: passkey/FIDO2-native architecture (no passwords ever), strong device-bound credentials, and modern UX. Best fit for security-forward organizations eliminating passwords entirely. Trade-offs: Lighter market share than Okta/Entra, integration ecosystem narrower (~150), and pricing meaningful at scale.

Best for

Security-forward organizations (200-5,000 employees) eliminating passwords entirely with passkey/FIDO2-native architecture.

Worst for

Microsoft-anchored shops (Entra includes passkey support free), organizations not ready for passwordless (Okta/Entra better), or SMBs (JumpCloud cheaper).

Strengths

  • Passkey/FIDO2-native architecture (no passwords)
  • Device-bound credentials (anti-phishing)
  • Modern UX
  • Right call for security-forward orgs
  • Founder-led with strong VC backing

Weaknesses

  • Narrower customer base than Okta/Entra
  • Integration ecosystem narrower (~150)
  • Pricing meaningful at scale
  • Newer product (2020); some growing pains
  • Less mature governance features

Pricing tiers

opaque
  • Workforce Secure SSO
    ~$8-$15/user/mo typical
    Quote
  • Workforce Secure DevOps
    Adds developer authentication
    Quote
  • Workforce Secure Customers
    Adds customer IAM
    Quote
Watch for
  • · Per-product pricing
  • · Implementation fee ($5K-$25K)

Key features

  • +Passkey/FIDO2-native authentication
  • +Device-bound credentials
  • +Adaptive policies
  • +Risk scoring
  • +Mobile apps
  • +150+ integrations
150+ integrations
Microsoft 365OktaSalesforceAWSGitHub
Geography
Global; strongest in US, UK
View full Beyond Identity intelligence profile → Compare Beyond Identity →
#10

Rippling SSO

Bundled with Rippling HRIS, default for Rippling-committed SMBs.

Founded 2016 · San Francisco, CA · private · 10–500 employees
G2 4.6 (580)
Capterra 4.6
Custom quote
○ Sales call required
Visit Rippling SSO

Rippling SSO is bundled with Rippling HRIS (covered separately in our Top 10 HRIS ranking) and Rippling Payroll (in our Top 10 Payroll Software ranking). The product's primary advantage: unified employee + identity lifecycle (employee onboarding in HRIS automatically provisions SSO + apps), making it the default for Rippling-committed SMBs (10-500 employees). Trade-offs: outside the Rippling ecosystem the product is significantly weaker, integration ecosystem narrower than Okta (~600), and standalone use case rare.

Best for

SMBs (10-500 employees) already on Rippling HRIS wanting unified employee + identity lifecycle (HRIS-driven SSO provisioning).

Worst for

Non-Rippling organizations (Okta/Entra better), enterprise (Okta/Entra/Ping better), or customer IAM (Auth0 better fit).

Strengths

  • Unified employee + identity lifecycle with Rippling HRIS
  • Default for Rippling-committed SMBs
  • Native HRIS-driven provisioning
  • Fits 10-500 employee Rippling shops
  • Modern UX

Weaknesses

  • Outside Rippling ecosystem significantly weaker
  • Integration ecosystem narrower (~600)
  • Standalone use case rare
  • Identity governance features limited
  • Less penetration than Okta/Entra

Pricing tiers

opaque
  • Rippling SSO
    $8/user/mo typical (bundled with Rippling)
    Quote
Watch for
  • · Bundled with Rippling HRIS subscription
  • · Per-product pricing within Rippling

Key features

  • +SSO (~600 pre-built apps)
  • +MFA
  • +Native HRIS-driven provisioning
  • +Conditional Access policies
  • +Mobile apps
  • +Tight Rippling HRIS integration
600+ integrations
Rippling HRISSalesforceMicrosoft 365Google WorkspaceAWSSlack
Geography
Primarily US; growing international
View full Rippling SSO intelligence profile → Compare Rippling SSO →

Frequently asked questions

The questions buyers actually ask before they sign.

Entra ID vs Okta for a Canadian Series C SaaS?
Both are credible. Entra ID wins if you are already on Microsoft 365 E3 or E5 (most Canadian enterprise sales-led SaaS adopt Microsoft 365 for productivity). Entra ID P1 is bundled in E3 at no marginal IAM cost. Okta wins for stronger app integration catalogue (7,000+ pre-built integrations vs Entra ID Gallery of ~3,000+), better lifecycle management for non-Microsoft SaaS apps, faster time-to-deployment for greenfield identity programmes and stronger CIAM via Auth0 if you also need customer-facing IAM. For a Canadian Series C SaaS already on Microsoft 365 E3, Entra ID is the lower-friction default; for greenfield or Microsoft-light estates, Okta typically wins.
Does OSFI B-13 require Canadian residency for IAM?
OSFI B-13 does not mandate Canadian residency but requires risk-based controls over IAM vendors including SOC 2 Type II, ISO 27001 and documented incident response. Most Canadian Big 5 banks deploy Entra ID in Azure Canada Central and Canada East or Okta in AWS ca-central-1 at enterprise tier. The residency choice strengthens the B-13 vendor risk review and simplifies Quebec Law 25 cross-border transfer assessments. For federal CCCS PROTECTED B workloads, Canadian residency via SSC-brokered cloud is mandatory.
Why is 1Password the canonical Canadian IAM adjacency?
1Password is Toronto-built (founded 2005, ~C$8B+ valuation) with 100,000+ business customers. 1Password Business and Enterprise are deployed alongside formal IAM (Okta, Entra ID) at thousands of Canadian SaaS, federal departments and Big 5 banks for shared credentials that don't fit SSO (legacy admin consoles, third-party portals without SAML, shared service accounts), secrets management for engineering teams and FIDO2 passkey rollout. Strong PIPEDA and Quebec Law 25 posture as a Canadian-headquartered vendor. The canonical Canadian IAM-adjacent choice for password and secrets management.
Okta vs Microsoft Entra ID, which one?
Microsoft Entra ID if you're on Microsoft 365 E3 or E5, Entra is bundled at no extra cost, which is the single biggest economic lever in IAM. Okta if you're a non-Microsoft enterprise needing the deepest integration ecosystem (7,000+ apps vs Entra ~3,000). For Microsoft-anchored shops, Entra usually wins on TCO; for best-of-breed integration depth, Okta usually wins. Both are credible at enterprise scale.
How does this differ from your SIEM ranking?
Our Top 10 SIEM Software ranking covers log aggregation and security event monitoring (Splunk, Sentinel, etc.). This IAM ranking covers identity provisioning and authentication (who can access what). Both feed each other, IAM events flow into SIEM, SIEM detection rules trigger IAM responses. Most enterprises run both. Microsoft Sentinel + Microsoft Entra ID is a common combo.
How much should I budget for IAM?
SMB on M365 E3+ (1-100 employees): $0 incremental (Entra bundled). SMB without M365: $11-$24/user/mo (JumpCloud Core to Platform). Mid-market (100-1,000 employees): $4-$15/user/mo (Okta SSO+MFA, OneLogin Pro). Enterprise (1,000+ employees): $15-$30/user/mo (Okta full platform, Ping bundles, CyberArk). Customer IAM (Auth0): per-MAU scaling.
How long does IAM implementation take?
JumpCloud, Duo: 1-2 weeks. Okta SSO basic: 4-8 weeks. Okta full platform: 12-16 weeks. Microsoft Entra ID: 6-12 weeks (often coupled with M365 deployment). Ping Identity, CyberArk: 12-32 weeks (enterprise). Auth0: 1-4 weeks (engineering team). Plan change management, user MFA enrollment is the biggest bottleneck.
What about passwordless and passkeys in 2026?
Passkeys (FIDO2) are now table-stakes in IAM 2026: (1) Microsoft Entra ID, full passkey support free with M365. (2) Okta, passkey support, free in Workforce Identity. (3) Beyond Identity, passwordless-first architecture. (4) Auth0, passkey support. Vendors that gate passkeys behind premium tiers (some legacy IAM) are losing share. If your IAM doesn't support passkeys, plan a migration.
Should I pick best-of-breed or bundled IAM?
Best-of-breed (Okta separate, Auth0 separate, Duo separate): better when you're heavy in non-Microsoft apps and want depth in each module. Bundled (Microsoft Entra, Rippling SSO, JumpCloud Platform): better when you want unified billing and lifecycle. Most mid-market lands on bundled (Entra for M365 shops, Rippling for Rippling-anchored, JumpCloud for SMB without M365).
How do IAM breaches affect vendor selection?
The Okta 2022 Lapsus$ breach and 2023 support breach reset trust expectations across the category. After-action: (1) Verify the vendor's breach disclosure history. (2) Require breach notification SLAs in the contract. (3) Run quarterly access reviews regardless of vendor. (4) Don't rely on the IAM vendor as your only line of defense, combine with EDR, SIEM, and conditional access policies.
How does this overlap with HRIS for employee provisioning?
Modern HRIS (Workday, BambooHR, Rippling) drives IAM provisioning via SCIM. When an employee is hired in HRIS, the IAM auto-creates the SSO account. When terminated, IAM auto-deprovisions. Rippling SSO is bundled with Rippling HRIS (we use distinct product IDs `rippling-sso` and `rippling-hris`). Workday Recruiting (in Top 10 ATS) and Workday HCM (in Top 10 HRIS) drive provisioning to Okta/Entra.

Final word

Looking at a different market? See the global Identity & Access Management (IAM) / SSO ranking, or pick another country at the top of this page.

Last updated 2026-05-27. Local pricing reverified quarterly. Found something inaccurate? Tell us.