Skip to content
Z Zendikt
France edition · 10 products ranked · Verified 2026-05-17

Top 10 IAM / SSO Software in France for 2026

Independent ranking of IAM and SSO software for France, EUR pricing, ANSSI SecNumCloud, RGS, HDS for healthcare, RGPD strict compliance.

← Global ranking · Category overview
Identity & Access Management (IAM) / SSO by country
🌐 Global United States India United Kingdom France Germany

France verdict (TL;DR)

Verified 2026-05-17

France is the European IAM market most shaped by national sovereignty requirements. ANSSI SecNumCloud qualification is the hard gate for any French public sector or critical infrastructure deployment; only Wallix (PAM) and a handful of OVHcloud/Outscale-hosted deployments hold SecNumCloud. Microsoft Entra ID and Okta dominate French private-sector enterprise. French tech (Doctolib, Aircall, Mirakl, Contentsquare) runs Okta. Wallix (Paris, PAM leader) and Evidian (Atos Group) are the two credible France-sovereign IAM alternatives.

Picks for France

  • French private-sector enterprise on Microsoft 365: entra-id Default at French enterprises on Microsoft 365. M365 E3/E5 bundled. Azure France Central (Paris) data centre for data residency. FCA-equivalent ANSSI certification pathway via Azure France.
  • French tech scaleups and SaaS (Doctolib, Mirakl, Contentsquare tier): okta Dominant IAM at French tech champions. Okta France office in Paris. RGPD DPA included. AWS Paris (eu-west-3) data residency available.
  • French CIAM and developer teams: auth0 Used by French digital product teams for customer authentication. RGPD consent management, CNIL-compliant data residency on EU/France infrastructure. PSD2/DSP2 strong authentication (SCA) support for fintech.
  • French public sector and OIV/OSE (ANSSI-compliant PAM): cyberark-identity CyberArk has strong French CAC 40 and OIV (Opérateurs d'Importance Vitale) footprint. PAM + IGA combination aligns with ANSSI guide on privileged access (PA-082). PASSI audit-ready documentation.
  • French financial services (PSD2/DSP2 SCA and IGA): ping-identity Ping Identity has significant French FSI presence (BNP Paribas, Société Générale tier). Deep federation and CIAM supporting DSP2 Strong Customer Authentication. Identity governance for ACPR/AMF compliance.
  • French mid-market MFA and zero-trust: duo ANSSI recommends FIDO2-based MFA in its guide on authentication (May 2021). Duo's phishing-resistant MFA architecture aligns with ANSSI posture hardening recommendations. EUR billing available.
Market context

How the identity & access management (iam) / sso market looks in France

France has the most pronounced sovereignty-first IAM posture in Western Europe, driven by three structural factors: ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) holds genuine authority over critical infrastructure security requirements; the SecNumCloud qualification scheme creates a two-tier market between sovereign-cloud-qualified products and US-headquartered cloud products; and the RGS (Référentiel Général de Sécurité) governs public-sector digital trust requirements.

SecNumCloud is the defining gate: it requires cloud service providers to be headquartered in France, owned by EU entities, and audited by ANSSI-certified PASSI auditors. Microsoft Entra ID, Okta, and Duo do not hold SecNumCloud and cannot be used in French public-sector critical deployments under NIS2/LPM (Loi de Programmation Militaire) 2024 frameworks. Wallix Bastion (PAM) is the primary SecNumCloud-qualified IAM-adjacent product. For sovereign cloud IAM, French OIVs and public entities typically run Wallix or Evidian on OVHcloud or Outscale infrastructure.

For French private-sector enterprises (the CAC 40 and French tech scaleup tier), Okta and Entra ID dominate with standard EU data residency. French tech companies that have scaled internationally (Doctolib, Mirakl, Aircall, Contentsquare, Back Market, PayFit) run Okta as their workforce IAM. France Connect (managed by DINUM) provides citizen-identity federation for public services; it is not in scope as an enterprise IAM product but is the context for French CIAM deployments serving citizen-facing services. PSD2/DSP2 Strong Customer Authentication requirements for French banks and PSPs make identity a high-stakes layer in fintech CIAM.

Compliance & local rules

RGPD (GDPR as transposed in France): CNIL enforcement is among the strictest in the EU (Google fined €150M for cookie consent 2022; Facebook €60M). IAM vendors processing French employee or customer identity data must hold RGPD-compliant DPAs with EU data residency. ANSSI SecNumCloud: required for French public-sector critical information systems; US-headquartered vendors do not qualify. RGS (Référentiel Général de Sécurité): governs authentication levels (eIDAS LoA) for public-sector digital services; authentication at RGS **2 star (eIDAS Substantial) requires TOTP/FIDO2 MFA. HDS (Hébergeur de Données de Santé): required for any cloud service hosting French health data; IAM integrated into HDS-certified infrastructure must document access controls in the HDS audit scope. LPM 2024 and NIS2: OIVs (Opérateurs d'Importance Vitale) and OSEs (Opérateurs de Services Essentiels) must implement ANSSI-compliant security measures including identity governance.

At a glance

Quick comparison, ranked for France

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
2 Microsoft Entra ID
Any Microsoft-anchored organization
 $0 + $0/emp $0 4.5 Global; strongest in US, EU, AU; worldwide
1 Okta Workforce Identity
Non-Microsoft enterprises
 $2 $2 4.5 Global; strongest in US, EU, UK
4 Auth0 (Okta)
Engineering teams building customer apps
 $0 + $0/emp $0 4.4 Global; strongest in US, EU, UK
5 Ping Identity
Non-Microsoft enterprises
 Quote - 4.4 Global; strongest in US, EU, UK
6 CyberArk Identity
CyberArk-anchored enterprises
 Quote - 4.4 Global; strongest in US, EU, Israel
7 Duo Security (Cisco)
MFA-first deployments and Cisco-anchored
 $0 + $0/emp $0 4.5 Global; strongest in US, EU, UK
3 JumpCloud
SMBs without dedicated IT
 $0 + $0/emp $0 4.5 Global; strongest in US, UK, AU
9 Beyond Identity
Security-forward organizations
 Quote - 4.5 Global; strongest in US, UK
8 OneLogin (One Identity)
Mid-market non-Microsoft
 $4 $4 4.4 Global; strongest in US, EU, UK
10 Rippling SSO
Rippling-anchored SMBs
 Quote - 4.6 Primarily US; growing international

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in France actually pay

Median annual deal size by employee band, in EUR. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (EUR) Sample Notes
Microsoft Entra ID 100-500 employees (M365 E3) €0 76 Bundled with Microsoft 365 E3; EUR billing via Microsoft France
Okta Workforce Identity 100-500 employees €16,800 58 SSO + Adaptive MFA, EUR via Okta France
Okta Workforce Identity 500-2,500 employees €72,000 39 SSO + MFA + Lifecycle Management
Ping Identity 5,000+ employees (FSI) €195,000 21 PingOne enterprise; EUR pricing
Duo Security (Cisco) 200-1,000 employees €23,000 34 Duo Advantage, EUR billing
CyberArk Identity 1,000-5,000 employees €178,000 19 Identity Security Platform, EUR
Local challengers

France-built or France-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for France buyers and worth a shortlist.

Wallix

Visit ↗

Paris-based PAM and IAM vendor, listed on Euronext Growth (ALLIX). The leading France-sovereign PAM product. SecNumCloud-qualified via OVHcloud deployment. Strong French public sector and OIV/OSE footprint. CyberArk competitor at French enterprise.

Evidian (Atos)

Visit ↗

Evidian is the IAM brand of Atos (now Eviden). Toulouse/Paris-based. French CAC 40 and public-sector IAM. SecNumCloud-pathway via Atos sovereign cloud. Web Access Manager, Authentication Manager, and IdM components.

Ilex by Inetum

Visit ↗

Ilex International (acquired by Inetum) is a French IAM specialist with strong mid-market presence. Identity Federation, SSO, and provisioning for French enterprises. Not a global top-10 player but well-regarded by French DSI teams.

Excluded for France

Global picks that don't fit here

  • Rippling SSO
    Rippling has no French payroll or HRIS compliance as of 2026. French labor law (Convention collective, URSSAF, DSN declarations) is not supported. French buyers wanting HRIS-bundled SSO should evaluate Lucca or Sage Employees (both with France-native payroll and SSO modules).
The France ranking

All 10, ranked for France

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the France market.

#2

Microsoft Entra ID

De facto default for any organization on Microsoft 365.

Founded 2014 · Redmond, WA · public · 1–500,000+ employees
G2 4.5 (7,280)
Capterra 4.6
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Microsoft Entra ID

Microsoft Entra ID (formerly Azure AD) is the de facto default workforce IAM for any organization on Microsoft 365. Bundled at no extra cost in M365 E3/E5 plans, the single biggest competitive lever in the IAM category. Best fit for any Microsoft-anchored organization. Trade-offs: outside the Microsoft ecosystem the product is meaningfully weaker, integration ecosystem narrower than Okta (~3,000 vs 7,000), and Entra Premium P1/P2 add-ons cost extra ($6-$9/user/mo).

Best for

Any organization on Microsoft 365 E3/E5 (essentially the standard at zero marginal cost), particularly hybrid Active Directory environments and Microsoft-anchored enterprises.

Worst for

Non-Microsoft organizations (Okta better fit), customer-facing apps (Auth0/Okta CIC better), or SMBs without M365 (JumpCloud cheaper).

Strengths

  • Bundled with Microsoft 365 E3/E5 at no extra cost
  • De facto default for Microsoft-anchored orgs
  • Native integration with all Microsoft products
  • Built for hybrid AD environments
  • Conditional Access policies industry-leading
  • FedRAMP High authorized

Weaknesses

  • Outside Microsoft ecosystem meaningfully weaker
  • Integration ecosystem narrower than Okta (~3,000)
  • Entra Premium P1/P2 add-ons cost extra ($6-$9/user)
  • UX complexity high for non-Microsoft admins
  • Customer support quality varies by region

Pricing tiers

public
  • Free (Entra ID Free)
    Bundled with any Azure subscription; basic SSO
    $0+$0 /mo +/emp
  • Entra ID P1
    Bundled with M365 E3; Conditional Access
    $6 /mo
  • Entra ID P2
    Bundled with M365 E5; Identity Protection
    $9 /mo
  • Entra ID Governance
    Per user; access reviews, lifecycle workflows
    $7 /mo
Watch for
  • · Premium tiers required for Conditional Access
  • · Entra Governance separate add-on
  • · Annual M365 price increases

Key features

  • +SSO (3,000+ pre-built apps)
  • +Conditional Access policies
  • +Native Microsoft 365 integration
  • +Hybrid AD support
  • +Identity Protection (P2)
  • +Privileged Identity Management
  • +B2B and B2C support
  • +Mobile apps
3000+ integrations
Microsoft 365SalesforceWorkday HCMAWSGoogle WorkspaceServiceNow
Geography
Global; strongest in US, EU, AU; worldwide
View full Microsoft Entra ID intelligence profile → Compare Microsoft Entra ID →
#1

Okta Workforce Identity

Workforce IAM market leader with the deepest integration ecosystem.

Founded 2009 · San Francisco, CA · public · 100–100,000+ employees
G2 4.5 (8,420)
Capterra 4.6
From $2 /mo
● Transparent pricing
Visit Okta Workforce Identity

Okta is the workforce IAM market leader with the deepest integration ecosystem in the category (7,000+ pre-built app integrations). Founded 2009, public 2017. Best fit for 500+ employee organizations that aren't Microsoft-anchored. Trade-offs: pricing has escalated meaningfully ($2-$15/user/mo per module, adds up fast with multiple modules), the 2022 Lapsus$ breach and 2023 support system breach damaged trust, and Microsoft Entra is taking share from Microsoft-anchored orgs through the M365 bundle.

Best for

Non-Microsoft enterprises (500-50,000 employees) requiring deep workforce IAM with 7,000+ app integrations and mature SCIM provisioning.

Worst for

Microsoft 365-anchored organizations (Entra ID bundled at no extra cost), SMBs under 100 employees (JumpCloud cheaper), or customer-facing apps (Auth0 better fit; same vendor).

Strengths

  • Deepest integration ecosystem (7,000+ pre-built apps)
  • Workforce IAM market leader
  • Fits non-Microsoft enterprises
  • Mature SCIM provisioning
  • Workflow Automation (Workflows)
  • Public company financial transparency

Weaknesses

  • Pricing escalates meaningfully with multiple modules
  • 2022 Lapsus$ breach + 2023 support system breach damaged trust
  • Microsoft Entra taking share from M365 orgs
  • Per-module pricing creates surprise costs
  • Customer support quality declined post-2022

Pricing tiers

public
  • SSO
    Per user; basic SSO
    $2 /mo
  • Adaptive MFA
    Per user; risk-based MFA
    $4 /mo
  • Lifecycle Mgmt
    Per user; SCIM provisioning
    $4 /mo
  • Identity Governance
    Per user; access reviews
    $9 /mo
  • Workflows
    Per user; automation
    $3 /mo
  • Workforce Identity Cloud
    Bundled enterprise
    Quote
Watch for
  • · Per-module pricing adds up fast
  • · Annual price increases of 10-15%
  • · Onboarding fees ($5K-$50K)
  • · Workflows and Identity Governance separate

Key features

  • +SSO (7,000+ pre-built apps)
  • +Adaptive MFA with risk scoring
  • +Lifecycle management (SCIM)
  • +Identity Governance (access reviews)
  • +Workflows automation
  • +API Access Management
  • +Customer Identity (Auth0)
  • +Mobile apps
7000+ integrations
SalesforceMicrosoft 365Google WorkspaceAWSSlackWorkday HCM
Geography
Global; strongest in US, EU, UK
View full Okta Workforce Identity intelligence profile → Compare Okta Workforce Identity →
#4

Auth0 (Okta)

Customer IAM (CIAM) market leader.

Founded 2013 · Bellevue, WA · public · Any (engineering teams) employees
G2 4.4 (1,840)
Capterra 4.4
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Auth0 (Okta)

Auth0 is the customer identity (CIAM) market leader, acquired by Okta in 2021 for $6.5B. Best fit for engineering teams embedding identity in customer-facing applications. The product's strengths: developer-first SDK ecosystem, generous free tier (25,000 MAU), and broad protocol support (OAuth, OIDC, SAML, social, passwordless, passkeys). Trade-offs: pricing scales with monthly active users (MAU), costs become meaningful above 100K MAU, and post-Okta acquisition trust impact from the 2022/2023 Okta breaches.

Best for

Engineering teams embedding identity in customer-facing apps (B2B SaaS, B2C apps, marketplaces) needing rapid integration across multiple protocols.

Worst for

Workforce IAM (Okta WIC or Entra better), small employee counts (overkill), or simple SSO use cases (cheaper alternatives suffice).

Strengths

  • CIAM market leader
  • Developer-first SDK ecosystem (any language)
  • Generous free tier (25,000 MAU)
  • Broad protocol support (OAuth, OIDC, SAML, social, passwordless, passkeys)
  • Strong B2B and B2C use cases
  • Mature documentation

Weaknesses

  • Pricing scales with MAU, meaningful above 100K
  • Post-Okta breach trust impact
  • Outside CIAM use case weaker than Okta WIC
  • Customer support quality declined post-Okta
  • Some enterprise features require Enterprise tier

Pricing tiers

public
  • Free
    Up to 25,000 MAU, 5 social connections
    $0+$0 /mo +/emp
  • Essentials (B2C)
    Up to 1,000 MAU; basic CIAM
    $35 /mo
  • Professional (B2C)
    Up to 1,000 MAU; advanced features
    $240 /mo
  • Enterprise
    Custom; SLA, advanced security
    Quote
Watch for
  • · Per-MAU scaling can be steep
  • · Add-ons for advanced security
  • · B2B SSO Enterprise Connections at higher tier

Key features

  • +SSO (OAuth, OIDC, SAML)
  • +Social login (50+ providers)
  • +Passwordless authentication
  • +Passkey support (FIDO2)
  • +M2M authentication
  • +B2B Organizations
  • +Hooks and Actions for customization
  • +1,000+ SDKs and tutorials
200+ integrations
AWSSalesforceMicrosoft AzureGoogle CloudStripeAuth0 Marketplace
Geography
Global; strongest in US, EU, UK
View full Auth0 (Okta) intelligence profile → Compare Auth0 (Okta) →
#5

Ping Identity

Enterprise IAM alternative for non-Microsoft enterprises.

Founded 2002 · Denver, CO · private · 1,000–500,000+ employees
G2 4.4 (1,180)
Capterra 4.4
Custom quote
○ Sales call required
Visit Ping Identity

Ping Identity is the enterprise IAM alternative to Okta for non-Microsoft enterprises, founded 2002, taken private by Thoma Bravo in 2022 for $2.8B and merged with ForgeRock in 2023. The product's strengths: deep enterprise feature set, strong identity governance, and federation depth for complex enterprises. Best fit for 5,000+ employee enterprises with complex identity governance needs. Trade-offs: pricing escalated post-Thoma Bravo, ForgeRock merger created roadmap uncertainty, and product UX dated vs Okta.

Best for

Large non-Microsoft enterprises (5,000+ employees) with complex identity governance, federation, and consumer + workforce IAM needs.

Worst for

Microsoft 365-anchored (Entra better), SMB (overpriced, JumpCloud cheaper), or modern engineering teams (Auth0 better for CIAM).

Strengths

  • Deep enterprise feature set
  • Strong identity governance (post-ForgeRock merger)
  • Federation depth for complex enterprises
  • Right call for 5,000+ employee non-Microsoft
  • PingOne unified platform

Weaknesses

  • Pricing escalated post-Thoma Bravo (2022)
  • ForgeRock merger roadmap uncertainty
  • Product UX dated vs Okta
  • Uneven support quality post-acquisition
  • Innovation pace slower than Okta/Entra

Pricing tiers

opaque
  • PingOne Workforce
    ~$3-$8/user/mo typical
    Quote
  • PingOne Customer
    Per MAU; CIAM
    Quote
  • PingOne Identity Governance
    Per user; access reviews
    Quote
  • Enterprise Bundle
    Custom; advanced features
    Quote
Watch for
  • · Per-product pricing adds up
  • · Implementation fee ($25K-$200K)
  • · Annual price increases of 8-12%

Key features

  • +SSO (3,000+ pre-built apps)
  • +Adaptive MFA
  • +Identity Governance (post-ForgeRock)
  • +Federation (complex enterprise)
  • +PingOne Customer (CIAM)
  • +API security
  • +Mobile apps
3000+ integrations
SalesforceMicrosoft 365Workday HCMAWSGoogle WorkspaceServiceNow
Geography
Global; strongest in US, EU, UK
View full Ping Identity intelligence profile → Compare Ping Identity →
#6

CyberArk Identity

PAM-anchored identity platform for governance-heavy enterprises.

Founded 1999 · Petach Tikva, Israel · public · 1,000–500,000+ employees
G2 4.4 (980)
Capterra 4.4
Custom quote
○ Sales call required
Visit CyberArk Identity

CyberArk Identity is the identity platform from CyberArk, the privileged access management (PAM) leader. The product extends CyberArk's PAM strength into broader workforce identity. Best fit for enterprises that already run CyberArk PAM and want unified identity governance. Trade-offs: outside the CyberArk ecosystem the product is less compelling (Okta/Entra deeper for general workforce IAM), pricing meaningful, and sales process enterprise-only.

Best for

Enterprises (5,000+ employees) already running CyberArk PAM, wanting unified identity governance and risk-based authentication.

Worst for

Non-CyberArk shops (Okta/Entra better), SMBs (JumpCloud cheaper), or developer/engineering CIAM (Auth0 better fit).

Strengths

  • Native integration with CyberArk PAM
  • Strong identity governance and access reviews
  • Risk-based authentication
  • Enterprise compliance depth
  • Works for CyberArk-anchored enterprises
  • Public company financial transparency

Weaknesses

  • Outside CyberArk ecosystem less compelling
  • Pricing meaningful at scale
  • Sales process enterprise-only
  • Integration ecosystem narrower (~1,500)
  • UX complexity high

Pricing tiers

opaque
  • Identity Cloud
    Per-user; SSO + MFA
    Quote
  • Identity Security
    Per-user; risk-based auth, governance
    Quote
  • Bundled with PAM
    Custom; unified PAM + IAM
    Quote
Watch for
  • · Implementation fee ($25K-$300K)
  • · Per-product pricing
  • · Annual price increases

Key features

  • +SSO + MFA
  • +Identity governance
  • +Risk-based authentication
  • +Native CyberArk PAM integration
  • +Privileged session management
  • +Mobile apps
  • +1,500+ integrations
1500+ integrations
CyberArk PAMSalesforceMicrosoft 365AWSServiceNowWorkday HCM
Geography
Global; strongest in US, EU, Israel
View full CyberArk Identity intelligence profile → Compare CyberArk Identity →
#7

Duo Security (Cisco)

MFA market leader, SSO secondary.

Founded 2010 · Ann Arbor, MI · public · 10–100,000+ employees
G2 4.5 (2,840)
Capterra 4.7
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Duo Security (Cisco)

Duo Security is the MFA market leader, acquired by Cisco in 2018 for $2.4B. The product's strengths: cleanest MFA UX in category, strong device trust capabilities (Duo Healthcheck), and Cisco-network integration. Best fit for organizations where MFA is the primary need and SSO is secondary, or Cisco-anchored networks. Trade-offs: SSO depth thinner than Okta/Entra, integration ecosystem narrower, and post-Cisco product velocity has slowed.

Best for

Organizations where MFA is the primary need and SSO is secondary, or Cisco-network-anchored enterprises wanting native MFA + device trust.

Worst for

Best-of-breed workforce IAM (Okta/Entra better for SSO depth), customer IAM (Auth0 better), or SMBs needing all-in-one (JumpCloud better).

Strengths

  • MFA market leader
  • Cleanest MFA UX in category
  • Device trust capabilities (Duo Healthcheck)
  • Cisco network integration
  • Built for MFA-first deployments

Weaknesses

  • SSO depth thinner than Okta/Entra
  • Integration ecosystem narrower (~500)
  • Post-Cisco product velocity slowed
  • Identity governance limited
  • Support depends on tier

Pricing tiers

public
  • Free
    Up to 10 users; basic MFA
    $0+$0 /mo +/emp
  • Essentials
    Per user; basic MFA + SSO
    $3 /mo
  • Advantage
    Per user; device trust, advanced policies
    $6 /mo
  • Premier
    Per user; full identity platform
    $9 /mo
Watch for
  • · Annual billing for discount
  • · Premium support add-on

Key features

  • +MFA (push, TOTP, hardware tokens)
  • +Device trust (Duo Healthcheck)
  • +SSO (~500 apps)
  • +Adaptive policies
  • +Passwordless authentication
  • +Mobile apps
  • +Cisco network integration
500+ integrations
Microsoft 365SalesforceAWSGoogle WorkspaceCisco AnyConnectSlack
Geography
Global; strongest in US, EU, UK
View full Duo Security (Cisco) intelligence profile → Compare Duo Security (Cisco) →
#3

JumpCloud

IAM + directory + RMM at $11-$24/user, SMB default.

Founded 2012 · Louisville, CO · private · 10–500 employees
G2 4.5 (2,480)
Capterra 4.7
From $0 + $0 /mo + /employee
● Transparent pricing
Visit JumpCloud

JumpCloud is the SMB IAM + directory + endpoint management leader. The product's strengths: cloud-native directory (Active Directory replacement), bundled SSO + MFA + RMM at $11-$24/user/mo, and zero-trust architecture. Best fit for 25-500 employee SMBs without dedicated IT, especially Mac-heavy shops where Active Directory was never a fit. Trade-offs: enterprise scaling above 1,000 users gets challenging, integration ecosystem narrower than Okta (~700 vs 7,000), and Support response times vary.

Best for

SMBs (25-500 employees) without dedicated IT, especially Mac-heavy shops needing IAM + directory + endpoint management bundled at affordable per-user pricing.

Worst for

Enterprise (1,000+ users, Okta/Entra better), Microsoft 365-anchored (Entra bundled cheaper), or customer IAM (Auth0 better).

Strengths

  • Cloud-native directory (Active Directory replacement)
  • Bundled SSO + MFA + RMM at $11-$24/user/mo
  • Made for Mac-heavy shops
  • No dedicated IT required
  • Zero-trust architecture
  • Generous free tier (10 users)

Weaknesses

  • Enterprise scaling above 1,000 users challenging
  • Integration ecosystem narrower than Okta (~700)
  • Support is hit-or-miss
  • Identity governance features limited
  • Outside SMB sweet spot less appealing

Pricing tiers

public
  • Free
    Up to 10 users, 10 devices
    $0+$0 /mo +/emp
  • Core Directory
    Per user; SSO, MFA, directory
    $11 /mo
  • Platform
    Per user; everything + RMM
    $24 /mo
  • Platform Prime
    Custom; advanced governance
    Quote
Watch for
  • · Annual billing for discount
  • · Add-on for advanced governance

Key features

  • +Cloud-native directory
  • +SSO (700+ pre-built apps)
  • +MFA
  • +Device management (RMM)
  • +Patch management
  • +SCIM provisioning
  • +Mobile apps
  • +Zero-trust architecture
700+ integrations
Microsoft 365Google WorkspaceAWSSalesforceSlackBambooHR
Geography
Global; strongest in US, UK, AU
View full JumpCloud intelligence profile → Compare JumpCloud →
#9

Beyond Identity

Passwordless-first IAM with FIDO2/passkey-native architecture.

Founded 2020 · New York, NY · private · 100–10,000 employees
G2 4.5 (380)
Capterra 4.6
Custom quote
○ Sales call required
Visit Beyond Identity

Beyond Identity is the passwordless-first IAM platform, founded 2020 by Jim Clark (Netscape) and Tom (Pat) Jermoluk (@Home). The product's strengths: passkey/FIDO2-native architecture (no passwords ever), strong device-bound credentials, and modern UX. Best fit for security-forward organizations eliminating passwords entirely. Trade-offs: Lighter market share than Okta/Entra, integration ecosystem narrower (~150), and pricing meaningful at scale.

Best for

Security-forward organizations (200-5,000 employees) eliminating passwords entirely with passkey/FIDO2-native architecture.

Worst for

Microsoft-anchored shops (Entra includes passkey support free), organizations not ready for passwordless (Okta/Entra better), or SMBs (JumpCloud cheaper).

Strengths

  • Passkey/FIDO2-native architecture (no passwords)
  • Device-bound credentials (anti-phishing)
  • Modern UX
  • Right call for security-forward orgs
  • Founder-led with strong VC backing

Weaknesses

  • Narrower customer base than Okta/Entra
  • Integration ecosystem narrower (~150)
  • Pricing meaningful at scale
  • Newer product (2020); some growing pains
  • Less mature governance features

Pricing tiers

opaque
  • Workforce Secure SSO
    ~$8-$15/user/mo typical
    Quote
  • Workforce Secure DevOps
    Adds developer authentication
    Quote
  • Workforce Secure Customers
    Adds customer IAM
    Quote
Watch for
  • · Per-product pricing
  • · Implementation fee ($5K-$25K)

Key features

  • +Passkey/FIDO2-native authentication
  • +Device-bound credentials
  • +Adaptive policies
  • +Risk scoring
  • +Mobile apps
  • +150+ integrations
150+ integrations
Microsoft 365OktaSalesforceAWSGitHub
Geography
Global; strongest in US, UK
View full Beyond Identity intelligence profile → Compare Beyond Identity →
#8

OneLogin (One Identity)

Lower-cost Okta alternative for mid-market.

Founded 2009 · San Francisco, CA · private · 50–10,000 employees
G2 4.4 (1,380)
Capterra 4.3
From $4 /mo
● Transparent pricing
Visit OneLogin (One Identity)

OneLogin is the lower-cost Okta alternative for mid-market organizations. Acquired by One Identity (Quest Software) in 2021. The product's strengths: per-user pricing meaningfully cheaper than Okta, mature SSO and provisioning, and strong fit for mid-market not on Microsoft. Trade-offs: post-One Identity acquisition product velocity has slowed, integration ecosystem narrower than Okta (~5,000 vs 7,000), and customer support quality has declined.

Best for

Mid-market organizations (200-2,000 employees) wanting lower-cost workforce IAM than Okta with sufficient depth for non-Microsoft shops.

Worst for

Microsoft 365-anchored (Entra better), enterprise needing deepest features (Okta/Ping better), or modern engineering teams needing CIAM (Auth0 better).

Strengths

  • Lower-cost Okta alternative
  • Mature SSO and provisioning
  • Made for mid-market non-Microsoft
  • Established 2009; broad customer base
  • OneLogin Vigilance AI for risk detection

Weaknesses

  • Post-One Identity product velocity slowed
  • Integration ecosystem narrower (~5,000 vs 7,000)
  • Customer support quality declined
  • Innovation pace slower than Okta/Entra
  • AI features less mature

Pricing tiers

public
  • Advanced
    Per user; SSO + MFA
    $4 /mo
  • Professional
    Per user; provisioning, advanced MFA
    $8 /mo
  • Bundle
    Custom; full platform
    Quote
Watch for
  • · Per-product pricing
  • · Annual billing for discount
  • · Implementation fee

Key features

  • +SSO (~5,000 pre-built apps)
  • +Adaptive MFA
  • +SCIM provisioning
  • +OneLogin Vigilance AI (risk detection)
  • +Mobile apps
  • +5,000+ integrations
5000+ integrations
SalesforceMicrosoft 365Google WorkspaceAWSSlackWorkday HCM
Geography
Global; strongest in US, EU, UK
View full OneLogin (One Identity) intelligence profile → Compare OneLogin (One Identity) →
#10

Rippling SSO

Bundled with Rippling HRIS, default for Rippling-committed SMBs.

Founded 2016 · San Francisco, CA · private · 10–500 employees
G2 4.6 (580)
Capterra 4.6
Custom quote
○ Sales call required
Visit Rippling SSO

Rippling SSO is bundled with Rippling HRIS (covered separately in our Top 10 HRIS ranking) and Rippling Payroll (in our Top 10 Payroll Software ranking). The product's primary advantage: unified employee + identity lifecycle (employee onboarding in HRIS automatically provisions SSO + apps), making it the default for Rippling-committed SMBs (10-500 employees). Trade-offs: outside the Rippling ecosystem the product is significantly weaker, integration ecosystem narrower than Okta (~600), and standalone use case rare.

Best for

SMBs (10-500 employees) already on Rippling HRIS wanting unified employee + identity lifecycle (HRIS-driven SSO provisioning).

Worst for

Non-Rippling organizations (Okta/Entra better), enterprise (Okta/Entra/Ping better), or customer IAM (Auth0 better fit).

Strengths

  • Unified employee + identity lifecycle with Rippling HRIS
  • Default for Rippling-committed SMBs
  • Native HRIS-driven provisioning
  • Fits 10-500 employee Rippling shops
  • Modern UX

Weaknesses

  • Outside Rippling ecosystem significantly weaker
  • Integration ecosystem narrower (~600)
  • Standalone use case rare
  • Identity governance features limited
  • Less penetration than Okta/Entra

Pricing tiers

opaque
  • Rippling SSO
    $8/user/mo typical (bundled with Rippling)
    Quote
Watch for
  • · Bundled with Rippling HRIS subscription
  • · Per-product pricing within Rippling

Key features

  • +SSO (~600 pre-built apps)
  • +MFA
  • +Native HRIS-driven provisioning
  • +Conditional Access policies
  • +Mobile apps
  • +Tight Rippling HRIS integration
600+ integrations
Rippling HRISSalesforceMicrosoft 365Google WorkspaceAWSSlack
Geography
Primarily US; growing international
View full Rippling SSO intelligence profile → Compare Rippling SSO →

Frequently asked questions

The questions buyers actually ask before they sign.

Can Okta or Microsoft Entra ID be used in French public-sector systems under SecNumCloud?
No. ANSSI SecNumCloud qualification requires cloud providers to be EU-headquartered, to have no third-country ownership that creates legal obligations to disclose data, and to be audited by PASSI-certified auditors. Microsoft and Okta (both US-headquartered, subject to CLOUD Act) do not qualify for SecNumCloud. For French OIVs, public administration, and NIS2-critical operators, Wallix on OVHcloud or Evidian/Atos on their sovereign cloud are the qualified options.
Which IAM products support PSD2/DSP2 Strong Customer Authentication for French banks?
DSP2 (French transposition of PSD2) requires Strong Customer Authentication for payment initiation and account access: two independent factors from possession, knowledge, and inherence categories, linked to the specific transaction. Auth0 supports FIDO2 and SCA flows directly. Ping Identity has deep DSP2-specific CIAM implementations at BNP Paribas and SocGen tier. Okta CIAM can be configured for SCA. Any choice must also satisfy ACPR (Autorité de Contrôle Prudentiel et de Résolution) IT risk reporting.
What is France Connect and does it affect IAM vendor choice?
France Connect is the DINUM-operated citizen identity federation for public services; it allows citizens to authenticate to government services using credentials from approved identity providers (La Poste, Impots.gouv.fr, Ameli). It is not a commercial enterprise IAM product. Enterprises building citizen-facing digital services that integrate France Connect as an identity provider do so via OIDC/SAML federation, which any modern IAM platform (Auth0, Ping, Okta, Entra ID B2C) supports. Enterprise workforce IAM is a separate procurement.
Okta vs Microsoft Entra ID, which one?
Microsoft Entra ID if you're on Microsoft 365 E3 or E5, Entra is bundled at no extra cost, which is the single biggest economic lever in IAM. Okta if you're a non-Microsoft enterprise needing the deepest integration ecosystem (7,000+ apps vs Entra ~3,000). For Microsoft-anchored shops, Entra usually wins on TCO; for best-of-breed integration depth, Okta usually wins. Both are credible at enterprise scale.
How does this differ from your SIEM ranking?
Our Top 10 SIEM Software ranking covers log aggregation and security event monitoring (Splunk, Sentinel, etc.). This IAM ranking covers identity provisioning and authentication (who can access what). Both feed each other, IAM events flow into SIEM, SIEM detection rules trigger IAM responses. Most enterprises run both. Microsoft Sentinel + Microsoft Entra ID is a common combo.
How much should I budget for IAM?
SMB on M365 E3+ (1-100 employees): $0 incremental (Entra bundled). SMB without M365: $11-$24/user/mo (JumpCloud Core to Platform). Mid-market (100-1,000 employees): $4-$15/user/mo (Okta SSO+MFA, OneLogin Pro). Enterprise (1,000+ employees): $15-$30/user/mo (Okta full platform, Ping bundles, CyberArk). Customer IAM (Auth0): per-MAU scaling.
How long does IAM implementation take?
JumpCloud, Duo: 1-2 weeks. Okta SSO basic: 4-8 weeks. Okta full platform: 12-16 weeks. Microsoft Entra ID: 6-12 weeks (often coupled with M365 deployment). Ping Identity, CyberArk: 12-32 weeks (enterprise). Auth0: 1-4 weeks (engineering team). Plan change management, user MFA enrollment is the biggest bottleneck.
What about passwordless and passkeys in 2026?
Passkeys (FIDO2) are now table-stakes in IAM 2026: (1) Microsoft Entra ID, full passkey support free with M365. (2) Okta, passkey support, free in Workforce Identity. (3) Beyond Identity, passwordless-first architecture. (4) Auth0, passkey support. Vendors that gate passkeys behind premium tiers (some legacy IAM) are losing share. If your IAM doesn't support passkeys, plan a migration.
Should I pick best-of-breed or bundled IAM?
Best-of-breed (Okta separate, Auth0 separate, Duo separate): better when you're heavy in non-Microsoft apps and want depth in each module. Bundled (Microsoft Entra, Rippling SSO, JumpCloud Platform): better when you want unified billing and lifecycle. Most mid-market lands on bundled (Entra for M365 shops, Rippling for Rippling-anchored, JumpCloud for SMB without M365).
How do IAM breaches affect vendor selection?
The Okta 2022 Lapsus$ breach and 2023 support breach reset trust expectations across the category. After-action: (1) Verify the vendor's breach disclosure history. (2) Require breach notification SLAs in the contract. (3) Run quarterly access reviews regardless of vendor. (4) Don't rely on the IAM vendor as your only line of defense, combine with EDR, SIEM, and conditional access policies.
How does this overlap with HRIS for employee provisioning?
Modern HRIS (Workday, BambooHR, Rippling) drives IAM provisioning via SCIM. When an employee is hired in HRIS, the IAM auto-creates the SSO account. When terminated, IAM auto-deprovisions. Rippling SSO is bundled with Rippling HRIS (we use distinct product IDs `rippling-sso` and `rippling-hris`). Workday Recruiting (in Top 10 ATS) and Workday HCM (in Top 10 HRIS) drive provisioning to Okta/Entra.

Final word

Looking at a different market? See the global Identity & Access Management (IAM) / SSO ranking, or pick another country at the top of this page.

Last updated 2026-05-17. Local pricing reverified quarterly. Found something inaccurate? Tell us.