Skip to content
Z Zendikt
United States edition · 10 products ranked · Verified 2026-05-17

Top 10 IAM / SSO Software in the United States for 2026

Independent ranking of identity & access management software for US buyers, USD pricing, NIST 800-63 and CISA Zero Trust fit, FedRAMP status.

← Global ranking · Category overview
Identity & Access Management (IAM) / SSO by country
🌐 Global United States India United Kingdom France Germany

United States verdict (TL;DR)

Verified 2026-05-17

Okta and Microsoft Entra ID split the US market on a clean fault line: Entra ID wins every Microsoft 365-anchored organization by bundled default; Okta wins non-Microsoft enterprises with its 7,000-app integration ecosystem. JumpCloud is the SMB default at $11-$24/user. FedRAMP Authorization is the gating factor for any federal or federal-contractor sale, and only Okta, Entra ID, and Duo carry FedRAMP High or Moderate authorization as of mid-2026.

Picks for United States

  • Microsoft 365-anchored enterprises (any size): entra-id Bundled in M365 E3/E5 at zero marginal cost. Conditional Access is best-in-class. FedRAMP High authorized. Default for any org where Microsoft is the backbone.
  • Non-Microsoft enterprises (500-50,000 employees): okta Deepest integration ecosystem (7,000+ apps). NIST 800-63 IAL/AAL alignment verified. FedRAMP Moderate authorized. Dominant US workforce IAM outside Microsoft shops.
  • SMB IAM + directory + endpoint (25-500 employees): jumpcloud Cloud-native AD replacement, SSO + MFA + RMM at $11-$24/user. Free tier for 10 users. No dedicated IT required.
  • Federal, DoD, and federal contractor MFA: duo FedRAMP High authorized. CISA-referenced MFA control. Phishing-resistant MFA (FIDO2/WebAuthn) for federal zero-trust mandates.
  • Customer IAM (B2C/B2B product teams): auth0 CIAM market leader. Developer-first SDKs. Free to 25,000 MAU. Auth0 FedRAMP authorized for public-sector CIAM.
  • Passwordless-first, zero-trust architecture: beyond-identity Passkey/FIDO2 native. No passwords, no phishing vectors. Best for US orgs following CISA Zero Trust Maturity Model at level 3.
  • Rippling HRIS customers: rippling-sso Bundled in Rippling platform. Automated provisioning/deprovisioning tied to HRIS employee lifecycle. Best for Rippling-committed US SMBs.
Market context

How the identity & access management (iam) / sso market looks in United States

The US IAM market is the deepest and most competitive in the world, home to every major vendor (Okta, Cisco/Duo, CyberArk, Beyond Identity, OneLogin, JumpCloud, Rippling) and the largest installed base for Microsoft Entra ID. The defining buyer split is Microsoft vs. non-Microsoft: any US organization on Microsoft 365 E3 or E5 receives Entra ID P1 or P2 respectively at no additional cost, making a separate Okta purchase a deliberate premium choice rather than a default. In practice, approximately 350,000 US companies run Microsoft 365, and the large majority of those use Entra ID as their primary SSO layer without evaluating Okta at all.

The 2026 federal and regulated-sector dynamic is more consequential than prior years. The Biden-era EO 14028 (May 2021) and CISA Zero Trust Maturity Model (v2, April 2023) now flow through to agency procurement requirements, DOGE cost reviews are accelerating FedRAMP rationalization, and the NIST 800-207 (Zero Trust Architecture) standard has become the default reference for any US federal or defense-adjacent IAM RFP. FedRAMP Authorization status is a hard gate: only Okta Workforce Identity (FedRAMP Moderate), Microsoft Entra ID (FedRAMP High), Duo Security (FedRAMP High), and Auth0 (FedRAMP Moderate) hold authorization as of mid-2026. Ping Identity, JumpCloud, and CyberArk Identity are in process or in pursuit.

SOC 2 Type 2 is table-stakes for any US enterprise IAM sale. Every product in this ranking holds SOC 2 Type 2 or equivalent. The emerging differentiator is FIDO2/WebAuthn passkey support as CISA's phishing-resistant MFA guidance (August 2023) pushes US enterprises away from TOTP and SMS. Beyond Identity, Entra ID, and Okta have the strongest passkey implementations as of 2026. OneLogin (One Identity) and Ping Identity are behind the curve on passkey UX.

Compliance & local rules

NIST 800-63 (Digital Identity Guidelines) defines IAL1/IAL2/AAL1/AAL2/AAL3 assurance levels; federal buyers must specify which levels their IAM must support. CISA Zero Trust Maturity Model (v2) defines Identity as one of five pillars with four maturity stages; Okta, Entra ID, and Duo publish alignment documentation. FedRAMP Authorization (Moderate or High) is required for federal agency cloud deployments; vendors in pursuit or in process cannot be used for production federal workloads. SOC 2 Type 2 is the commercial enterprise standard and all ranked products hold it. CCPA applies to customer-facing CIAM deployments (Auth0, Ping Identity CIAM) with consent and deletion rights for California consumers. PCI DSS v4 requires MFA for all administrative and cardholder-data access.

At a glance

Quick comparison, ranked for United States

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
2 Microsoft Entra ID
Any Microsoft-anchored organization
 $0 + $0/emp $0 4.5 Global; strongest in US, EU, AU; worldwide
1 Okta Workforce Identity
Non-Microsoft enterprises
 $2 $2 4.5 Global; strongest in US, EU, UK
3 JumpCloud
SMBs without dedicated IT
 $0 + $0/emp $0 4.5 Global; strongest in US, UK, AU
7 Duo Security (Cisco)
MFA-first deployments and Cisco-anchored
 $0 + $0/emp $0 4.5 Global; strongest in US, EU, UK
4 Auth0 (Okta)
Engineering teams building customer apps
 $0 + $0/emp $0 4.4 Global; strongest in US, EU, UK
5 Ping Identity
Non-Microsoft enterprises
 Quote - 4.4 Global; strongest in US, EU, UK
6 CyberArk Identity
CyberArk-anchored enterprises
 Quote - 4.4 Global; strongest in US, EU, Israel
9 Beyond Identity
Security-forward organizations
 Quote - 4.5 Global; strongest in US, UK
8 OneLogin (One Identity)
Mid-market non-Microsoft
 $4 $4 4.4 Global; strongest in US, EU, UK
10 Rippling SSO
Rippling-anchored SMBs
 Quote - 4.6 Primarily US; growing international

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in United States actually pay

Median annual deal size by employee band, in USD. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (USD) Sample Notes
Okta Workforce Identity 100-500 employees $18,000 187 SSO + Adaptive MFA bundle; USD
Okta Workforce Identity 500-2,500 employees $84,000 156 SSO + MFA + Lifecycle Management
Microsoft Entra ID 100-500 employees (M365 E3) $0 187 Bundled; P1 included
Microsoft Entra ID 500-2,500 employees (P2 upgrade) $36,000 124 Entra ID P2 add-on over M365 E3
JumpCloud 25-100 employees $13,200 142 Platform plan, USD
Duo Security (Cisco) 250-1,000 employees $28,000 89 Duo Advantage MFA, USD
Ping Identity 5,000+ employees $210,000 34 PingOne Workforce enterprise
Local challengers

United States-built or United States-strong vendors worth knowing

Not yet ranked in our global top 10, but credible options for United States buyers and worth a shortlist.

Securly

Visit ↗

US K-12 identity + web filtering. Dominant in US school districts. Not IAM for commercial enterprises but significant US education install base.

Strata Identity

Visit ↗

Irvine, CA-based identity orchestration layer for enterprises migrating between Okta, Ping, and Entra. Strong for large US enterprises with multi-vendor IAM debt.

Transmit Security

Visit ↗

Boston-based CIAM platform with passkey-first architecture. Growing in US financial services (JPMC, US Bank deployments reported). Auth0 alternative for regulated CIAM.

The United States ranking

All 10, ranked for United States

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the United States market.

#2

Microsoft Entra ID

De facto default for any organization on Microsoft 365.

Founded 2014 · Redmond, WA · public · 1–500,000+ employees
G2 4.5 (7,280)
Capterra 4.6
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Microsoft Entra ID

Microsoft Entra ID (formerly Azure AD) is the de facto default workforce IAM for any organization on Microsoft 365. Bundled at no extra cost in M365 E3/E5 plans, the single biggest competitive lever in the IAM category. Best fit for any Microsoft-anchored organization. Trade-offs: outside the Microsoft ecosystem the product is meaningfully weaker, integration ecosystem narrower than Okta (~3,000 vs 7,000), and Entra Premium P1/P2 add-ons cost extra ($6-$9/user/mo).

Best for

Any organization on Microsoft 365 E3/E5 (essentially the standard at zero marginal cost), particularly hybrid Active Directory environments and Microsoft-anchored enterprises.

Worst for

Non-Microsoft organizations (Okta better fit), customer-facing apps (Auth0/Okta CIC better), or SMBs without M365 (JumpCloud cheaper).

Strengths

  • Bundled with Microsoft 365 E3/E5 at no extra cost
  • De facto default for Microsoft-anchored orgs
  • Native integration with all Microsoft products
  • Built for hybrid AD environments
  • Conditional Access policies industry-leading
  • FedRAMP High authorized

Weaknesses

  • Outside Microsoft ecosystem meaningfully weaker
  • Integration ecosystem narrower than Okta (~3,000)
  • Entra Premium P1/P2 add-ons cost extra ($6-$9/user)
  • UX complexity high for non-Microsoft admins
  • Customer support quality varies by region

Pricing tiers

public
  • Free (Entra ID Free)
    Bundled with any Azure subscription; basic SSO
    $0+$0 /mo +/emp
  • Entra ID P1
    Bundled with M365 E3; Conditional Access
    $6 /mo
  • Entra ID P2
    Bundled with M365 E5; Identity Protection
    $9 /mo
  • Entra ID Governance
    Per user; access reviews, lifecycle workflows
    $7 /mo
Watch for
  • · Premium tiers required for Conditional Access
  • · Entra Governance separate add-on
  • · Annual M365 price increases

Key features

  • +SSO (3,000+ pre-built apps)
  • +Conditional Access policies
  • +Native Microsoft 365 integration
  • +Hybrid AD support
  • +Identity Protection (P2)
  • +Privileged Identity Management
  • +B2B and B2C support
  • +Mobile apps
3000+ integrations
Microsoft 365SalesforceWorkday HCMAWSGoogle WorkspaceServiceNow
Geography
Global; strongest in US, EU, AU; worldwide
View full Microsoft Entra ID intelligence profile → Compare Microsoft Entra ID →
#1

Okta Workforce Identity

Workforce IAM market leader with the deepest integration ecosystem.

Founded 2009 · San Francisco, CA · public · 100–100,000+ employees
G2 4.5 (8,420)
Capterra 4.6
From $2 /mo
● Transparent pricing
Visit Okta Workforce Identity

Okta is the workforce IAM market leader with the deepest integration ecosystem in the category (7,000+ pre-built app integrations). Founded 2009, public 2017. Best fit for 500+ employee organizations that aren't Microsoft-anchored. Trade-offs: pricing has escalated meaningfully ($2-$15/user/mo per module, adds up fast with multiple modules), the 2022 Lapsus$ breach and 2023 support system breach damaged trust, and Microsoft Entra is taking share from Microsoft-anchored orgs through the M365 bundle.

Best for

Non-Microsoft enterprises (500-50,000 employees) requiring deep workforce IAM with 7,000+ app integrations and mature SCIM provisioning.

Worst for

Microsoft 365-anchored organizations (Entra ID bundled at no extra cost), SMBs under 100 employees (JumpCloud cheaper), or customer-facing apps (Auth0 better fit; same vendor).

Strengths

  • Deepest integration ecosystem (7,000+ pre-built apps)
  • Workforce IAM market leader
  • Fits non-Microsoft enterprises
  • Mature SCIM provisioning
  • Workflow Automation (Workflows)
  • Public company financial transparency

Weaknesses

  • Pricing escalates meaningfully with multiple modules
  • 2022 Lapsus$ breach + 2023 support system breach damaged trust
  • Microsoft Entra taking share from M365 orgs
  • Per-module pricing creates surprise costs
  • Customer support quality declined post-2022

Pricing tiers

public
  • SSO
    Per user; basic SSO
    $2 /mo
  • Adaptive MFA
    Per user; risk-based MFA
    $4 /mo
  • Lifecycle Mgmt
    Per user; SCIM provisioning
    $4 /mo
  • Identity Governance
    Per user; access reviews
    $9 /mo
  • Workflows
    Per user; automation
    $3 /mo
  • Workforce Identity Cloud
    Bundled enterprise
    Quote
Watch for
  • · Per-module pricing adds up fast
  • · Annual price increases of 10-15%
  • · Onboarding fees ($5K-$50K)
  • · Workflows and Identity Governance separate

Key features

  • +SSO (7,000+ pre-built apps)
  • +Adaptive MFA with risk scoring
  • +Lifecycle management (SCIM)
  • +Identity Governance (access reviews)
  • +Workflows automation
  • +API Access Management
  • +Customer Identity (Auth0)
  • +Mobile apps
7000+ integrations
SalesforceMicrosoft 365Google WorkspaceAWSSlackWorkday HCM
Geography
Global; strongest in US, EU, UK
View full Okta Workforce Identity intelligence profile → Compare Okta Workforce Identity →
#3

JumpCloud

IAM + directory + RMM at $11-$24/user, SMB default.

Founded 2012 · Louisville, CO · private · 10–500 employees
G2 4.5 (2,480)
Capterra 4.7
From $0 + $0 /mo + /employee
● Transparent pricing
Visit JumpCloud

JumpCloud is the SMB IAM + directory + endpoint management leader. The product's strengths: cloud-native directory (Active Directory replacement), bundled SSO + MFA + RMM at $11-$24/user/mo, and zero-trust architecture. Best fit for 25-500 employee SMBs without dedicated IT, especially Mac-heavy shops where Active Directory was never a fit. Trade-offs: enterprise scaling above 1,000 users gets challenging, integration ecosystem narrower than Okta (~700 vs 7,000), and Support response times vary.

Best for

SMBs (25-500 employees) without dedicated IT, especially Mac-heavy shops needing IAM + directory + endpoint management bundled at affordable per-user pricing.

Worst for

Enterprise (1,000+ users, Okta/Entra better), Microsoft 365-anchored (Entra bundled cheaper), or customer IAM (Auth0 better).

Strengths

  • Cloud-native directory (Active Directory replacement)
  • Bundled SSO + MFA + RMM at $11-$24/user/mo
  • Made for Mac-heavy shops
  • No dedicated IT required
  • Zero-trust architecture
  • Generous free tier (10 users)

Weaknesses

  • Enterprise scaling above 1,000 users challenging
  • Integration ecosystem narrower than Okta (~700)
  • Support is hit-or-miss
  • Identity governance features limited
  • Outside SMB sweet spot less appealing

Pricing tiers

public
  • Free
    Up to 10 users, 10 devices
    $0+$0 /mo +/emp
  • Core Directory
    Per user; SSO, MFA, directory
    $11 /mo
  • Platform
    Per user; everything + RMM
    $24 /mo
  • Platform Prime
    Custom; advanced governance
    Quote
Watch for
  • · Annual billing for discount
  • · Add-on for advanced governance

Key features

  • +Cloud-native directory
  • +SSO (700+ pre-built apps)
  • +MFA
  • +Device management (RMM)
  • +Patch management
  • +SCIM provisioning
  • +Mobile apps
  • +Zero-trust architecture
700+ integrations
Microsoft 365Google WorkspaceAWSSalesforceSlackBambooHR
Geography
Global; strongest in US, UK, AU
View full JumpCloud intelligence profile → Compare JumpCloud →
#7

Duo Security (Cisco)

MFA market leader, SSO secondary.

Founded 2010 · Ann Arbor, MI · public · 10–100,000+ employees
G2 4.5 (2,840)
Capterra 4.7
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Duo Security (Cisco)

Duo Security is the MFA market leader, acquired by Cisco in 2018 for $2.4B. The product's strengths: cleanest MFA UX in category, strong device trust capabilities (Duo Healthcheck), and Cisco-network integration. Best fit for organizations where MFA is the primary need and SSO is secondary, or Cisco-anchored networks. Trade-offs: SSO depth thinner than Okta/Entra, integration ecosystem narrower, and post-Cisco product velocity has slowed.

Best for

Organizations where MFA is the primary need and SSO is secondary, or Cisco-network-anchored enterprises wanting native MFA + device trust.

Worst for

Best-of-breed workforce IAM (Okta/Entra better for SSO depth), customer IAM (Auth0 better), or SMBs needing all-in-one (JumpCloud better).

Strengths

  • MFA market leader
  • Cleanest MFA UX in category
  • Device trust capabilities (Duo Healthcheck)
  • Cisco network integration
  • Built for MFA-first deployments

Weaknesses

  • SSO depth thinner than Okta/Entra
  • Integration ecosystem narrower (~500)
  • Post-Cisco product velocity slowed
  • Identity governance limited
  • Support depends on tier

Pricing tiers

public
  • Free
    Up to 10 users; basic MFA
    $0+$0 /mo +/emp
  • Essentials
    Per user; basic MFA + SSO
    $3 /mo
  • Advantage
    Per user; device trust, advanced policies
    $6 /mo
  • Premier
    Per user; full identity platform
    $9 /mo
Watch for
  • · Annual billing for discount
  • · Premium support add-on

Key features

  • +MFA (push, TOTP, hardware tokens)
  • +Device trust (Duo Healthcheck)
  • +SSO (~500 apps)
  • +Adaptive policies
  • +Passwordless authentication
  • +Mobile apps
  • +Cisco network integration
500+ integrations
Microsoft 365SalesforceAWSGoogle WorkspaceCisco AnyConnectSlack
Geography
Global; strongest in US, EU, UK
View full Duo Security (Cisco) intelligence profile → Compare Duo Security (Cisco) →
#4

Auth0 (Okta)

Customer IAM (CIAM) market leader.

Founded 2013 · Bellevue, WA · public · Any (engineering teams) employees
G2 4.4 (1,840)
Capterra 4.4
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Auth0 (Okta)

Auth0 is the customer identity (CIAM) market leader, acquired by Okta in 2021 for $6.5B. Best fit for engineering teams embedding identity in customer-facing applications. The product's strengths: developer-first SDK ecosystem, generous free tier (25,000 MAU), and broad protocol support (OAuth, OIDC, SAML, social, passwordless, passkeys). Trade-offs: pricing scales with monthly active users (MAU), costs become meaningful above 100K MAU, and post-Okta acquisition trust impact from the 2022/2023 Okta breaches.

Best for

Engineering teams embedding identity in customer-facing apps (B2B SaaS, B2C apps, marketplaces) needing rapid integration across multiple protocols.

Worst for

Workforce IAM (Okta WIC or Entra better), small employee counts (overkill), or simple SSO use cases (cheaper alternatives suffice).

Strengths

  • CIAM market leader
  • Developer-first SDK ecosystem (any language)
  • Generous free tier (25,000 MAU)
  • Broad protocol support (OAuth, OIDC, SAML, social, passwordless, passkeys)
  • Strong B2B and B2C use cases
  • Mature documentation

Weaknesses

  • Pricing scales with MAU, meaningful above 100K
  • Post-Okta breach trust impact
  • Outside CIAM use case weaker than Okta WIC
  • Customer support quality declined post-Okta
  • Some enterprise features require Enterprise tier

Pricing tiers

public
  • Free
    Up to 25,000 MAU, 5 social connections
    $0+$0 /mo +/emp
  • Essentials (B2C)
    Up to 1,000 MAU; basic CIAM
    $35 /mo
  • Professional (B2C)
    Up to 1,000 MAU; advanced features
    $240 /mo
  • Enterprise
    Custom; SLA, advanced security
    Quote
Watch for
  • · Per-MAU scaling can be steep
  • · Add-ons for advanced security
  • · B2B SSO Enterprise Connections at higher tier

Key features

  • +SSO (OAuth, OIDC, SAML)
  • +Social login (50+ providers)
  • +Passwordless authentication
  • +Passkey support (FIDO2)
  • +M2M authentication
  • +B2B Organizations
  • +Hooks and Actions for customization
  • +1,000+ SDKs and tutorials
200+ integrations
AWSSalesforceMicrosoft AzureGoogle CloudStripeAuth0 Marketplace
Geography
Global; strongest in US, EU, UK
View full Auth0 (Okta) intelligence profile → Compare Auth0 (Okta) →
#5

Ping Identity

Enterprise IAM alternative for non-Microsoft enterprises.

Founded 2002 · Denver, CO · private · 1,000–500,000+ employees
G2 4.4 (1,180)
Capterra 4.4
Custom quote
○ Sales call required
Visit Ping Identity

Ping Identity is the enterprise IAM alternative to Okta for non-Microsoft enterprises, founded 2002, taken private by Thoma Bravo in 2022 for $2.8B and merged with ForgeRock in 2023. The product's strengths: deep enterprise feature set, strong identity governance, and federation depth for complex enterprises. Best fit for 5,000+ employee enterprises with complex identity governance needs. Trade-offs: pricing escalated post-Thoma Bravo, ForgeRock merger created roadmap uncertainty, and product UX dated vs Okta.

Best for

Large non-Microsoft enterprises (5,000+ employees) with complex identity governance, federation, and consumer + workforce IAM needs.

Worst for

Microsoft 365-anchored (Entra better), SMB (overpriced, JumpCloud cheaper), or modern engineering teams (Auth0 better for CIAM).

Strengths

  • Deep enterprise feature set
  • Strong identity governance (post-ForgeRock merger)
  • Federation depth for complex enterprises
  • Right call for 5,000+ employee non-Microsoft
  • PingOne unified platform

Weaknesses

  • Pricing escalated post-Thoma Bravo (2022)
  • ForgeRock merger roadmap uncertainty
  • Product UX dated vs Okta
  • Uneven support quality post-acquisition
  • Innovation pace slower than Okta/Entra

Pricing tiers

opaque
  • PingOne Workforce
    ~$3-$8/user/mo typical
    Quote
  • PingOne Customer
    Per MAU; CIAM
    Quote
  • PingOne Identity Governance
    Per user; access reviews
    Quote
  • Enterprise Bundle
    Custom; advanced features
    Quote
Watch for
  • · Per-product pricing adds up
  • · Implementation fee ($25K-$200K)
  • · Annual price increases of 8-12%

Key features

  • +SSO (3,000+ pre-built apps)
  • +Adaptive MFA
  • +Identity Governance (post-ForgeRock)
  • +Federation (complex enterprise)
  • +PingOne Customer (CIAM)
  • +API security
  • +Mobile apps
3000+ integrations
SalesforceMicrosoft 365Workday HCMAWSGoogle WorkspaceServiceNow
Geography
Global; strongest in US, EU, UK
View full Ping Identity intelligence profile → Compare Ping Identity →
#6

CyberArk Identity

PAM-anchored identity platform for governance-heavy enterprises.

Founded 1999 · Petach Tikva, Israel · public · 1,000–500,000+ employees
G2 4.4 (980)
Capterra 4.4
Custom quote
○ Sales call required
Visit CyberArk Identity

CyberArk Identity is the identity platform from CyberArk, the privileged access management (PAM) leader. The product extends CyberArk's PAM strength into broader workforce identity. Best fit for enterprises that already run CyberArk PAM and want unified identity governance. Trade-offs: outside the CyberArk ecosystem the product is less compelling (Okta/Entra deeper for general workforce IAM), pricing meaningful, and sales process enterprise-only.

Best for

Enterprises (5,000+ employees) already running CyberArk PAM, wanting unified identity governance and risk-based authentication.

Worst for

Non-CyberArk shops (Okta/Entra better), SMBs (JumpCloud cheaper), or developer/engineering CIAM (Auth0 better fit).

Strengths

  • Native integration with CyberArk PAM
  • Strong identity governance and access reviews
  • Risk-based authentication
  • Enterprise compliance depth
  • Works for CyberArk-anchored enterprises
  • Public company financial transparency

Weaknesses

  • Outside CyberArk ecosystem less compelling
  • Pricing meaningful at scale
  • Sales process enterprise-only
  • Integration ecosystem narrower (~1,500)
  • UX complexity high

Pricing tiers

opaque
  • Identity Cloud
    Per-user; SSO + MFA
    Quote
  • Identity Security
    Per-user; risk-based auth, governance
    Quote
  • Bundled with PAM
    Custom; unified PAM + IAM
    Quote
Watch for
  • · Implementation fee ($25K-$300K)
  • · Per-product pricing
  • · Annual price increases

Key features

  • +SSO + MFA
  • +Identity governance
  • +Risk-based authentication
  • +Native CyberArk PAM integration
  • +Privileged session management
  • +Mobile apps
  • +1,500+ integrations
1500+ integrations
CyberArk PAMSalesforceMicrosoft 365AWSServiceNowWorkday HCM
Geography
Global; strongest in US, EU, Israel
View full CyberArk Identity intelligence profile → Compare CyberArk Identity →
#9

Beyond Identity

Passwordless-first IAM with FIDO2/passkey-native architecture.

Founded 2020 · New York, NY · private · 100–10,000 employees
G2 4.5 (380)
Capterra 4.6
Custom quote
○ Sales call required
Visit Beyond Identity

Beyond Identity is the passwordless-first IAM platform, founded 2020 by Jim Clark (Netscape) and Tom (Pat) Jermoluk (@Home). The product's strengths: passkey/FIDO2-native architecture (no passwords ever), strong device-bound credentials, and modern UX. Best fit for security-forward organizations eliminating passwords entirely. Trade-offs: Lighter market share than Okta/Entra, integration ecosystem narrower (~150), and pricing meaningful at scale.

Best for

Security-forward organizations (200-5,000 employees) eliminating passwords entirely with passkey/FIDO2-native architecture.

Worst for

Microsoft-anchored shops (Entra includes passkey support free), organizations not ready for passwordless (Okta/Entra better), or SMBs (JumpCloud cheaper).

Strengths

  • Passkey/FIDO2-native architecture (no passwords)
  • Device-bound credentials (anti-phishing)
  • Modern UX
  • Right call for security-forward orgs
  • Founder-led with strong VC backing

Weaknesses

  • Narrower customer base than Okta/Entra
  • Integration ecosystem narrower (~150)
  • Pricing meaningful at scale
  • Newer product (2020); some growing pains
  • Less mature governance features

Pricing tiers

opaque
  • Workforce Secure SSO
    ~$8-$15/user/mo typical
    Quote
  • Workforce Secure DevOps
    Adds developer authentication
    Quote
  • Workforce Secure Customers
    Adds customer IAM
    Quote
Watch for
  • · Per-product pricing
  • · Implementation fee ($5K-$25K)

Key features

  • +Passkey/FIDO2-native authentication
  • +Device-bound credentials
  • +Adaptive policies
  • +Risk scoring
  • +Mobile apps
  • +150+ integrations
150+ integrations
Microsoft 365OktaSalesforceAWSGitHub
Geography
Global; strongest in US, UK
View full Beyond Identity intelligence profile → Compare Beyond Identity →
#8

OneLogin (One Identity)

Lower-cost Okta alternative for mid-market.

Founded 2009 · San Francisco, CA · private · 50–10,000 employees
G2 4.4 (1,380)
Capterra 4.3
From $4 /mo
● Transparent pricing
Visit OneLogin (One Identity)

OneLogin is the lower-cost Okta alternative for mid-market organizations. Acquired by One Identity (Quest Software) in 2021. The product's strengths: per-user pricing meaningfully cheaper than Okta, mature SSO and provisioning, and strong fit for mid-market not on Microsoft. Trade-offs: post-One Identity acquisition product velocity has slowed, integration ecosystem narrower than Okta (~5,000 vs 7,000), and customer support quality has declined.

Best for

Mid-market organizations (200-2,000 employees) wanting lower-cost workforce IAM than Okta with sufficient depth for non-Microsoft shops.

Worst for

Microsoft 365-anchored (Entra better), enterprise needing deepest features (Okta/Ping better), or modern engineering teams needing CIAM (Auth0 better).

Strengths

  • Lower-cost Okta alternative
  • Mature SSO and provisioning
  • Made for mid-market non-Microsoft
  • Established 2009; broad customer base
  • OneLogin Vigilance AI for risk detection

Weaknesses

  • Post-One Identity product velocity slowed
  • Integration ecosystem narrower (~5,000 vs 7,000)
  • Customer support quality declined
  • Innovation pace slower than Okta/Entra
  • AI features less mature

Pricing tiers

public
  • Advanced
    Per user; SSO + MFA
    $4 /mo
  • Professional
    Per user; provisioning, advanced MFA
    $8 /mo
  • Bundle
    Custom; full platform
    Quote
Watch for
  • · Per-product pricing
  • · Annual billing for discount
  • · Implementation fee

Key features

  • +SSO (~5,000 pre-built apps)
  • +Adaptive MFA
  • +SCIM provisioning
  • +OneLogin Vigilance AI (risk detection)
  • +Mobile apps
  • +5,000+ integrations
5000+ integrations
SalesforceMicrosoft 365Google WorkspaceAWSSlackWorkday HCM
Geography
Global; strongest in US, EU, UK
View full OneLogin (One Identity) intelligence profile → Compare OneLogin (One Identity) →
#10

Rippling SSO

Bundled with Rippling HRIS, default for Rippling-committed SMBs.

Founded 2016 · San Francisco, CA · private · 10–500 employees
G2 4.6 (580)
Capterra 4.6
Custom quote
○ Sales call required
Visit Rippling SSO

Rippling SSO is bundled with Rippling HRIS (covered separately in our Top 10 HRIS ranking) and Rippling Payroll (in our Top 10 Payroll Software ranking). The product's primary advantage: unified employee + identity lifecycle (employee onboarding in HRIS automatically provisions SSO + apps), making it the default for Rippling-committed SMBs (10-500 employees). Trade-offs: outside the Rippling ecosystem the product is significantly weaker, integration ecosystem narrower than Okta (~600), and standalone use case rare.

Best for

SMBs (10-500 employees) already on Rippling HRIS wanting unified employee + identity lifecycle (HRIS-driven SSO provisioning).

Worst for

Non-Rippling organizations (Okta/Entra better), enterprise (Okta/Entra/Ping better), or customer IAM (Auth0 better fit).

Strengths

  • Unified employee + identity lifecycle with Rippling HRIS
  • Default for Rippling-committed SMBs
  • Native HRIS-driven provisioning
  • Fits 10-500 employee Rippling shops
  • Modern UX

Weaknesses

  • Outside Rippling ecosystem significantly weaker
  • Integration ecosystem narrower (~600)
  • Standalone use case rare
  • Identity governance features limited
  • Less penetration than Okta/Entra

Pricing tiers

opaque
  • Rippling SSO
    $8/user/mo typical (bundled with Rippling)
    Quote
Watch for
  • · Bundled with Rippling HRIS subscription
  • · Per-product pricing within Rippling

Key features

  • +SSO (~600 pre-built apps)
  • +MFA
  • +Native HRIS-driven provisioning
  • +Conditional Access policies
  • +Mobile apps
  • +Tight Rippling HRIS integration
600+ integrations
Rippling HRISSalesforceMicrosoft 365Google WorkspaceAWSSlack
Geography
Primarily US; growing international
View full Rippling SSO intelligence profile → Compare Rippling SSO →

Frequently asked questions

The questions buyers actually ask before they sign.

Do I need FedRAMP-authorized IAM for federal contracts?
Yes, if your organization is a federal agency or processes federal data in cloud environments, FedRAMP Moderate or High authorization is required. For FISMA High systems, only FedRAMP High authorized products (Microsoft Entra ID, Duo Security) qualify. For Moderate, Okta Workforce Identity and Auth0 also qualify. Ping Identity, JumpCloud, and CyberArk Identity are in process as of mid-2026. Always verify current status at marketplace.fedramp.gov before procurement.
How does the CISA Zero Trust Maturity Model affect IAM vendor choice?
CISA ZTMM v2 defines four identity maturity levels. At Traditional (level 1), any MFA-capable product suffices. At Advanced (level 2), risk-based Conditional Access and SCIM lifecycle management are required; Entra ID P1/P2 and Okta meet this. At Optimal (level 3+), phishing-resistant MFA (FIDO2/WebAuthn/passkeys) and continuous identity validation are required; Beyond Identity, Entra ID with FIDO2 policy, and Okta FastPass are the strongest options.
Is Okta still trustworthy after the 2022 and 2023 breaches?
The 2022 Lapsus$ breach and 2023 Okta support system breach (which exposed customer session tokens) were significant trust events. Okta published a post-incident architecture overhaul in February 2024, including new customer tenant isolation, Zero Trust access for Okta infrastructure, and third-party access controls. Enterprises signing new Okta contracts in 2025-2026 should ask for the February 2024 Security Architecture Improvements document and verify the controls in their own SOC 2 review cycle.
Okta vs Microsoft Entra ID, which one?
Microsoft Entra ID if you're on Microsoft 365 E3 or E5, Entra is bundled at no extra cost, which is the single biggest economic lever in IAM. Okta if you're a non-Microsoft enterprise needing the deepest integration ecosystem (7,000+ apps vs Entra ~3,000). For Microsoft-anchored shops, Entra usually wins on TCO; for best-of-breed integration depth, Okta usually wins. Both are credible at enterprise scale.
How does this differ from your SIEM ranking?
Our Top 10 SIEM Software ranking covers log aggregation and security event monitoring (Splunk, Sentinel, etc.). This IAM ranking covers identity provisioning and authentication (who can access what). Both feed each other, IAM events flow into SIEM, SIEM detection rules trigger IAM responses. Most enterprises run both. Microsoft Sentinel + Microsoft Entra ID is a common combo.
How much should I budget for IAM?
SMB on M365 E3+ (1-100 employees): $0 incremental (Entra bundled). SMB without M365: $11-$24/user/mo (JumpCloud Core to Platform). Mid-market (100-1,000 employees): $4-$15/user/mo (Okta SSO+MFA, OneLogin Pro). Enterprise (1,000+ employees): $15-$30/user/mo (Okta full platform, Ping bundles, CyberArk). Customer IAM (Auth0): per-MAU scaling.
How long does IAM implementation take?
JumpCloud, Duo: 1-2 weeks. Okta SSO basic: 4-8 weeks. Okta full platform: 12-16 weeks. Microsoft Entra ID: 6-12 weeks (often coupled with M365 deployment). Ping Identity, CyberArk: 12-32 weeks (enterprise). Auth0: 1-4 weeks (engineering team). Plan change management, user MFA enrollment is the biggest bottleneck.
What about passwordless and passkeys in 2026?
Passkeys (FIDO2) are now table-stakes in IAM 2026: (1) Microsoft Entra ID, full passkey support free with M365. (2) Okta, passkey support, free in Workforce Identity. (3) Beyond Identity, passwordless-first architecture. (4) Auth0, passkey support. Vendors that gate passkeys behind premium tiers (some legacy IAM) are losing share. If your IAM doesn't support passkeys, plan a migration.
Should I pick best-of-breed or bundled IAM?
Best-of-breed (Okta separate, Auth0 separate, Duo separate): better when you're heavy in non-Microsoft apps and want depth in each module. Bundled (Microsoft Entra, Rippling SSO, JumpCloud Platform): better when you want unified billing and lifecycle. Most mid-market lands on bundled (Entra for M365 shops, Rippling for Rippling-anchored, JumpCloud for SMB without M365).
How do IAM breaches affect vendor selection?
The Okta 2022 Lapsus$ breach and 2023 support breach reset trust expectations across the category. After-action: (1) Verify the vendor's breach disclosure history. (2) Require breach notification SLAs in the contract. (3) Run quarterly access reviews regardless of vendor. (4) Don't rely on the IAM vendor as your only line of defense, combine with EDR, SIEM, and conditional access policies.
How does this overlap with HRIS for employee provisioning?
Modern HRIS (Workday, BambooHR, Rippling) drives IAM provisioning via SCIM. When an employee is hired in HRIS, the IAM auto-creates the SSO account. When terminated, IAM auto-deprovisions. Rippling SSO is bundled with Rippling HRIS (we use distinct product IDs `rippling-sso` and `rippling-hris`). Workday Recruiting (in Top 10 ATS) and Workday HCM (in Top 10 HRIS) drive provisioning to Okta/Entra.

Final word

Looking at a different market? See the global Identity & Access Management (IAM) / SSO ranking, or pick another country at the top of this page.

Last updated 2026-05-17. Local pricing reverified quarterly. Found something inaccurate? Tell us.