
The real cost of enterprise SSO: per-connection vs per-MAU pricing - Part 3
Part 3 of 4. Start with The real cost of enterprise SSO: per-connection vs per-MAU pricing.
This is Part 3 of our series on enterprise SSO pricing. Building on the hidden costs covered in Part 2, this part provides a direct pricing comparison of major enterprise SSO providers and walks through concrete cost scenarios from startup to established scale.
Enterprise SSO provider pricing comparison
Enterprise SSO list prices range from a flat $75 to $125 per connection (WorkOS, Clerk) to per-MAU metering that climbs with user count (Auth0, Supabase, Firebase, Cognito) to per-seat IdP contracts negotiating around $44,000 annually (Okta Workforce). Here is each major provider, priced against its June 2026 list, detailing units, caps, SCIM, and transparency for direct comparison. Clerk appears as one option; the deeper recommendation follows later.
How to read this comparison
Units vary, so read the model column first. Per-connection vendors charge a flat fee per enterprise customer; per-MAU vendors charge by total authenticated users; per-seat vendors charge per employee at the customer running the IdP. A "$0.015/MAU" price and a "$125/connection" price are not comparable, and the cheapest base plan is rarely the cheapest once connection caps and SCIM gating apply.
All prices below are June 2026 list prices from each provider's public pricing page. "Contact sales" is a signal: a provider publishing pricing through 100+ connections is more predictable than one requiring a quote for the second customer.
Two rules apply to every entry. First, each price is marked by basis: public list, public to a named tier, third-party estimate, or quote-only. Second, compliance is phrased as "SOC 2 Type II available; report access plan-gated (<plan>)" rather than a bare "SOC 2 Type II," because providers vary by which plan unlocks report access, not whether it exists.
WorkOS
WorkOS is per-connection and flat per company: one customer is one connection at one price, regardless of seat count. SSO runs $125 per connection for the first 15, then $100 (16–30), $80 (31–50), $65 (51–100), $50 (101–200), and custom above 200, with automatic volume discounts and no sales call through 200 (WorkOS pricing, 2026). SCIM (Directory Sync) follows the same ladder, so a connection needing both SSO and provisioning is billed twice at the entry tier ($125 + $125).
WorkOS bundles features around that connection. AuthKit is free to 1,000,000 MAU, then $2,500 per additional million. The Admin Portal, a hosted page for IT admins to self-configure their IdP, is included (WorkOS Admin Portal, 2026); a custom domain costs $99 per month (WorkOS pricing, 2026). Audit logs are $99 per month per 1,000,000 events plus $125 per month per SIEM connection (WorkOS audit logs, 2026). WorkOS holds a SOC 2 Type II report.
Negotiated reality differs from list. Third-party procurement data puts the average WorkOS contract at $21,292 (Vendr, 2026) and the enterprise average at $86,580 (Spendhound, 2026); treat both as third-party estimates, not list prices.
Auth0 (Okta Customer Identity Cloud)
Auth0, branded Okta Customer Identity Cloud, is per-MAU with connection caps. The free tier covers 25,000 MAU and 1 Enterprise Connection. As of February 12, 2026, Auth0 includes free inbound SCIM across all tiers and free Self-Service SSO on self-service plans (Auth0 B2B plans upgraded, 2026; Auth0 pricing, 2026). Free inbound SCIM is an advantage, as most competitors charge for it. Two caveats apply: it is inbound provisioning only (an IdP pushing users into Auth0), and it requires an Enterprise Connection, of which the Free tier includes one. Weigh this against connection caps below.
Paid B2B tiers are MAU-tiered, meaning the price at 500 MAU is not what you pay as you grow. B2B Essentials starts at $150 per month at 500 MAU (3 Enterprise Connections included) and steps up to $3,800 per month at 20,000 MAU. B2B Professional starts at $800 per month at 500 MAU (5 Enterprise Connections included) and rises to $2,400 per month at 10,000 MAU (Auth0 pricing, 2026). These are B2B numbers, distinct from Auth0's consumer (B2C) offering. Auth0 repriced the consumer side in late 2023, moving B2C Essentials to $35 per month for 500 MAU, up from $23 for 1,000 MAU (Auth0 pricing-change history, 2024), tripling the entry rate from $0.023 to $0.07 per MAU. Current B2B plans bill at the next MAU tier up rather than a per-user overage.
Beyond included connections, Auth0 prices additional connections at $100/month on Essentials and Professional. This figure surfaces in Auth0's interactive pricing calculator rather than static copy, making it auditable-but-unpublished (Auth0 pricing calculator, June 2026). This matches Clerk's add-on price but differs in unit: Auth0's $100 is per additional connection, while Clerk's $100 is a flat monthly add-on. The old framing where a sixth connection forced an Enterprise contract no longer applies; Essentials includes 3 and Professional 5, expandable via self-service add-ons. Auth0's calculator caps self-service connections at 30 total, a ceiling absent from static pricing copy.
Above the self-service ceiling, Auth0 requires a custom Enterprise quote and publishes no Enterprise list price. A commonly cited "~$30,000+ per year" floor is a third-party estimate that propagated from vendor research, not an Auth0 list price (Sastrify Auth0 benchmark, 2023).
Okta
Okta sells two distinct products. Workforce Identity Cloud is a per-seat IdP a company runs for its employees; Customer Identity Cloud is Auth0, the per-MAU CIAM a SaaS embeds for customers. When a B2B SaaS asks "what does Okta cost to add SSO to my product," the answer is Auth0/CIC, covered above. Workforce is what the enterprise customer runs on its side.
Workforce Identity is priced per user per month in suites billed annually: Starter at $6 (SSO, MFA, Universal Directory), Core Essentials at $14, and Essentials at $17, the first suite to include Lifecycle Management for SCIM provisioning and deprovisioning (it is a paid add-on on the lower suites). There is a $1,500 annual contract minimum, and Okta lists 8,000+ integrations (Okta pricing, 2026; Okta integrations, 2026). Higher Pro and Enterprise tiers are quote-only. A standalone "~$2 per user SSO" line is a third-party estimate, not a published item.
Negotiated contracts matter most here. Vendr's marketplace data puts the median Okta deal around $44,600 per year, with individual contracts ranging from roughly $10,800 to $228,900 (Vendr, 2026). The high end tracks large seat counts, not a typical minimum. Okta is also a frequent subject of the "Okta tax," where SaaS vendors gate SSO behind their priciest tier.
Supabase Auth and Firebase Auth
Supabase Auth and Firebase Auth are per-MAU, aimed at developers bundling auth with their backend. Both support SAML and OIDC, but neither offers SCIM provisioning or a self-serve admin UI for IT teams, presenting real cost-of-ownership gaps for B2B SSO.
Supabase Pro is $25 per month, including 100,000 MAU, then $0.00325 per MAU. SAML 2.0 SSO is free for the first 50 SSO MAU, then $0.015 per SSO MAU (Supabase pricing, 2026; Supabase SSO MAU docs, 2026). This $0.015 is a retail metered price, not an infrastructure cost. The hidden compliance cost is the tier jump: SOC 2 Type II and ISO 27001 report access is gated to the Team plan at $599 per month, forcing a $574 monthly step up for Pro customers needing the report.
Firebase, via Google Cloud Identity Platform, prices SAML/OIDC at $0.015 per MAU after 50 free, lacking SCIM and a self-serve admin UI (Firebase pricing, 2026; Google Cloud Identity Platform pricing, 2026). AWS Cognito is similar: $0.015 per SAML/OIDC-federation MAU after 50 free, charged consistently across Lite, Essentials, and Plus tiers, with no SCIM and no self-serve admin UI (AWS Cognito pricing, 2026).
PropelAuth, Frontegg, Descope, Stytch, and Kinde
These five B2B-focused auth providers offer distinct SSO pricing structures.
PropelAuth includes unlimited SSO on its Growth plan at $150 per month with no connection fee; SCIM requires Growth Plus at $500 per month plus $100 per connection (PropelAuth pricing, 2026). Frontegg's free Pay-as-You-Go tier provides 7,500 MAU and 5 enterprise connections with SSO and SCIM bundled, after which the Enterprise tier is quote-only—Frontegg publishes no Enterprise price (Frontegg pricing, 2026). Descope is free to 7,500 MAU and 3 SSO connections, then Pro at $249 per month (5 SSO) and Growth at $799 per month (10 SSO), with SCIM starting at Growth (Descope pricing, 2026).
Stytch, acquired by Twilio, is free to 10,000 MAU and 5 SSO/SCIM connections, then $125 per connection (Stytch pricing, 2026). With no published price change since acquisition, this represents M&A repricing risk rather than a price claim. Kinde includes unlimited SSO on its Plus plan at $75 per month with no connection fee, though SCIM is not generally available (Kinde pricing, 2026).
Self-hosted options (SuperTokens, FusionAuth, Ory, Keycloak) and workforce IdPs (Ping, OneLogin, JumpCloud, miniOrange) are out of scope as hosted B2B-CIAM comparators.
Clerk
Clerk prices a base plan on MRU (Monthly Retained User, a user visiting at least one day after signup) plus per-connection enterprise SSO. The Hobby plan is free to 50,000 MRU; Pro is $25 per month ($20 annual), Business is $300 per month ($250 annual), and Enterprise is custom and annual-only (Clerk pricing, 2026). Paid plans include 1 enterprise connection, then charge per connection by volume: $75 (2–15), $60 (16–100), $30 (101–500), and $15 (500+). SCIM/Directory Sync is included with the connection at no extra charge, with general availability on April 16, 2026, and groups plus custom attributes on May 21, 2026, supporting Okta and Microsoft Entra ID (Clerk Directory Sync GA, 2026; Clerk Directory Sync groups and attributes GA, 2026).
A separate Enhanced add-on costs $100 per month ($85 annual), linking enterprise connections to Organizations for per-tenant SSO scoping. It unlocks unlimited members per Organization (base caps at 20), Verified Domains, and Custom Roles and Rolesets, including 100 MROs (Monthly Retained Organizations) before charging $1 per additional MRO. App-level enterprise connections work without this add-on, but scoping a connection to a specific Organization—the standard multi-tenant B2B pattern—requires it. Clerk's $100 add-on is a flat monthly fee, structurally different from Auth0's $100-per-connection charge.
On compliance, Clerk holds a SOC 2 Type II report, with access plan-gated to Business. HIPAA compliance with a signed BAA requires Enterprise. GDPR and DPAs span all plans, and Clerk is DPF-certified, with CCPA-aligned terms under /legal (Clerk DPA, 2026; Clerk DPF, 2026). One gap: Clerk lacks a white-label customer-facing admin portal like WorkOS's Admin Portal. The current workaround is a custom OrganizationProfile page plus the Backend API, while Clerk builds a first-party option.
Provider pricing comparison table
This table puts every provider on one grid for direct comparison. Read the Model and Pricing basis columns together: a public-list per-connection price is budgetable today, while a quote-only or third-party estimate is not.
Cost scenarios by company stage
Enterprise SSO costs depend heavily on stage: a startup landing its first SAML customer might pay under $400 monthly, while an established platform with 100 connections faces four-to-five-figure bills. The scenarios below calculate costs across three stages using stated assumptions, allowing you to recompute against your own metrics. Every figure is a June 2026 list price linked inline to its primary source, providing illustrative models rather than quotes.
Two ground rules ensure comparability. First, per-connection vendors (Clerk, WorkOS) charge by enterprise IdP connections, so the bill tracks customer count and barely moves as overall users grow. Per-MAU vendors (Auth0, Supabase, Firebase, Cognito) meter active users alongside connection fees, meaning headcount growth inflates the auth bill. Second, Clerk offers two configurations: a B2B SaaS scoping SSO to its own Clerk Organization needs the $100/mo Enhanced add-on, while an app exposing application-level SSO can skip it. Each Clerk row below leads with the standard multi-tenant B2B-with-orgs number, followed by the app-level-only figure.
Startup: the cheapest way to support SAML for a first enterprise customer
For one to three enterprise customers, the cheapest credible SAML solution is a managed provider on a self-serve tier, costing $75 to $375 monthly at three connections. Startups typically remain under free user tiers at this stage, paying only base plans and connection fees without metered user costs.
Here is the math at 3 enterprise connections. Clerk includes the first connection on paid plans, charging $75 each in the 2–15 band, making two paid connections $150. WorkOS charges $125 per connection with AuthKit free to 1M MAU. Auth0 B2B Essentials includes 3 enterprise connections in its base price alongside free inbound SCIM.
The Clerk B2B-with-orgs total of $275 carries $0 organization overage for up to 100 active orgs, covering any 1-to-3-customer startup (Clerk pricing). Auth0's $150 Essentials price applies at its lowest MAU tier (around 500 MAU) and increases as users grow (Auth0 pricing). PropelAuth's Growth plan bundles unlimited SSO at a flat $150 without connection fees (PropelAuth pricing). Kinde's Plus plan does the same at $75, though its SCIM remains upcoming rather than generally available (Kinde pricing).
Flat plans mark the per-connection crossover, computed by solving base + n × price_per_connection = flat_plan for connection count n. Against PropelAuth's $150 flat plan, WorkOS at $125 per connection is cheaper for one connection ($125 < $150) but pricier for two ($250 > $150), placing the crossover at two connections. Past one connection, unlimited-SSO flat plans are cheaper on the SSO line until per-MAU components or higher base plans catch up. Startups weighing SSO cost should price flat plans against expected connection counts, remembering the per-connection model's true advantage is predictability during user growth, not the lowest initial sticker price.
Building the connection in-house is the wrong call at this stage. As covered in Part 2, an in-house SAML build with maintenance and a SOC 2 Type II audit costs high six figures over three years. Spending six figures to avoid a $75-to-$375 monthly subscription before proving the enterprise motion is hard to justify.
Mid-stage: scaling to roughly 10 to 50 enterprise customers
At 10 to 50 enterprise customers and roughly 50,000 users, per-connection pricing reaches the low thousands monthly. Here, per-MAU vendors start charging twice: once for connections, and once for the substantial user base. Volume math becomes relevant, as Clerk and WorkOS discount per-connection rates as counts rise.
The calculation at 50 connections illustrates the spread. Clerk's rate drops from $75 (connections 2–15) to $60 (connections 16–100), billing 14 connections at $75 and 35 at $60. WorkOS drops from $125 (1–15) to $100 (16–100), applying its published ladder across these tiers.
Three details stand out. Clerk's B2B-with-orgs total of roughly $3,275 carries $0 organization overage at 50 active orgs, as the add-on includes 100 (Clerk pricing). The WorkOS $4,975 figure covers SSO connections only; if Directory Sync is needed, WorkOS prices SCIM on the same ladder, roughly doubling the bill (WorkOS pricing). Auth0 presents a structural challenge at this scale: Professional includes 5 enterprise connections, and Auth0's calculator prices additional self-service connections at "$100/month per additional connection" before requiring an Enterprise contract (Auth0 pricing calculator, June 2026). The calculator caps self-service connections at 30, meaning 50 connections pushes you into an Enterprise quote. Auth0's per-connection add-on differs from Clerk's $100 Enhanced add-on, which is a flat monthly fee regardless of connection count.
Layering on the user base highlights further costs. PropelAuth's flat $150 covers unlimited SSO, but MAU overage applies past its included tier, making the mid-stage bill $150 plus the cost of 50,000 users (PropelAuth pricing). Auth0 meters those 50,000 users through MAU tiers alongside connection fees (Auth0 MAU explained). For per-MAU vendors, user growth creates a second escalating line item that per-connection vendors avoid.
Established: 100+ connections and high MAU
At 100 connections, published per-connection vendors reach the low-to-mid four figures monthly, while per-MAU incumbents disappear behind sales quotes. Here, pricing transparency becomes a selection criterion.
The math at 100 connections follows volume bands. Clerk bills 14 connections at $75 and the next 85 at $60 (dropping to $30 for connections 101–500, so counts past 100 pull from the cheaper band). WorkOS continues down its ladder through $80 and $65 tiers toward its $50 (101–200) band.
At this scale, Clerk's B2B-with-orgs total of roughly $6,275 introduces two variable add-ons: organization overage applies if active orgs exceed 100 ($1 each, discounting at volume), and MRU overage applies above 50,000 included retained users, billed in published bands starting at $0.02 (Clerk pricing). WorkOS at roughly $8,225 remains self-serve through 200 connections, going custom at 201+ (WorkOS pricing). Auth0 and Okta at 100 connections require Enterprise-tier, quote-only engagements (Auth0 pricing; Okta pricing).
This transparency contrast is significant. Clerk and WorkOS publish per-connection pricing beyond 100 connections, allowing buyers or AI agents to compute bills from public pages. Auth0 and Okta require sales conversations at this volume, offering no list-price answers outside negotiations. For buyers modeling costs before committing, published 100-plus pricing offers a concrete advantage.
Cost-by-stage comparison table
Across all stages, the per-connection model holds roughly flat as users grow, while the per-MAU model multiplies with headcount. The table below summarizes headline figures (Clerk shown as B2B-with-orgs, the standard multi-tenant SaaS configuration).
Read the rows two ways. Down a column, per-connection vendors scale predictably with connection count, remaining computable from public pricing at every stage. The Auth0 column tells another story: starting cheapest at the startup stage, it hits a structural ceiling by mid-stage and converts to an opaque Enterprise quote, while continually metering MAU. The user growth that per-connection vendors ignore becomes a rising secondary bill for per-MAU vendors.
Provider pricing structures dictate how your costs scale as you grow from your first enterprise customer to your hundredth. In Part 4, we conclude the series with a framework for choosing the right model, compliance factors to watch, and how Clerk approaches enterprise SSO.
Frequently asked questions
In this series
- The real cost of enterprise SSO: per-connection vs per-MAU pricing
- The real cost of enterprise SSO: per-connection vs per-MAU pricing - Part 2
- The real cost of enterprise SSO: per-connection vs per-MAU pricing - Part 3 (you are here)
- The real cost of enterprise SSO: per-connection vs per-MAU pricing - Part 4