Okta vs Auth0 vs Managed Keycloak: IAM Cost Comparison
Identity and Access Management pricing follows two models: per-user (Okta, Auth0) or fixed-price (Keycloak). The difference compounds as your organisation grows.
This page compares the three options so you can choose the right IAM platform for your budget and requirements.
Quick comparison
| Okta | Auth0 | VSHN Managed Keycloak | |
|---|---|---|---|
| Pricing model | Per user/month | Per monthly active user | Fixed monthly price |
| Starting price | $6/user/month | Free to 7,500 MAU | CHF 360/month |
| 1,000 users | ~$6,000/year | ~$840/year | CHF 4,320/year |
| 10,000 users | ~$60,000/year | ~$8,400/year | CHF 4,320/year |
| 50,000 users | ~$300,000/year | Custom (est. $30K+) | CHF 4,320/year |
| Data location | USA (AWS) | USA (AWS) | Your choice (Swiss cloud, Azure, AWS, on-premises) |
| Open source | No | No | Yes (Apache 2.0) |
| Vendor lock-in | High | High | None |
| SSO protocols | SAML, OIDC | SAML, OIDC | SAML, OIDC, LDAP, Kerberos |
| Self-hosted option | No | No | Yes (that's what this is) |
The per-user pricing trap
Okta and Auth0 charge per user. This works at small scale but becomes a growth penalty:
- Okta Workforce Identity starts at $6/user/month (Starter Suite). With SSO, MFA, and lifecycle management, expect $14-17/user/month (Essentials/Professional). Enterprise is custom pricing.
- Auth0 charges per monthly active user (MAU). The free tier covers 7,500 MAU. Beyond that, Essentials starts at $35/month, Professional at $240/month. Enterprise contracts start around $30,000/year.
Managed Keycloak is CHF 360/month. No per-user fees. The management, support, and software stay the same whether you have 100 users or 100,000. You may need more cloud infrastructure as request volume grows — VSHN handles the capacity planning, and cloud resources are billed separately at cost.
Cost at scale: 10,000 employees
| Solution | Annual cost | Includes |
|---|---|---|
| Okta Essentials | ~$170,000 | SSO, MFA, lifecycle, cloud hosting |
| Auth0 Enterprise | ~$30,000+ | Custom pricing, cloud hosting |
| VSHN Managed Keycloak (Best Effort) | CHF 4,320 | SSO, MFA, federation, Swiss hosting, 24/7 monitoring |
| VSHN Managed Keycloak (99.99% SLA) | CHF 18,000 | Everything above + 24/7 on-call, SLA with service credits |
Even at the 99.99% SLA tier, managed Keycloak is a fraction of Okta's cost. The difference funds your entire IAM team.
What you give up with Keycloak
Keycloak is not a drop-in replacement for everything Okta and Auth0 offer:
- No built-in user directory sync — Okta has deep HR system integrations (Workday, BambooHR). Keycloak uses LDAP/AD federation or custom providers.
- No pre-built app catalog — Okta's Integration Network has 7,000+ pre-configured apps. Keycloak requires manual SAML/OIDC configuration per app.
- No managed passwordless at scale — Okta's FastPass and Auth0's passkey support are more mature. Keycloak supports WebAuthn but requires more configuration.
- Self-managed complexity — without VSHN, running Keycloak in production requires Kubernetes expertise, database management, and upgrade planning.
This is where the VSHN + Inventage partnership matters: VSHN handles the infrastructure, Inventage provides Keycloak application expertise — including custom authentication flows, SSO integrations, and theme development. If you wouldn't build the Auth0 Actions customisations yourself either, Inventage builds the equivalent in Keycloak for you. You get the cost advantage of open source with professional support on both the platform and the application layer.
What you gain with Keycloak
- Digital sovereignty — Identity is the most fundamental layer of your IT. It ties every application together. If your identity provider isn't sovereign, none of your applications are. Keycloak is Apache 2.0 — your configuration, themes, and extensions belong to you. No vendor can change the terms, raise prices, or restrict features.
- Your infrastructure, your rules — VSHN operates Keycloak wherever you need it: on Swiss cloud (cloudscale.ch, Exoscale) for data residency, or in your existing Azure or AWS tenant so identity lives next to your applications. Either way, you own the infrastructure and you control who has access. With Okta or Auth0, your credentials live on their AWS account.
- Full feature access — no feature gating behind expensive tiers. SSO, MFA, fine-grained authorization, user federation, custom themes, and SCIM are all included.
- Unlimited users — no per-user fees. The service price is fixed; only cloud infrastructure scales with load (and VSHN handles the capacity planning).
- FINMA-compatible — ISO 27001 certified operations, Swiss data residency, audit-ready documentation.
Managed Keycloak pricing
| Service | Monthly price | What you get |
|---|---|---|
| Managed Keycloak (Best Effort) | CHF 360 | 1 instance, monitoring, backups, upgrades, office-hours support |
| Managed Keycloak (99.99% SLA) | CHF 1,500 | 2 instances (HA), 24/7 on-call, SLA with service credits, dev/test instance included |
| Consulting package (Inventage) | CHF 8,000 | 5 days / 40 hours: architecture, auth flows, integration, customization |
Cloud infrastructure costs (compute, storage) are billed separately by the provider.
When to choose each option
Choose Okta when: - You need 7,000+ pre-built app integrations out of the box - HR system sync (Workday, BambooHR) is critical - You have budget for per-user pricing and don't expect rapid user growth - US data hosting is acceptable
Choose Auth0 when: - You need Auth0's Actions pipeline for highly custom login flows (progressive profiling, bot detection, third-party enrichment at login time) — Keycloak has authentication flows and SPIs but they require Java, not JavaScript - You want a managed B2B multi-tenant setup with per-organisation branding out of the box (Auth0 Organizations) — Keycloak can do this with realms but requires more configuration - Your MAU count is predictable and within Auth0's pricing sweet spot
Choose VSHN Managed Keycloak when: - Your data must stay in Switzerland (FINMA, Swiss data protection, internal policy) - You want predictable costs that don't scale with user count - You need full control over your IAM platform without vendor lock-in - You want open-source technology with professional Swiss operations - You're replacing Okta or Auth0 to reduce costs at scale
Next steps
Ready to evaluate Keycloak for your organisation? Book a free 15-minute call. We'll review your current IAM setup and estimate the migration effort.
Contact Us
Managed Keycloak on Swiss cloud infrastructure. 24/7 operations, up to 99.99% SLA, from CHF 360/month. By VSHN and Inventage.
Back to Managed Keycloak Switzerland