You are the person who has to stand in front of a CFO and explain why identity and access management deserves a line item that grows every year. Maybe you run IT for a 400-person company. Maybe you are the lone security lead who just failed a SOC 2 access-review control and now has budget attention you did not ask for.
Either way, the IAM and SSO purchase is not about features. It is about whether you can prove the spend stops a breach the board reads about. Here is the 60-second version. The sticker price (the per-user SSO line) is the smallest number in the deal.
The real money is implementation, the SSO tax your other vendors charge you the moment you turn on SAML, and the headcount it takes to run the thing. Score the platform on lifecycle automation and audit evidence, not login screens, because that is what gets de-provisioning right and that is what the CFO can connect to risk reduction.
Credential abuse is the front door for nearly a quarter of breaches. That single number is your entire business case. When stolen or misused credentials open that many doors, the IAM and SSO platform is not an IT convenience. It is the control that closes the door. Spend the evaluation proving it closes, not admiring the dashboard.
The buying problem before the buying
Most IAM and SSO evaluations fail before a contract is signed because the team scores the wrong thing. They watch a clean SSO login demo, nod, and move on. The login was never the hard part. The hard part is what happens when someone leaves.
Only 34% of organizations revoke a departing employee’s system access on the day they leave, and for half of all organizations it takes three days or longer, according to deprovisioning research cited by industry analysts. Three days is not a paperwork delay.
That is a former employee, or whoever now has their laptop, holding live access to your systems. One in five organizations has already had a breach traced to a former employee.
The usage motion here is workforce identity: every employee, contractor, and service account gets provisioned on day one, gets the right access while they are there, and gets cut off the minute they leave. The deal motion is almost always land-and-expand.
You buy SSO, then the vendor sells you MFA, then lifecycle management, then governance, each a separate per-user line.
Define the failure as a number before you start. If you cannot deprovision a terminated user from every connected app in under an hour, automatically, the platform has not solved your problem. Write that target down. It becomes the pass/fail you score every vendor against, and the CFO understands it instantly.
There is a second failure mode nobody budgets for. Machine identities now outnumber human ones by 82 to 1 in the average enterprise, per CyberArk’s 2025 research.
Service accounts, API keys, bots. If your evaluation only covers humans logging in, you are scoring a tiny fraction of the identities the platform will eventually need to govern.
The weighted scorecard for an IAM and SSO platform
Score every vendor on the same 12 criteria, weighted by what actually causes IAM projects to fail or breaches to land. Lifecycle automation and audit evidence carry the most weight because they are the hardest to retrofit and the easiest to fake in a demo. Make every vendor produce evidence, not slideware. A login demo proves nothing.
Watch a real deprovisioning event fire across three connected apps, or do not believe it.
| Criterion | Weight | What to score, and the evidence to demand |
|---|---|---|
| Lifecycle automation (provision/deprovision) | 14 | Live demo of a termination event cutting access across 3+ apps in under an hour. Time it. |
| SCIM and SAML/OIDC integration depth | 12 | Pre-built connectors for YOUR top 15 apps, not a count of 7,000. Test the 5 that matter. |
| Audit and access-certification evidence | 12 | Generate a real access-review report and an exportable, tamper-evident log during the trial. |
| Adaptive MFA and phishing-resistance (FIDO2/passkeys) | 11 | Confirm FIDO2/WebAuthn and number-matching, not just SMS OTP. Test a risk-based policy. |
| Total 3-year cost incl. SSO tax and add-ons | 10 | Force a 3-year quote covering MFA, lifecycle, governance lines. Map the SSO tax on your apps. |
| Directory and HRIS sync as source of truth | 8 | Bi-directional sync with your HRIS (Workday, BambooHR) driving joiner/mover/leaver events. |
| Admin overhead and run cost | 8 | Ask how many FTE hours per week to run it. Reference-check that number with a live customer. |
| Compliance posture (SOC 2 Type II, ISO 27001, FedRAMP) | 7 | Current SOC 2 Type II under NDA: observation window, CPA firm, noted exceptions. |
| Reliability and uptime history | 6 | Status-page history and post-incident reports. An IDP outage locks everyone out of everything. |
| Migration path from current state | 5 | A written cutover plan from your existing directory with rollback. Ask for a reference that did it. |
| Support quality and SLA at your tier | 4 | Test response time during the trial. Premium support is often a paid add-on, price it. |
| Non-human / machine identity coverage | 3 | Can it discover and govern service accounts and API keys, or only humans? |
The weights are deliberate. Lifecycle automation, integration depth, and audit evidence together carry 38 of the 100 points because those three are where the breach risk and the audit failure actually live. Pricing carries 10, enough to matter, not enough to let a cheap tool that cannot deprovision win.
If a vendor pushes back on any evidence request, that is data. A platform confident in its lifecycle automation will happily fire a live termination event in front of you.
The true multi-year cost of an IAM and SSO platform
The per-user SSO number is bait. Okta lists Single Sign-On at around $2 per user per month, per its published add-on pricing, and that figure is what ends up in the slide your CFO sees first. It bears almost no relationship to what you will spend.
Stack the real lines. Adaptive MFA runs about $6 per user per month, Lifecycle Management about $4, and Identity Governance between $9 and $11, according to AccessOwl’s 2026 Okta breakdown.
A mid-sized team wanting SSO plus MFA plus full lifecycle automation plus governance lands at $18 to $25 per user per month, not $2. The Okta Essentials suite for a 100-person company runs about $20,400 a year on license alone.
Then implementation lands. Professional services for a mid-market IAM deployment run $15,000 to $75,000, and one analysis pegs first-year implementation at roughly 2.5x the annual license cost, per IAM deployment cost research. Deployment is not a weekend.
Okta mid-market rollouts typically take two to four months; broader IAM projects run three to six.
Now the line nobody on the committee sees coming: the SSO tax. The moment you require SAML on your other SaaS tools, those vendors move you to an enterprise tier. The premium ranges from 15% to over 100%, and the public SSO Wall of Shame documents the extremes, GitHub at a 525% jump and Cloudflare at 4,900%.
A company connecting 40 apps can see SSO-driven upgrades push true cost well past the identity license itself.
Two more cost traps. Renewals: buyers routinely face 50% to 200% increases as à la carte add-ons accumulate, though credibly evaluating Microsoft Entra ID as an alternative wins 20% to 30% discounts, per Okta pricing-negotiation analysis . And run cost: every platform needs admin headcount.
That FTE time is real money the license quote never mentions. Put all of it in the three-year model before you bring a number upstairs.
The adoption discount the CFO applies to your IAM ROI
The vendor will hand you an ROI deck. Apply a discount before you repeat any of it. Forrester’s commissioned study claims Okta Identity Governance delivers 211% ROI, and Microsoft’s claims 240% for the Entra Suite with payback under six months.
Those are vendor-funded studies on best-case composite organizations, as Okta’s own summary makes clear. Real-world results lag composites, every time.
Use a number the CFO cannot argue with. The same Forrester work found IAM governance cuts manual access-management effort by up to 60%, per the Okta TEI summary.
That is your conservative anchor: not a percentage ROI, but a measurable cut in the IT hours spent on access tickets, joiner/mover/leaver work, and audit prep. Translate it into the FTE hours your team spends today and the dollars stop being hypothetical.
Then anchor on the downside you are buying out of. A breach with stolen or compromised credentials as the initial vector costs $4.67 million on average and takes about 246 days to identify and contain, per IBM’s 2025 Cost of a Data Breach report. Customer PII shows up in 53% of breaches.
You are not buying logins. You are buying down the probability of a multi-million-dollar event that credential abuse drives more than any other vector.
The shelfware risk is specific to this category. The classic failure is buying the governance tier, never wiring it to the HRIS, and leaving access certifications running manually anyway. The license bills, the value never lands. Score HRIS-driven automation hard, because an IGA module nobody configured is the most expensive shelfware you can sign.
The security and procurement gate
Procurement and your own security team will gate this purchase on evidence, not marketing. For an identity platform, the bar is higher than for ordinary SaaS, because this tool holds the keys to every other tool. Treat the following as pass/fail. A miss on any item is a reason to slow down, not a footnote.
- Current SOC 2 Type II report, provided under NDA, with the observation window, the CPA firm, and any noted exceptions visible.
- ISO 27001 certification, and FedRAMP authorization if you sell to government or operate in regulated sectors.
- SAML 2.0 and OIDC federation plus SCIM 2.0 provisioning, the non-negotiable baseline for 2026 identity procurement.
- Phishing-resistant MFA: FIDO2/WebAuthn and passkeys, not SMS OTP as the only second factor.
- A signed DPA, with data-residency options if you have EU or other regional data-handling obligations.
- Tamper-evident, exportable audit logs with at least 12-month retention to satisfy access-review controls.
- Documented incident response and breach-notification commitments, plus a public status page with post-incident reports.
- Encryption in transit and at rest, with customer-managed key options for higher-sensitivity tiers if needed.
- Role-based and attribute-based access control granular enough to enforce least privilege, not just on/off access.
- Sub-processor list and a vendor security questionnaire (SIG or CAIQ) completed without stalling.
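What “tamper-evident” should mean when you actually export the log, as an added example that is not from the article or any vendor: a Python check over a hash-chained JSON-lines export, where each record carries the SHA-256 of the previous record and of its own contents, so an edited, deleted, or reordered event breaks the chain at a named line. The record format is assumed for illustration (vendors differ; ask for theirs and whether it is chained or signed), and the joiner/mover/leaver events are constructed.

```python
"""Verify a hash-chained audit-log export (added example; the record format is an
assumed illustration, not any vendor's actual export format)."""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first record in a chain


def record_hash(rec: dict) -> str:
    """SHA-256 over the canonical JSON of every field except `hash` itself."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_event(chain: List[dict], event: dict) -> dict:
    """Append an event, linking it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = dict(event, seq=len(chain), prev_hash=prev)
    rec["hash"] = record_hash(rec)
    chain.append(rec)
    return rec


def verify_export(lines: List[str]) -> Optional[str]:
    """Return None if the JSON-lines export is intact, otherwise a message naming
    the first line where the chain breaks (edit, deletion, or reordering)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        if rec.get("seq") != i:
            return f"line {i}: sequence break (expected seq {i}, got {rec.get('seq')})"
        if rec.get("prev_hash") != prev:
            return f"line {i}: prev_hash does not match the preceding record"
        if record_hash(rec) != rec.get("hash"):
            return f"line {i}: contents do not match the record hash"
        prev = rec["hash"]
    return None


def sample_export() -> List[str]:
    """Constructed joiner/mover/leaver events for one user (not real data)."""
    chain: List[dict] = []
    events = [
        {"ts": "2026-01-05T09:00:00Z", "actor": "hris-sync", "action": "user.create",
         "target": "alice@example.test", "apps": ["crm", "wiki"]},
        {"ts": "2026-03-10T14:12:00Z", "actor": "hris-sync", "action": "group.assign",
         "target": "alice@example.test", "group": "finance-admins"},
        {"ts": "2026-06-30T17:01:00Z", "actor": "hris-sync", "action": "user.deactivate",
         "target": "alice@example.test", "apps": ["crm", "wiki"]},
        {"ts": "2026-07-01T08:00:00Z", "actor": "jsmith", "action": "access_review.sign",
         "target": "finance-admins", "result": "approved"},
    ]
    for ev in events:
        append_event(chain, ev)
    return [json.dumps(r, sort_keys=True) for r in chain]


def run_checks() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Verify the intact export, then a copy with one record edited, then a copy
    with the deprovisioning record deleted. Returns the three verdicts."""
    intact = sample_export()

    edited = list(intact)
    rec = json.loads(edited[2])
    rec["actor"] = "alice@example.test"  # rewrite who fired the deactivation
    edited[2] = json.dumps(rec, sort_keys=True)

    dropped = intact[:2] + intact[3:]  # erase the deprovisioning event entirely

    return verify_export(intact), verify_export(edited), verify_export(dropped)


if __name__ == "__main__":
    for label, verdict in zip(("intact", "edited", "dropped"), run_checks()):
        print(f"{label}: {verdict or 'chain intact'}")
```

During the trial, export a day of real events, run a check like this, then ask the vendor to demonstrate what happens when an admin edits or deletes an event: if the export still verifies afterwards, the log is exportable but not tamper-evident.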
If a vendor cannot hand you a current SOC 2 Type II under NDA within a couple of days, that is the answer. For the platform that becomes the front door to everything you own, opacity here is disqualifying.
The buying committee, mapped
Nobody signs an IAM and SSO deal alone. Map the committee early, learn what each person actually fears, and bring the one piece of evidence that closes their specific concern. Walk in with the CISO’s risk narrative and the CFO’s three-year number and the deal moves. Walk in with a feature list and it stalls in legal for a quarter.
| Role | Their concern | Evidence to bring |
|---|---|---|
| CFO / Finance | Multi-year total cost and renewal exposure | 3-year all-in model with add-ons, SSO tax, services, and FTE run cost |
| CISO / Security lead | Breach risk, phishing resistance, audit defensibility | DBIR/IBM credential-breach stats tied to this tool’s MFA and logging |
| IT / Identity Admin | Run overhead, integration depth, deprovisioning that works | Timed live termination event across your real top apps |
| Compliance / GRC | SOC 2, ISO, access-review evidence for the next audit | Current SOC 2 Type II under NDA plus a generated access-review report |
| HR / People Ops | HRIS as source of truth for joiner/mover/leaver | Bi-directional sync demo with your actual HRIS driving lifecycle events |
| Procurement / Legal | DPA, sub-processors, contract and SLA terms | Completed security questionnaire, signed DPA, support SLA at your tier |
| App owners / End users | Login friction and day-one access | A real user enrolling a passkey and reaching their apps in the trial |
Running the trial like a test
Do not run a demo. Run a proof of concept against your own environment with a written pass/fail you wrote before the vendor showed up. The whole point of IAM and SSO is the hard edges, and you only see those when you push real workflows through real connectors.
Connect your five most important apps, not the vendor’s pre-wired sandbox. Include the one app you know is a pain, the legacy system or the app with the worst SCIM support. If the platform handles your ugly app, it handles the rest. If it quietly leaves that app to manual provisioning, you just found the gap before you signed.
Run the full joiner/mover/leaver cycle end to end. Provision a test user from the HRIS, change their role and watch access shift, then terminate them and time how long until every connected app cuts them off. Your target was under an hour, automatic. Hold the stopwatch and write down the actual number for each vendor.
Then test the evidence layer. Generate a real access-certification report and export the audit log. Hand both to your compliance lead and ask one question: would this pass our next access-review control? If the answer is no, no demo of a slick login screen makes up for it.
Finally, enroll a phishing-resistant factor (a passkey or FIDO2 key) and confirm a risk-based policy actually steps up authentication when it should.
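The stopwatch for the leaver step, as an added example that is not from the article or any vendor: a Python script that, once the HRIS termination fires, polls each connected app’s SCIM 2.0 Users endpoint (RFC 7644 filter on userName) and records seconds-to-cutoff per app against the one-hour target, treating a hard-deleted user the same as a deactivated one. The app names, URLs, simulated clock and SCIM responses are constructed so it runs offline; in a real trial, swap in an authenticated HTTP client and the wall clock.

```python
"""Time how long each connected app takes to cut off a terminated user (added example).
Assumes each app exposes a SCIM 2.0 Users endpoint (RFC 7644), so cutoff is observable
as the user's `active` attribute flipping to false, or the user disappearing."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TARGET_SECONDS = 60 * 60  # the guide's pass/fail: every app cut off within an hour


@dataclass
class AppResult:
    app: str
    seconds_to_cutoff: Optional[float]  # None: still active when polling stopped
    passed: bool


def scim_user_active(get_json: Callable[[str], dict], base_url: str,
                     user_name: str) -> Optional[bool]:
    """GET /Users?filter=userName eq "<user>" and return the `active` flag.
    Returns None when no resource comes back (a hard delete also counts as cut off)."""
    resp = get_json(f'{base_url}/Users?filter=userName eq "{user_name}"')
    resources = resp.get("Resources") or []
    if not resources:
        return None
    return bool(resources[0].get("active", True))


def time_deprovisioning(apps: Dict[str, str], user_name: str,
                        get_json: Callable[[str], dict],
                        now: Callable[[], float], sleep: Callable[[float], None],
                        poll_interval: float = 30,
                        max_wait: float = 2 * TARGET_SECONDS) -> List[AppResult]:
    """Poll every app from the moment of termination until each reports the user
    inactive or gone, or until max_wait elapses. Seconds are measured with `now`."""
    start = now()
    pending = dict(apps)  # app name -> SCIM base URL still showing the user active
    results: List[AppResult] = []
    while pending and now() - start <= max_wait:
        for app, base_url in list(pending.items()):
            if not scim_user_active(get_json, base_url, user_name):  # False or None
                elapsed = now() - start
                results.append(AppResult(app, elapsed, elapsed <= TARGET_SECONDS))
                del pending[app]
        if pending:
            sleep(poll_interval)
    for app in pending:  # the apps the platform quietly left to manual cleanup
        results.append(AppResult(app, None, False))
    return sorted(results, key=lambda r: r.app)


class FakeTrialEnvironment:
    """Constructed stand-in for three SCIM apps plus a simulated clock, so the example
    runs offline in milliseconds. `behaviour` maps base URL -> (mode, seconds until
    cutoff); seconds=None means the app never deprovisions."""

    def __init__(self, behaviour: Dict[str, tuple]):
        self.behaviour = behaviour
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds  # advance the simulated clock instead of blocking

    def get_json(self, url: str) -> dict:
        m = re.match(r'(.*)/Users\?filter=userName eq "([^"]+)"$', url)
        base_url, user_name = m.group(1), m.group(2)
        mode, cutoff = self.behaviour[base_url]
        if cutoff is None or self.t < cutoff:
            return {"totalResults": 1, "Resources": [{"userName": user_name, "active": True}]}
        if mode == "delete":
            return {"totalResults": 0, "Resources": []}
        return {"totalResults": 1, "Resources": [{"userName": user_name, "active": False}]}


def run_trial() -> Dict[str, AppResult]:
    """Terminate a constructed test user and time three constructed apps."""
    apps = {
        "crm": "https://crm.example.test/scim/v2",
        "wiki": "https://wiki.example.test/scim/v2",
        "legacy": "https://legacy.example.test/scim/v2",
    }
    env = FakeTrialEnvironment({
        apps["crm"]: ("deactivate", 45),       # active=false 45 s after termination
        apps["wiki"]: ("delete", 90 * 60),     # hard-deletes the user, but only after 90 min
        apps["legacy"]: ("deactivate", None),  # the ugly app: never receives the event
    })
    results = time_deprovisioning(apps, "alice@example.test", env.get_json, env.now, env.sleep)
    return {r.app: r for r in results}


def all_within_target(results: Dict[str, AppResult]) -> bool:
    """The platform passes only if every connected app was cut off within the target."""
    return all(r.passed for r in results.values())


if __name__ == "__main__":
    for name, r in run_trial().items():
        when = "still active" if r.seconds_to_cutoff is None else f"cut off after {r.seconds_to_cutoff:.0f} s"
        print(f"{name}: {when} [{'PASS' if r.passed else 'FAIL'}]")
```

The measured number per app, not the vendor’s claimed propagation time, is what goes on the scorecard; an app that polls until max_wait with the user still active is the manual-provisioning gap the trial is meant to surface.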
The one-page summary you bring to the C-suite
Strip the evaluation down to one page before the final meeting. The C-suite does not want the scorecard. They want the decision, the number, and the risk it retires, in language a non-technical executive can repeat to the board.
Lead with the risk. Credential abuse is the leading initial access vector at 22% of breaches, and a credential-driven breach averages $4.67 million. This purchase is the primary control against that. State the chosen platform and the one-line reason it won: best lifecycle automation, cleanest audit evidence, or best fit with your existing directory.
Give the honest number. Not the $2 SSO line. The three-year all-in: license across the tiers you need, year-one implementation at roughly 2.5x license, the SSO-tax impact on connected apps, and the admin FTE cost.
Then the conservative return: up to 60% less manual access-management effort in your team’s real hours, plus the breach probability you are buying down. One page. Risk, choice, cost, return. That gets a signature.
Red flags that should end an evaluation
Some findings are not negotiating points. They are exits. If a vendor cannot fire a live deprovisioning event across your connected apps during the trial, the core promise is unproven and you should walk. Deprovisioning is the whole job. A platform that cannot demonstrate it under your conditions has told you everything you need to know.
The second hard stop is opacity on security evidence. A vendor that stalls, redirects, or “will get back to you” on a current SOC 2 Type II report has disqualified itself. For the tool that becomes the front door to every other system you own, you cannot accept a black box, and an auditor will not let you.
Questions buyers ask before they sign
What does an IAM and SSO platform actually cost beyond the per-user price?
Plan for an all-in per-user figure many times the headline SSO number: adding MFA, lifecycle management, and governance tiers pushes a roughly $2 SSO line to $18 to $25 per user per month. On top of that, year-one implementation runs roughly 2.5x the annual license, and the SSO tax on your connected apps can rival the identity license itself.
Always model three years, not one month.
How long does IAM and SSO implementation take?
Mid-market Okta-style rollouts typically run two to four months, and broader IAM programs three to six, per mid-size deployment research.
The variable is integration complexity: clean cloud apps with good SCIM support go fast, while legacy systems and custom directories stretch the timeline. Budget professional services of $15,000 to $75,000 and do not let a vendor promise a one-week go-live.
Should we use Microsoft Entra ID if we already pay for Microsoft 365?
Often yes, on cost. Entra ID P1 is $6 per user per month and P2 is $9, with much of the value already bundled into M365 licensing, per Microsoft’s published pricing.
For Microsoft-heavy organizations it is usually the cheaper path and integrates natively with Conditional Access and Intune. Even if you prefer Okta, pricing a credible Entra alternative typically wins 20% to 30% off the Okta quote.
What is the SSO tax and how do we budget for it?
The SSO tax is the premium your other SaaS vendors charge to unlock SAML or OIDC, usually by forcing you to an enterprise tier. It ranges from 15% to well over 100% per tool, and the public SSO Wall of Shame tracks the worst offenders.
Audit your current SaaS stack, list which tools gate SSO behind an upgrade, and add those deltas to the three-year model before you sign anything.
How do we measure ROI on IAM in a way the CFO believes?
Skip the vendor’s headline ROI percentage and anchor on the manual-effort cut. The same vendor-commissioned Forrester studies show governance automation reduces manual access-management work by up to 60%, which you convert into your team’s real FTE hours. Pair that with the downside you retire: a credential-driven breach averages $4.67 million.
Effort saved plus risk retired is a number finance can defend.
Does an IAM platform cover service accounts and machine identities?
Most workforce IAM platforms focus on humans, yet machine identities outnumber humans 82 to 1 and many carry privileged access, per CyberArk’s 2025 research.
Confirm during the trial whether the platform can discover and govern service accounts and API keys or only human logins. If non-human identities matter to you, score it explicitly rather than assuming coverage.
What compliance evidence should we demand before buying?
A current SOC 2 Type II report under NDA, ISO 27001 certification, and FedRAMP if you are in regulated or government work. Insist on seeing the observation window, the auditing CPA firm, and any noted exceptions, not just a logo on a trust page.
Confirm the platform produces tamper-evident, exportable audit logs with at least 12-month retention so your next access-review control passes cleanly.
For the tools that actually cleared this bar, see our tested ranking of the best IAM and SSO platforms, and read how we test every platform we publish. If you are early in the security stack build, our research on the SSO tax shows exactly where the hidden costs land across common SaaS tools.