Step 1: define the requirement
Before any vendor conversation, write down: seat count today and projected 24 months out, application integration count (SaaS + on-prem), MFA requirement (passkeys, FIDO2, SMS, push), provisioning requirement (SCIM vs API vs manual), governance requirement (access reviews, certifications, segregation of duties), and deployment model preference (SaaS only, hybrid, on-prem).
Step 2: filter by hard constraints
Some constraints exclude vendors outright, so apply them before any demo. Ping is out below 5,000 seats. Okta is out below 21 seats (its annual minimum). Self-hosting is out if running it exceeds your platform engineering capacity. Microsoft Entra is out if you are on Google Workspace exclusively. Check each filter against the 24-month seat projection from Step 1, not just today's count, so that a vendor you qualify for now does not fall out of band before the contract ends.
Step 3: build a TCO model
Use the calculator on the homepage as a starting point, then add what it leaves out: implementation cost (typically 50 to 150 percent of the first-year licence at enterprise scale), professional services for migration, training and change management, and the ongoing operational headcount needed to run the platform. Model each of the three years separately, because seat growth, contractual seat floors and annual minimums change the licence line year by year. The licence line is usually only 30 to 60 percent of three-year TCO; if your model shows it much higher than that, you have probably left a cost out.
Step 4: validate hidden costs
For each shortlisted vendor, confirm: annual minimums, contractual seat floors, SMS MFA pricing, premium support fees, sandbox tenant fees, and add-on pricing for advanced features (identity threat detection, governance, B2B federation). The hidden costs page covers the common gotchas.
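Steps 2 to 4 can be worked as one small model: apply the seat-band filter, then compute three-year TCO per vendor with the seat floor, annual minimum, add-on, support and sandbox lines included. The script below is an added example written for this page, not the homepage calculator or any vendor's pricing tool. Every vendor name, price, seat minimum, percentage and headcount figure in it is a constructed placeholder; replace them with the numbers from each vendor's written quote.

```python
"""Three-year TCO model for an identity-provider shortlist (added example).

All figures below are constructed placeholders, not real vendor pricing.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Quote:
    vendor: str
    price_per_seat_year: float        # licence list price, per seat per year
    min_seats: int = 0                # hard seat floor: excluded below it, billed at it above
    annual_minimum: float = 0.0       # minimum annual invoice regardless of seat count
    addons_per_seat_year: float = 0.0 # governance, identity threat detection, B2B federation
    premium_support_year: float = 0.0 # Step 4 hidden cost: premium support tier
    sandbox_tenant_year: float = 0.0  # Step 4 hidden cost: non-production tenant
    implementation_pct: float = 1.0   # one-off, as a fraction of first-year licence (page: 0.5 to 1.5)
    migration_services: float = 0.0   # one-off professional services
    training_change_mgmt: float = 0.0 # one-off
    ops_fte: float = 0.0              # ongoing headcount to run the platform
    fte_cost_year: float = 150_000.0  # fully loaded cost per FTE (placeholder)


def seat_band_ok(q: Quote, seats_now: int) -> bool:
    """Step 2 hard constraint: vendor is excluded if today's seats sit under its floor."""
    return seats_now >= q.min_seats


def yearly_licence(q: Quote, seats: int) -> float:
    """Licence plus per-seat add-ons for one year, with seat floor and annual minimum applied."""
    billed_seats = max(seats, q.min_seats)
    base = billed_seats * (q.price_per_seat_year + q.addons_per_seat_year)
    return max(base, q.annual_minimum)


def three_year_tco(q: Quote, seats_by_year: tuple[int, int, int]) -> dict[str, float]:
    """Step 3 model: licence, fixed fees, one-off costs and ops headcount over three years."""
    licence = sum(yearly_licence(q, s) for s in seats_by_year)
    fixed = 3 * (q.premium_support_year + q.sandbox_tenant_year)
    one_off = (q.implementation_pct * yearly_licence(q, seats_by_year[0])
               + q.migration_services + q.training_change_mgmt)
    ops = 3 * q.ops_fte * q.fte_cost_year
    total = licence + fixed + one_off + ops
    return {
        "licence": licence, "fixed_fees": fixed, "one_off": one_off,
        "operations": ops, "total": total,
        "licence_share": licence / total if total else 0.0,  # page says 0.30 to 0.60 is typical
    }


def shortlist(quotes: list[Quote], seats_by_year: tuple[int, int, int]) -> list[tuple[str, float]]:
    """Apply the Step 2 filter, then rank survivors by three-year TCO, cheapest first."""
    ranked = [(q.vendor, three_year_tco(q, seats_by_year)["total"])
              for q in quotes if seat_band_ok(q, seats_by_year[0])]
    return sorted(ranked, key=lambda item: item[1])


# Constructed inputs: 1,200 seats today, growing to 1,800 over the three-year term.
SEATS = (1200, 1500, 1800)
QUOTES = [
    Quote("Vendor A (SaaS)", price_per_seat_year=60.0, min_seats=21, addons_per_seat_year=25.0,
          premium_support_year=15_000.0, sandbox_tenant_year=5_000.0, implementation_pct=0.75,
          migration_services=40_000.0, training_change_mgmt=15_000.0, ops_fte=0.5),
    Quote("Vendor B (enterprise only)", price_per_seat_year=45.0, min_seats=5000,
          implementation_pct=1.5, migration_services=120_000.0, ops_fte=1.0),
    Quote("Self-hosted", price_per_seat_year=0.0, migration_services=60_000.0,
          training_change_mgmt=15_000.0, ops_fte=2.0),
]

if __name__ == "__main__":
    for vendor, total in shortlist(QUOTES, SEATS):
        q = next(x for x in QUOTES if x.vendor == vendor)
        share = three_year_tco(q, SEATS)["licence_share"]
        flag = "" if 0.30 <= share <= 0.60 else "  <- licence share outside 30-60%, re-check inputs"
        print(f"{vendor:28s} 3yr TCO {total:>12,.0f}  licence share {share:5.1%}{flag}")
    excluded = [q.vendor for q in QUOTES if not seat_band_ok(q, SEATS[0])]
    print("Excluded by seat floor:", excluded)
```

The licence-share check at the end is the sanity test from Step 3: a self-hosted option scoring 0 percent is expected, but a SaaS quote far above 60 percent usually means implementation, services or headcount lines are missing from the model rather than that the vendor is cheap to run.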
Step 5: issue an RFP
The RFP template page includes a structured response form covering pricing, features, security, and SLAs. Insist on a written response to every line, including the hidden-cost items from Step 4, so that the answers are contractual rather than verbal. Avoid vendor-led demos as the primary evaluation mechanism; they are designed to highlight strengths and obscure gaps. Drive the evaluation from the requirements you wrote down in Step 1 instead, and test the integration, MFA and provisioning claims yourself in a sandbox tenant.
Last verified June 2026.