Hidden cost 1: annual and contractual minimums
Several IdPs publish a low per-user rate that does not apply at smaller volumes. Okta carries a $1,500/yr annual minimum across every tier, which means a 10-seat team pays the same as a 20-seat team. Ping Identity has a 5,000-user contractual minimum on its Essential tier, giving an effective floor of $180,000/yr.
Hidden cost 2: SAML SSO behind upgrade walls
Developer CIAM products often gate SAML behind a higher tier than the marketing site implies. Clerk's $25/mo Pro tier does not include SAML. SAML support requires the $100/mo Enhanced Authentication add-on, bringing the floor to $1,500/yr. FusionAuth's Community edition is free to self-host, but SAML on the cloud product requires the Essentials tier ($750/mo).
Hidden cost 3: MAU billing on never-returning users
CIAM products bill on monthly active users (MAU). The definition of "active" varies but typically counts any user who authenticates during the billing window. A user who logs in once and never returns is billed for the full 30-day window. Spam signups, abandoned trials, and one-click integrations can all inflate MAU well above your real engaged-user count.
Hidden cost 4: implementation and partner fees
Enterprise-tier rollouts of Okta, Ping, or IBM Verify typically require a systems integrator engagement. Implementation cost depends on integration count and migration scope; budget tens of thousands of dollars at the small end and six figures at the high end. See the implementation cost page for a breakdown.
Hidden cost 5: SMS MFA delivery
SMS-based MFA is metered separately by most IdPs at carrier delivery rates. Volumes are small per user but spike during outage recovery, password resets, and onboarding waves. Bundled SMS credits in CIAM products are usually exhausted quickly at scale.
Last verified June 2026.