Choosing an identity platform is a 5-year commitment. Switching costs are high — every application integration, every custom policy, and every user credential is tied to your IdP. Pick wrong and you’ll either overpay for years or hit scaling walls that require a painful re-platforming.
This framework gives you a structured approach to the decision, based on factors that actually matter rather than vendor marketing.
The Decision Matrix
Score each platform 1-5 on these factors, weighted by your organization’s priorities:
| Factor | Weight (adjust) | Keycloak | Auth0 | Okta | Entra ID |
|---|---|---|---|---|---|
| Per-user cost at your scale | High | 5 | 2 | 2 | 3 |
| Time to first integration | Medium | 2 | 5 | 4 | 3 |
| Custom auth flow extensibility | Varies | 5 | 4 | 3 | 4 |
| Pre-built SaaS integrations | Varies | 2 | 4 | 5 | 4 |
| Operational overhead | High | 1 | 5 | 5 | 4 |
| Data sovereignty control | Varies | 5 | 3 | 3 | 3 |
| OIDC/SAML standard compliance | Low | 5 | 4 | 4 | 4 |
| Vendor lock-in risk | Medium | 5 | 2 | 2 | 2 |
| Community/ecosystem | Medium | 4 | 3 | 4 | 5 |
This isn’t a “Keycloak wins” or “Okta wins” table — the weights depend entirely on your context.
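To make the "weights depend on your context" point concrete, here is an added example (not code from the original article) that scores the matrix above under two constructed weight profiles. The factor scores are copied from the table; the numeric weight scale (3 = high, 2 = medium, 1 = low) and the two profiles are assumptions made for the example, and the "Varies" factors are set explicitly in each profile.

```python
"""Weighted scoring for the identity-platform decision matrix.

Added example, not part of the original article. The factor scores are the
article's matrix; the weight scale and the two profiles are constructed here
to show how the same scores produce different winners under different
priorities.
"""
from typing import Dict, List, Tuple

PLATFORMS = ["Keycloak", "Auth0", "Okta", "Entra ID"]

# Scores (1-5) per factor, in PLATFORMS order, copied from the article's matrix.
MATRIX: Dict[str, List[int]] = {
    "per_user_cost":              [5, 2, 2, 3],
    "time_to_first_integration":  [2, 5, 4, 3],
    "custom_flow_extensibility":  [5, 4, 3, 4],
    "prebuilt_saas_integrations": [2, 4, 5, 4],
    "operational_overhead":       [1, 5, 5, 4],
    "data_sovereignty":           [5, 3, 3, 3],
    "standards_compliance":       [5, 4, 4, 4],
    "vendor_lockin_risk":         [5, 2, 2, 2],
    "community_ecosystem":        [4, 3, 4, 5],
}

# Weight scale (assumption): 3 = high, 2 = medium, 1 = low. The article leaves
# "Varies" factors to the reader, so each profile sets them explicitly.
PLATFORM_TEAM = {  # 2+ IAM/DevOps FTE, cost-sensitive, data-residency obligations
    "per_user_cost": 3, "time_to_first_integration": 2, "custom_flow_extensibility": 3,
    "prebuilt_saas_integrations": 1, "operational_overhead": 3, "data_sovereignty": 3,
    "standards_compliance": 1, "vendor_lockin_risk": 2, "community_ecosystem": 2,
}
LEAN_TEAM = {  # no dedicated IAM engineers, wants SaaS integrations quickly
    "per_user_cost": 2, "time_to_first_integration": 3, "custom_flow_extensibility": 1,
    "prebuilt_saas_integrations": 3, "operational_overhead": 3, "data_sovereignty": 1,
    "standards_compliance": 1, "vendor_lockin_risk": 1, "community_ecosystem": 2,
}


def validate(weights: Dict[str, int]) -> None:
    """Reject weight sets that do not cover exactly the matrix's factors."""
    missing, extra = set(MATRIX) - set(weights), set(weights) - set(MATRIX)
    if missing or extra:
        raise ValueError(f"weights mismatch: missing={missing} extra={extra}")
    for factor, row in MATRIX.items():
        if len(row) != len(PLATFORMS) or any(not 1 <= s <= 5 for s in row):
            raise ValueError(f"bad score row for {factor}: {row}")


def score(weights: Dict[str, int]) -> Dict[str, int]:
    """Weighted total per platform: sum(weight[factor] * score[factor])."""
    validate(weights)
    totals = {p: 0 for p in PLATFORMS}
    for factor, row in MATRIX.items():
        for platform, s in zip(PLATFORMS, row):
            totals[platform] += weights[factor] * s
    return totals


def rank(weights: Dict[str, int]) -> List[Tuple[str, int]]:
    """Platforms by descending total; ties keep matrix column order,
    so look at margin() before trusting a close result."""
    return sorted(score(weights).items(), key=lambda kv: kv[1], reverse=True)


def margin(weights: Dict[str, int]) -> int:
    """Gap between first and second place; a small gap means the
    decision is really being made by the weights, not the platforms."""
    ranked = rank(weights)
    return ranked[0][1] - ranked[1][1]


def normalized(weights: Dict[str, int]) -> Dict[str, float]:
    """Totals as a fraction of the best possible score (all factors at 5)."""
    max_total = 5 * sum(weights.values())
    return {p: round(t / max_total, 3) for p, t in score(weights).items()}


if __name__ == "__main__":
    for name, w in (("platform team", PLATFORM_TEAM), ("lean team", LEAN_TEAM)):
        print(f"{name}: {rank(w)}  margin={margin(w)}")
```

With these two profiles the winner flips (Keycloak for the platform team, Okta for the lean team) and the lean-team result is decided by a single point, which is exactly the situation where you should go back and argue about the weights rather than the scores.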
Factor Deep Dives
Cost Structure
This is usually the deciding factor, so let’s get specific.
Keycloak: Free software. Costs are infrastructure and operations.
- 3-node HA cluster on Kubernetes: ~$500-800/month cloud compute
- PostgreSQL managed database: ~$200-400/month
- Operations staffing: 0.25-1.0 FTE depending on complexity
- Red Hat SSO support (optional): ~$15K-50K/year
Auth0: Per-MAU (Monthly Active User) pricing.
- Free tier: 7,500 MAU
- Essential: $35/month for 500 MAU, scales to ~$2,300/month at 10K MAU
- Professional: custom pricing, typically $3-5 per MAU at enterprise scale
- Enterprise: negotiable, volume discounts
Okta: Per-user licensing.
- Workforce SSO: ~$2-6/user/month
- Customer Identity (CIAM): ~$0.02-0.05 per MAU (much cheaper at scale)
- MFA add-on: ~$3-6/user/month
- Enterprise: negotiable
Entra ID: Bundled and standalone.
- Free tier: basic SSO included with Microsoft 365
- P1: $6/user/month (conditional access, self-service password reset)
- P2: $9/user/month (identity protection, PIM)
- Often already included in existing Microsoft licensing
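The figures above only become comparable once they are projected over the same horizon and the same user count, which is also what the PoC's "projected 3-year TCO" step asks for. The following is an added example (not from the article) that does that projection. The price ranges are the ones listed in this section; the loaded FTE cost, the user count, the growth rate, the choice of a 0.5 FTE operations share and the assumption that Keycloak's infrastructure cost does not change with user count at this scale are all constructed assumptions. Auth0 is modelled with the per-MAU rate implied by the article's $2,300/month-at-10K-MAU figure; the Professional and Enterprise tiers are custom-priced and not modelled.

```python
"""Three-year TCO projection for the pricing models in this section.

Added example, not from the article. Price ranges are the article's; the
loaded FTE cost, user count and growth rate are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

YEARS = 3
Range = Tuple[int, int]  # (low, high) in USD


def users_by_year(initial: int, annual_growth: float, years: int = YEARS) -> List[float]:
    """Users (or MAU) in each year, compounding annual growth."""
    return [initial * (1 + annual_growth) ** y for y in range(years)]


@dataclass
class PerUser:
    """Per-user (or per-MAU) per-month price, low/high bound. Scales with growth."""
    low: float
    high: float

    def cost(self, users: List[float]) -> Range:
        user_months = sum(users) * 12
        return (round(self.low * user_months), round(self.high * user_months))


@dataclass
class SelfHosted:
    """Infrastructure plus staffing. Assumed independent of user count at this scale."""
    compute: Tuple[float, float]    # USD per month, low/high
    database: Tuple[float, float]   # USD per month, low/high
    ops_fte: float                  # fraction of a full-time engineer
    loaded_fte_cost: float          # USD per FTE per year (assumption)
    support: Tuple[float, float]    # USD per year; (0, x) when optional

    def cost(self, users: List[float]) -> Range:
        years = len(users)
        staff = self.ops_fte * self.loaded_fte_cost * years
        low = (self.compute[0] + self.database[0]) * 12 * years + staff + self.support[0] * years
        high = (self.compute[1] + self.database[1]) * 12 * years + staff + self.support[1] * years
        return (round(low), round(high))


def project_tco(initial_users: int, annual_growth: float, pricing: Dict[str, object]) -> Dict[str, Range]:
    """Low/high three-year cost per platform for one growth scenario."""
    users = users_by_year(initial_users, annual_growth)
    return {name: model.cost(users) for name, model in pricing.items()}


def rank_by_midpoint(results: Dict[str, Range]) -> List[Tuple[str, float]]:
    """Cheapest first, using the midpoint of each range."""
    return sorted(((n, (lo + hi) / 2) for n, (lo, hi) in results.items()), key=lambda x: x[1])


# Workforce scenario built from the article's ranges.
WORKFORCE = {
    # 3-node cluster $500-800/mo, PostgreSQL $200-400/mo, 0.5 FTE (assumption),
    # Red Hat support optional at up to ~$50K/yr.
    "Keycloak (self-hosted)": SelfHosted(compute=(500, 800), database=(200, 400),
                                         ops_fte=0.5, loaded_fte_cost=180_000,
                                         support=(0, 50_000)),
    # Implied rate: $2,300/month at 10K MAU = $0.23 per MAU per month.
    "Auth0 (Essential, implied per-MAU rate)": PerUser(0.23, 0.23),
    # Workforce SSO $2-6 plus MFA add-on $3-6 per user per month.
    "Okta (Workforce SSO + MFA add-on)": PerUser(2 + 3, 6 + 6),
    # P1 $6 to P2 $9 per user per month (ignores bundling in existing licensing).
    "Entra ID (P1 to P2)": PerUser(6, 9),
}

if __name__ == "__main__":
    for growth in (0.0, 0.3):
        results = project_tco(10_000, growth, WORKFORCE)
        print(f"growth={growth:.0%}")
        for name, mid in rank_by_midpoint(results):
            print(f"  {name:42s} {results[name]}  mid={mid:,.0f}")
```

Run it for 0% and 30% annual growth and the shape of the answer is the point: the self-hosted line is flat (it is dominated by the 0.5 FTE, not the VMs), the per-user lines grow with the user base, and the implied Auth0 rate is only valid inside the tier it was quoted for. Replace the constructed assumptions with your own quotes and staffing numbers before using the output.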
Build-vs-Buy Decision Tree
```text
Do you have unique auth requirements not met by any platform?
├── Yes → Still don't build from scratch. Use Keycloak + custom SPIs.
└── No →
    Do you have dedicated IAM/DevOps engineers?
    ├── Yes (2+ FTE) →
    │   Is per-user cost a primary concern?
    │   ├── Yes → Keycloak
    │   └── No → Auth0 or Okta (depending on use case)
    └── No →
        Are you a Microsoft shop?
        ├── Yes → Entra ID (already paying for it)
        └── No →
            B2C or B2B?
            ├── B2C (millions of users) → Auth0 or Cognito
            └── B2B (thousands of users) → Okta or Auth0
```
Extensibility Comparison
When the out-of-the-box flows don’t fit your requirements, how easy is it to customize?
Keycloak: Custom SPIs (Java), custom authenticators, custom protocol mappers. Full source code access. You can modify literally anything, including the authentication engine itself. The trade-off is complexity — SPI development requires understanding Keycloak internals.
Auth0: Actions (JavaScript/TypeScript), custom database connections, pre/post-login hooks. Executes in Auth0’s serverless runtime. Limited to what the hook points expose — you can’t modify the core authentication engine.
Okta: Workflows (visual, low-code), inline hooks (webhooks), custom authenticators via SDK. Good for common customizations, but you hit walls when you need non-standard flows.
Entra ID: Custom policies (IEF/XML for B2C), custom extensions, conditional access policy engine. The IEF XML policy language is powerful but notoriously hard to debug and maintain.
Compliance and Certification
| Certification | Keycloak | Auth0 | Okta | Entra ID |
|---|---|---|---|---|
| SOC 2 Type II | Self-managed | Yes | Yes | Yes |
| ISO 27001 | Self-managed | Yes | Yes | Yes |
| FedRAMP | Self-managed | Moderate | High | High |
| HIPAA BAA | Self-managed | Yes | Yes | Yes |
| FIPS 140-2 | Possible (config) | Yes | Yes | Yes |
| GDPR/Data residency | Full control | Limited regions | Limited regions | EU Data Boundary |
Keycloak scores either 0 or 5 on compliance depending on how you deploy it. Self-hosted means you control everything but also bear the audit burden. SaaS vendors absorb the compliance overhead.
Hidden Costs and Gotchas
Keycloak Hidden Costs
- Upgrade cadence: New major version every 3-4 months, each with potential breaking changes
- Extension maintenance: Custom SPIs need updating with each Keycloak release
- Incident response: When Keycloak goes down at 2 AM, it’s your team’s problem
- Security patching: CVE response is your responsibility and timeline
Auth0 Hidden Costs
- Rate limits: Enterprise plans have per-second rate limits that can throttle during traffic spikes
- Tenant isolation: Multi-environment setups (dev/staging/prod) each count as separate tenants with separate billing
- Migration lock-in: No password hash export makes leaving Auth0 expensive
Okta Hidden Costs
- Add-on pricing: MFA, lifecycle management, API access management are separate SKUs
- Integration complexity: Some “pre-built” integrations require Professional Services engagement
- Rate limits: Aggressive rate limiting on lower-tier plans
Entra ID Hidden Costs
- Conditional access requires P1/P2: The most useful security features are behind premium licensing
- B2C customization pain: Custom policies via IEF are a specialized skill that few developers possess
- Microsoft-centric assumptions: Third-party integrations sometimes feel like second-class citizens
Proof of Concept Approach
Before committing, run a 2-week PoC with your top 2 candidates:
Week 1
- Deploy/configure the platform
- Integrate 2 representative applications (one SAML, one OIDC)
- Set up user sync from your directory
- Configure MFA
Week 2
- Implement one custom authentication flow
- Load test with realistic user counts
- Evaluate admin experience (day-to-day operations)
- Calculate projected 3-year TCO
PoC Scorecard
| Criteria | Platform A Score | Platform B Score |
|---|---|---|
| Integration time for first app | | |
| Custom flow complexity | | |
| Admin console usability | | |
| Login latency (P95) | | |
| Documentation quality | | |
| 3-year projected TCO | | |
| Team confidence level | | |
The “team confidence level” metric is the most important and the most ignored. If your team dreads working with a platform during a 2-week PoC, imagine how they’ll feel after 3 years.
When to Re-evaluate
You’ve chosen a platform — when should you reconsider?
- Costs growing faster than user base: Usually means pricing tiers are misaligned with your growth
- More than 30% custom code: If most of your auth logic is in custom hooks/SPIs rather than the platform’s built-in features, you might be fighting the platform
- Vendor roadmap divergence: The platform is investing in features you don’t need while ignoring your use cases
- M&A: The acquired company uses a different platform (see our M&A identity integration guide)
- Regulatory change: New compliance requirements that the current platform can’t meet
Re-platforming is expensive (6-18 month project for most organizations), so re-evaluate annually but only switch when the cost of staying clearly exceeds the cost of migrating.
