Identity & Access Management: 19 Tools compared

Managing who can access what across cloud apps, internal tools, and infrastructure. Whether you need enterprise SSO with thousands of integrations, developer-friendly CIAM for your SaaS app, or open-source IAM you can self-host, you'll…

19 tools|Updated April 2026

Quick comparison

All identity & access management tools side by side, alphabetical.

ToolDeploymentPricing modelOpen sourceStandards / certs
1Password (Business)CloudPer-userSOC 2 Type IIISO 27001
Auth0CloudPer monthly active user (MAU)SOC 2 Type 2ISO 27001HIPAA
authentikSelf-hostedOpen Source + EnterpriseYes
Bitwarden (Business)Cloud + Self-hostedPer-userYesISO 27001SOC 2 Type IISOC 3
Cloudflare AccessCloudPer-user (free tier + paid tiers)SOC 2 Type 2ISO 27001FedRAMP Moderate
Dashlane (Business)CloudPer-user
DelineaCloud + Self-hostedPer-user or per-server licensing
Duo SecurityCloudPer-user monthly subscription with free tierFedRAMPSOC 2 Type IIISO 27001
ForgeRockCloud + Self-hostedPer-user subscription or custom enterprise licensing
JumpCloudCloudPer-user (billed annually)SOC 2 Type 2ISO 27001HIPAA
Keeper (Business)CloudPer-user
KeycloakSelf-hostedOpen Source + Enterprise SubscriptionYes
LastPass (Business)CloudPer-userSOC 2 Type IISOC 3ISO 27001
Microsoft Entra IDCloudPer-user (bundled with Microsoft licenses)SOC 2 Type 2ISO 27001FedRAMP High
Okta Workforce IdentityCloudPer-user tiers (billed annually)SOC 2 Type 2ISO 27001FedRAMP High
One IdentityCloud + Self-hostedPer-user subscription + modules
OneLoginCloudPer-user tiersSOC 2 Type 2ISO 27001HIPAA
Ping IdentityCloud + Self-hostedEnterprise (contact sales)SOC 2 Type 2ISO 27001FedRAMP High
SailPointCloud + Self-hostedPer-identity subscription

1Password (Business)

Developer Platform
Best fit for

Teams wanting combined password management and developer secrets automation

1Password for Business extends the popular password manager into secrets automation for development teams. It provides secure credential sharing, CI/CD secrets injection, SSH key management, and service account tokens for automated workflows.

Pricing

Business from $7.99/user/month

Per-user

Deployment

Cloud

Standards & certifications

SOC 2 Type IIISO 27001

Auth0

Identity & Access Management
Best fit for

SaaS teams that need customer login with a great developer experience

Auth0 is a developer-focused customer identity platform (CIAM) now owned by Okta but sold as a separate product. It provides drop-in login, social sign-in, passwordless authentication, and multi-factor auth for applications, with SDKs for nearly every major framework. Auth0 is especially popular with SaaS startups because of its generous free tier and developer experience: you can go from zero to a working login flow in minutes.

Pricing

Free up to 25,000 MAUs; B2C paid from $35/mo; B2B paid from $150/mo

Per monthly active user (MAU)

Deployment

Cloud

Standards & certifications

SOC 2 Type 2ISO 27001HIPAAGDPR

authentik

Open Source IAM
Best fit for

Teams wanting a modern, developer-friendly open-source identity provider with easy deployment

authentik is an open-source identity provider focused on flexibility and versatility. It supports SAML, OAuth2, OpenID Connect, LDAP, SCIM, and RADIUS protocols. It provides a modern UI for user self-service, admin management, and can act as a full identity provider or authentication proxy.

Pricing

Free (Open Source) / Enterprise from contact

Open Source + Enterprise

Deployment

Self-HostedOpen Source

Bitwarden (Business)

Enterprise Password Management
Best fit for

Security-conscious organizations wanting an affordable, auditable, and self-hostable password manager

Bitwarden is an open-source password management solution trusted by millions of users and thousands of organizations worldwide. The business tier provides enterprise-grade credential management with end-to-end encryption, flexible self-hosting options, and deep integration with identity providers. Its transparent, auditable codebase and affordable per-user pricing make it a compelling alternative to proprietary password managers for security-conscious organizations.

Pricing

Teams from $4/user/month / Enterprise from $6/user/month

Per-user

Deployment

CloudSelf-HostedOpen Source

Standards & certifications

ISO 27001SOC 2 Type IISOC 3HIPAA

Cloudflare Access

Identity & Access Management
Best fit for

Teams replacing a VPN with zero trust access to internal apps

Cloudflare Access is a zero trust network access (ZTNA) product, part of the Cloudflare Zero Trust platform. Instead of handing out VPN credentials, Access puts Cloudflare's global network in front of your internal apps and SSH/RDP hosts, enforcing identity-aware policies on every request. It brokers authentication to your existing identity provider (Okta, Entra ID, Google Workspace, etc.) rather than replacing it, which keeps deployment lightweight.

Pricing

Free up to 50 users; Zero Trust Standard $7/user/mo

Per-user (free tier + paid tiers)

Deployment

Cloud

Standards & certifications

SOC 2 Type 2ISO 27001FedRAMP Moderate

Dashlane (Business)

Enterprise Password Management
Best fit for

Organizations prioritizing user experience, phishing protection, and high employee adoption rates

Dashlane Business is an enterprise password management platform that combines credential management with built-in phishing protection, VPN for Wi-Fi security, and proactive dark web monitoring. Known for its polished user interface and focus on employee adoption, Dashlane provides SSO and SCIM integration, real-time phishing alerts, and a company-wide password health score. Its confidential SSO architecture allows organizations to deploy single sign-on without requiring a separate identity provider for the master password.

Pricing

Business from $8/user/month / Enterprise custom pricing

Per-user

Deployment

Cloud

Delinea

PAM & Identity
Best fit for

Organizations wanting a faster PAM deployment with lower complexity

Delinea, formed from the merger of Thycotic and Centrify, offers a PAM platform centered around its flagship Secret Server product. Delinea focuses on making privileged access management accessible and easy to deploy, with cloud-ready solutions for credential vaulting, privilege elevation, and server access management.

Pricing

Custom pricing; contact the vendor.

Per-user or per-server licensing

Deployment

CloudSelf-Hosted

Duo Security

MFA & Zero Trust Access
Best fit for

Organizations prioritizing easy-to-deploy MFA across VPNs, cloud apps, and legacy systems, especially those in Cisco networking environments

Duo Security, a Cisco company, is a multi-factor authentication and zero trust access platform. Duo is known for its ease of deployment, user-friendly push authentication, and broad integration with VPNs, cloud applications, and legacy systems. It provides device trust verification, adaptive access policies, and single sign-on, serving as a practical entry point for organizations building zero trust security architecture.

Pricing

Free (up to 10 users) / Essentials $3/user/month / Advantage $6/user/month / Premier $9/user/month

Per-user monthly subscription with free tier

Deployment

Cloud

Standards & certifications

FedRAMPSOC 2 Type IIISO 27001

ForgeRock

Enterprise IAM
Best fit for

Large enterprises and service providers needing the most flexible identity orchestration, massive CIAM scale, or complex regulatory compliance requirements

ForgeRock is an enterprise-grade identity management platform designed for the most demanding workforce and customer identity deployments. Now merged with Ping Identity, ForgeRock provides identity orchestration, access management, directory services, and identity governance. Its AI-powered identity platform handles complex authentication journeys with a visual orchestration engine, and its high-performance directory scales to billions of identity records for large CIAM deployments.

Pricing

Custom enterprise pricing based on deployment model and scale

Per-user subscription or custom enterprise licensing

Deployment

CloudSelf-Hosted

JumpCloud

Identity & Access Management
Best fit for

SMBs and mid-market teams wanting IAM plus MDM without buying both

JumpCloud is an open directory platform that consolidates identity, device, and access management into a single tool. It combines SSO, MFA, cloud LDAP, RADIUS, and cross-platform device management (Windows, macOS, Linux) in one dashboard. The platform is especially popular with SMBs and mid-market IT teams who want to replace Active Directory, Okta, and an MDM tool with one product.

Pricing

Free 30-day trial (legacy free tier for up to 10 users/10 devices referenced by third parties); paid packages from $9/user/mo annual (Device Management), SSO from $11/user/mo annual; Platform tier is custom/contact-sales

Per-user (billed annually)

Deployment

Cloud

Standards & certifications

SOC 2 Type 2ISO 27001HIPAAGDPR

Keeper (Business)

Enterprise Password Management
Best fit for

Compliance-focused enterprises needing zero-knowledge security and dark web monitoring

Keeper Security is a zero-knowledge enterprise password management and secrets management platform designed for organizations with strict security and compliance requirements. It offers encrypted vault storage, dark web monitoring through BreachWatch, privileged access management, and robust admin controls. Keeper is SOC 2 and ISO 27001 certified and supports granular role-based policies for managing credentials across large teams.

Pricing

Business Starter from $2/user/month / Business from $3.75/user/month / Enterprise custom pricing

Per-user

Deployment

Cloud

Keycloak

Identity & Access Management
Best fit for

Teams that need full control, auditability, and zero license cost

Keycloak is the open-source identity and access management platform backed by Red Hat. It provides SSO, federation, identity brokering, and social login for modern applications and services. Keycloak is the upstream project for Red Hat Build of Keycloak (the commercially supported version) and is widely deployed in both enterprise and community settings where full control over the identity stack is required.

Pricing

Free (open source) / Red Hat Build of Keycloak via subscription

Open Source + Enterprise Subscription

Deployment

Self-HostedOpen Source

LastPass (Business)

Enterprise Password Management
Best fit for

Organizations with large user bases needing broad SSO app integration and a familiar password management experience

LastPass Business is a widely deployed enterprise password management solution offering centralized credential storage, SSO, and multi-factor authentication for organizations. Despite high-profile security incidents in 2022, LastPass remains one of the most broadly adopted business password managers due to its extensive integration ecosystem, familiar user experience, and mature admin features. The platform provides over 1,200 pre-integrated SSO apps and an admin dashboard for managing policies across distributed teams.

Pricing

Teams from $4/user/month / Business from $7/user/month

Per-user

Deployment

Cloud

Standards & certifications

SOC 2 Type IISOC 3ISO 27001ISO 27701

Microsoft Entra ID

Identity & Access Management
Best fit for

Organizations already committed to Microsoft 365 and Azure

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud identity platform and the backbone of authentication for Microsoft 365, Azure, and Windows. Because it ships with nearly every M365 or Microsoft 365 Business plan, it's the default identity provider for a huge share of the market. Entra ID includes Conditional Access for risk-based policies, Privileged Identity Management, and deep integration with Windows device trust.

Pricing

Free tier with M365; P1 $6/user/mo; P2 $9/user/mo

Per-user (bundled with Microsoft licenses)

Deployment

Cloud

Standards & certifications

SOC 2 Type 2ISO 27001FedRAMP HighHIPAA

Okta Workforce Identity

Identity & Access Management
Best fit for

Enterprises with large SaaS portfolios needing a proven, broadly-integrated IAM backbone

Okta is the category-defining cloud identity platform, providing single sign-on, multi-factor authentication, lifecycle management, and API access management. The Okta Integration Network has more than 7,000 pre-built app integrations, and the platform is trusted by roughly half of the Fortune 100. Okta has invested heavily in phishing-resistant authentication (FIDO2, passkeys) and adaptive access policies driven by device and behavior signals.

Pricing

Workforce Identity from $6 per user/mo (Starter) or $17 per user/mo (Essentials), billed annually, $1,500/yr minimum (vendor list price, 2026).

Per-user tiers (billed annually)

Deployment

Cloud

Standards & certifications

SOC 2 Type 2ISO 27001FedRAMP HighHIPAA

One Identity

PAM & Identity
Best fit for

Organizations needing unified identity governance and privileged access management

One Identity, a Quest Software company, provides a unified identity security platform spanning privileged access management, identity governance and administration, and Active Directory management. Its Safeguard product line delivers PAM capabilities while its Identity Manager provides comprehensive governance and compliance.

Pricing

Custom enterprise pricing

Per-user subscription + modules

Deployment

CloudSelf-Hosted

OneLogin

Identity & Access Management
Best fit for

Mid-market teams wanting full IAM features at a lower per-seat price

OneLogin is a cloud IAM platform focused on the mid-market, now part of One Identity (Quest Software). It offers SSO, MFA, user provisioning, and unified directory services, typically at a lower price point than Okta. OneLogin's SmartFactor Authentication uses machine learning to score risk at every login, and the platform has a solid integration catalog through its App Catalog.

Pricing

No free tier; Workforce Identity from $3/user/mo (Basic), Essentials $6, Business $10; Enterprise contact sales

Per-user tiers

Deployment

Cloud

Standards & certifications

SOC 2 Type 2ISO 27001HIPAAGDPR

Ping Identity

Identity & Access Management
Best fit for

Large, regulated enterprises needing hybrid deployment and deep federation

Ping Identity is an enterprise-grade identity platform focused on large, regulated organizations. It supports workforce, customer, and non-human identities, with strong federation capabilities, hybrid/self-hosted deployment options, and FedRAMP-authorized offerings. After the Thoma Bravo acquisition and merger with ForgeRock, Ping's PingOne platform is one of the most comprehensive enterprise IAM suites available.

Pricing

PingOne for Workforce from $3 per user/mo (Essential) or $6 per user/mo (Plus), 5,000-user minimum; PingOne for Customers from $35,000/yr (Plus from $50,000/yr) (vendor list price, 2026). PingFederate and PingAccess are quote-only.

Enterprise (contact sales)

Deployment

CloudSelf-Hosted

Standards & certifications

SOC 2 Type 2ISO 27001FedRAMP HighHIPAA

SailPoint

Identity Governance
Best fit for

Enterprises needing comprehensive identity governance and access certification

SailPoint is a identity governance and administration (IGA) platform that provides comprehensive capabilities for managing digital identities, governing access, and ensuring compliance. Its AI-driven platform automates access certifications, policy enforcement, and lifecycle management for all user types across cloud and on-premises applications.

Pricing

Custom enterprise pricing

Per-identity subscription

Deployment

CloudSelf-Hosted

Related guides

Other categories you might be evaluating alongside identity & access management.

About this listing

Identity & Access Management tools, listed alphabetically and compared on public information. How we work →

Frequently Asked Questions

Identity and access management (IAM) is the practice of controlling who can access what resources across an organization. An IAM platform provides centralized authentication (login), authorization (permissions), single sign-on (SSO), multi-factor authentication (MFA), and user lifecycle management (onboarding and offboarding). Modern IAM tools also handle directory sync, device trust, and just-in-time access provisioning.

IAM (Identity and Access Management) covers all users and their access to standard applications and resources. PAM (Privileged Access Management) is a specialized subset focused on securing access to sensitive systems like servers, databases, and admin consoles used by IT staff and engineers. Many enterprises use both: IAM for everyday employee access, PAM for privileged sessions with session recording and just-in-time elevation.

SSO alone is not enough. SSO centralizes authentication, which means a single compromised password gives an attacker access to everything. MFA adds a second factor (a phone, hardware key, or biometric) so a stolen password isn't sufficient. Industry best practice is SSO plus MFA for every application, with phishing-resistant factors (WebAuthn, FIDO2 hardware keys) for sensitive systems.

The main open-source IAM platform is Keycloak, originally developed by Red Hat. It supports SSO, MFA, social login, and federation with LDAP and Active Directory. Other options include Authentik (a more modern developer-focused alternative) and ORY (a modular set of identity primitives). Open source means no license cost, but you're responsible for hosting, upgrades, and high availability.

Workforce IAM tools typically range from $2/user/month (basic SSO) to $15/user/month (full suite with MFA, lifecycle management, and advanced features). Okta Workforce starts around $2/user/month for SSO and $6/user/month for the Adaptive SSO bundle. Microsoft Entra ID is included in many Microsoft 365 plans. Self-hosted options like Keycloak have no license cost but require infrastructure. Customer IAM (Auth0) is priced by monthly active users, typically free for small volume.

Most major cloud IAM platforms have SOC 2 Type 2, including Okta, Microsoft Entra ID, Ping Identity, Auth0, JumpCloud, and OneLogin. FedRAMP authorization is rarer. Okta, Microsoft, and Ping have FedRAMP-certified versions of their platforms for government use. Self-hosted platforms like Keycloak can run in your own FedRAMP-compliant environment but do not come with certifications out of the box.