WorkOS Alternatives (2025): SSO, SCIM, and Pricing Compared

content/workos-alternatives/index.md

@@ -0,0 +1,94 @@
+---
+title: "WorkOS Alternatives (2025): SSO, SCIM, and Pricing Compared"
+date: "2025-10-05"
+description: "Discover the best WorkOS alternatives for SSO, SCIM, and audit logs—open-source and managed options, pricing signals, and when SuperTokens fits."
+cover: "workos-alternatives.png"
+category: "programming"
+author: "Mostafa Ibrahim"
+---
+
+WorkOS gets you SSO and SCIM fast, but the pricing model and hosting choice often decide your real cost, control, and support load. If you’re running a multi-tenant SaaS or selling enterprise plans, those trade-offs matter more than the feature matrix. When that’s the case, it’s worth weighing alternatives to WorkOS.
+
+We’ll compare alternatives on three axes: pricing (how costs scale with tenants and usage), hosting (fully managed vs self-host/VPC for residency and extensibility), and admin UX (setup links/portal to reduce integration support). That lens keeps the evaluation practical and testable.
+
+By the end, you’ll have a rubric to verify SSO/SCIM/audit parity, surface hidden costs like audit retention/streaming, and see where [SuperTokens](https://supertokens.com/) fits—especially if you want per-MAU pricing or an OSS/VPC path—with [Ory Polis](https://www.ory.sh/polis) as a bridge when you need SAML/OIDC setup-link parity.
+
+## When to look beyond WorkOS
+
+If any of the points below describe your situation, it’s a strong signal to compare alternatives.
+
+- **Cost model mismatch**: You want lower SSO/SCIM connection costs or a per-MAU/flat model because your tenant count is growing and per-connection fees stack up.
+- **Control and extensibility needs**: You need self-hosting/VPC, tighter data residency, or deeper extensibility than a point solution comfortably supports.
+- **Prefer an all-in CIAM bundle**: You want users/sessions, SSO, SCIM, audit logs, and RBAC in one package—rather than piecemeal add-ons.
+
+**Context**: WorkOS typically bills SSO and Directory Sync per connection ($125/connection/month); Audit Logs are $125/month per SIEM connection for log streaming and $99/month per million events stored for retention; User Management is free up to 1M MAU.
+
+## What to compare (use this checklist)
+
+Use this checklist to compare vendors consistently.
+
+|Category|What to check|Pass threshold|
+|---|---|---|
+|Pricing model|Per-connection vs per-MAU vs flat|Matches your growth (tenants vs MAU)|
+|Hosting|SaaS vs self-host/VPC|Meets residency, latency, and ops requirements|
+|Feature Coverage|SSO, SCIM, Audit, admin setup links|All present and stable|
+|Multi-tenant/RBAC and SDKs|Orgs/roles mapping; SDKs for your stack|Clean mapping + mature SDKs|
+|Migration/lock-in|JWKS, exports, contract terms|Keys and data portable; reasonable contract terms|
+
+Close the checklist by running a short bake-off against these items—cost unit, hosting fit, parity, depth/SDK fit, and portability—then decide.
+
+## Open-source / self-hosted alternatives
+
+![Supertokens](./Supertokens.png)
+
+If you want VPC/self-host control or to avoid per-connection fees, these OSS-first options are worth a close look.
+
+- **SuperTokens (OSS or Cloud)**
+
+    - **What it is**: Dev-first authentication with modern SDKs, session management, and multi-tenant/organization primitives. Run it self-hosted or use the Cloud (per-MAU).
+    - **Why it fits here**: No SSO/SCIM per-connection tax; clean path to VPC/OSS; good migration posture (portable keys/data).
+    - **How to reach SAML/OIDC SSO**: Pair with a SAML/OIDC bridge (see Ory Polis) to deliver enterprise SSO plus setup links for admin self-serve.
+    - **What to verify**: Org/tenant model maps to your app; SDK coverage for your stack; token/session flows meet your threat model.
+
+- **Ory Network / Ory Polis**
+
+    - **What it is**: Composable IAM (Kratos/Hydra/Keto/Oathkeeper) with a managed Network offering; Polis adds a SAML/OIDC bridge and setup-link flows similar to an admin portal. Pricing starts at $70/mo (Production plan).
+    - **Why it fits here**: Lets you add standards-compliant SSO to an existing user system (e.g., SuperTokens) while keeping IdP setup self-service for customer admins.
+    - **What to verify**: Required protocols (SAML/OIDC) and IdP catalog, setup-link UX, hosting mode (Network vs self-host), and how SCIM/user provisioning is handled in your architecture.
+
+**Bottom line**: For OSS/VPC control with modern DX, use SuperTokens for sessions and tenant primitives, and add Ory Polis for SAML/OIDC and setup-link parity. Run a small bake-off to confirm SSO coverage, admin UX, and total cost.
+
+## Feature parity vs. WorkOS (what to verify)
+
+Before price comparisons, confirm that any alternative matches the **capabilities and admin UX** your customers expect.
+
+- **SSO (SAML/OIDC)**
+
+    - **Verify**: Support for both SAML and OIDC, breadth of IdP catalog (Okta, Azure AD, Google, Ping, OneLogin, etc.), setup links/admin portal so customer admins can self-configure.
+    - **Pricing anchor**: WorkOS SSO baseline is $125 per connection/month.
+
+- **Directory Sync (SCIM)**
+
+    - **Verify**: User and group provision/deprovision, group→role mapping in your app, sync status/error visibility, and whether SCIM is per-connection or included.
+    - **Pricing anchor**: WorkOS Directory Sync is $125 per connection/month.
+
+- **Audit Logs**
+
+    - **Verify**: Event coverage (auth, org, admin actions), retention options, export/streaming to SIEM, searchability, and throughput limits.
+    - **Pricing anchor**: WorkOS Audit Logs—$125/month per SIEM connection for log streaming, and $99/month per million events stored for retention.
+
+**Close the loop**: Run a mini bake-off: configure SSO with two IdPs, sync a sample SCIM directory with groups→roles, and ship logs to your SIEM. If an alternative passes these with a clean admin UX, then compare the total cost.
+
+## Pricing signals and gotchas
+
+Use these patterns to predict total cost and avoid surprises.
+
+- **Per-connection vs per-MAU**: WorkOS prices SSO/SCIM per connection; SuperTokens Cloud is per-MAU. If you have many tenant orgs with modest usage, per-connection costs can add up quickly; with few orgs and large user counts, per-connection may be cheaper. Model both to find your break-even.
+- **Add-on gates**: Watch for paid audit log retention/streaming, MFA, or organization features that sit behind higher tiers. For WorkOS, longer audit retention and SIEM streaming add cost; include them in your forecast from day one.
+- **Admin-portal parity**: Missing setup links / tenant self-service shifts work to your team and slows deals. Verify that admins can self-configure SSO/SCIM. (Ory Polis supports setup-link flows.)
+
+**Bottom line**: Choose the pricing unit that matches your growth shape, account for paid add-ons upfront, and demand self-serve admin flows to keep support costs in check.
+
+## Conclusion
+
+WorkOS is great for fast enterprise readiness, but pricing and hosting model push some teams to look elsewhere. If you want no per-connection tax and OSS/VPC control, shortlist SuperTokens (OSS/Cloud) with Ory Polis for SAML. If you want a managed bundle, compare Stytch (included connections), Clerk (no SSO connection fees), Auth0/Frontegg(ecosystem depth), and FusionAuth (self-host path). Run a two-week bake-off focused on SSO/SCIM parity, admin UX, and total cost before you commit.