Your enterprise customer demands SSO and SCIM. You search for a solution and find WorkOS, Keycloak, Auth0. Plug-and-play SSO, sounds great. But what does it really cost, and what do you give up?
WorkOS
WorkOS is a SaaS platform that offers SSO and SCIM as an API. You integrate their SDK, they handle the SAML/OIDC connections with your customers. Setup takes a few hours.
What you pay:
- $125 per SSO connection per month. 10 enterprise customers = $1,250/month = $15,000/year. 50 customers = $75,000/year.
- SCIM provisioning is included in the Enterprise plan, which is even more expensive.
What you give up:
- Vendor lock-in. SSO connections run through WorkOS. If you want to migrate, you need to re-onboard every customer.
- Data sovereignty. Identity data flows through their servers (US). For customers in government, healthcare or finance, that's a problem.
- No control. You can't customize protocol behavior. Custom claims, specific SCIM mappings, non-standard flows - you depend on what they support.
Keycloak
Keycloak is an open-source identity platform by Red Hat. It handles SSO, federation, user management and more. It's free and proven at enterprise scale.
The problem for .NET teams:
- Java stack. Keycloak runs on Java (Quarkus). Your .NET team has to deploy, monitor and patch a separate Java application.
- Separate infrastructure. Keycloak is a full application with its own database, configuration and upgrade cycle. That's an extra system to maintain.
- Complexity. Keycloak can do everything, but that flexibility makes configuration complex. The admin console has hundreds of options. The learning curve is steep.
- No native integration. Your .NET SaaS talks to Keycloak via HTTP. Custom logic requires Keycloak SPIs written in Java.
Auth0 / Okta
Auth0 (now part of Okta) is identity-as-a-service. Similar to WorkOS, but broader: login, MFA, user management, SSO.
Where it gets painful:
- Pricing. Auth0 charges per active user. With B2B SaaS and thousands of enterprise users, costs add up quickly. Enterprise SSO features are in the most expensive plans.
- Vendor lock-in. Same story as WorkOS. Identity data lives at Auth0. Migrating is a project in itself.
- Overkill. If you only need SSO and SCIM for your existing .NET application, Auth0 is a broad platform where you don't use 80% of the features.
Building custom in .NET
The fourth option: build SSO and SCIM as part of your own .NET application. No external dependency, no monthly per-connection fees.
What you get:
- No vendor lock-in. The code is yours. You can modify, extend, or switch hosting without migrating anything.
- No per-connection fees. Whether you have 5 or 500 enterprise customers, the cost stays the same.
- Data sovereignty. Identity data stays in your own database, on your own infrastructure. That makes compliance straightforward.
- Full control. Custom claims, specific SCIM mappings, non-standard SAML configurations - you adapt it to what your customers need.
- Native .NET. No Java, no external SDKs. Everything runs in your existing ASP.NET Core application.
What it costs:
- One-time investment of 4-6 weeks of development.
- Knowledge of OAuth2, OpenID Connect, SAML and SCIM is required. This is not a weekend project.
The comparison
| | WorkOS | Keycloak | Auth0 | Custom .NET |
|---|---|---|---|---|
| Cost at 50 customers | ~$75,000/year | Free (+ ops) | Variable (high) | One-time |
| Vendor lock-in | Yes | No | Yes | No |
| Data sovereignty | No (US) | Yes (self-hosted) | No (US/EU) | Yes |
| Tech stack | SaaS API | Java | SaaS API | .NET native |
| Setup time | Hours | Weeks | Hours | 4-6 weeks |
| Customizability | Limited | High (Java) | Limited | Full |
When to choose what?
- WorkOS/Auth0 - when you need SSO quickly, expect few enterprise customers, and the monthly fees are acceptable.
- Keycloak - when your team has Java experience and you want to run a broad identity platform alongside your .NET application.
- Custom in .NET - when you expect more than a handful of enterprise customers, data sovereignty matters, or you don't want an external dependency for a core feature of your product.
How I help
I build SSO (SAML + OIDC) and SCIM provisioning as a native part of your .NET SaaS. In 4-6 weeks it's enterprise-ready, documented, and handed over to your team. No recurring costs, no vendor lock-in.