On-premise IAM migration: moving identity management from a US cloud provider to sovereign on-premise infrastructure.

When your identity provider’s renewal pricing skyrockets: switching to an on-premise alternative at a third of the cost

There is a moment many IT teams will recognise. The renewal notice for your cloud identity platform arrives, and the number on it bears no relation to what you signed three years ago. You built your entire authentication layer on this service. Every VPN, every SaaS application, every user login flows through it. The vendor knows this, and each renewal cycle tends to land higher than the last: the deeper the integration, the weaker your negotiating position.

A large European private-sector company operating high-availability digital services found itself in exactly this position with Okta. At renewal time, the pricing had increased drastically. The team did what we believe more organisations should do: instead of treating the increase as a cost of doing business, they treated it as a deadline to evaluate alternatives.

They are now running their entire authentication on OpenOTP, the RCDevs authentication server, deployed fully on-premise. Okta has been switched off. This article describes how that transition went, because the most common objection we hear is not about features or price. It is “we are too deep into our current provider to ever leave”. This case suggests otherwise.

Can a cloud identity provider like Okta be fully replaced on-premise?

The short answer from this project: yes, including federation, MFA and the application integrations that make a real environment complicated.

The company ran on Microsoft Active Directory, with several hundred users authenticating through Okta to a portfolio of around 20 applications. These ranged from modern SaaS to network infrastructure: Office 365, the Ivanti VPN (formerly Pulse Secure), Cisco Umbrella, plus endpoint management, internal collaboration and finance platforms.

This mix matters. Replacing a cloud IdP is rarely blocked by the flagship SaaS applications, which all speak SAML or OpenID Connect and can be repointed to a new identity provider. The friction usually sits in the network layer and the long tail of tools. In this deployment, RCDevs Federation Services took over the SAML and OIDC federations, while the VPN was connected through RADIUS Bridge, the OpenOTP component that adds strong authentication to RADIUS-speaking equipment. The client kept its existing VPN appliances; only the authentication authority behind them changed.

Identity data did not move to anyone’s cloud. User accounts remain in the company’s Active Directory, which stays the source of truth, and OpenOTP handles both authentication factors: at login, it validates the password against the AD itself, then enforces the second factor (push notification, OTP or FIDO2) according to the defined policies. Those policies, along with users and integrations, are managed in WebADM, the central IAM console that runs and pilots all the services of the suite, on infrastructure the client owns.
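The two-step flow described above (password validated against the directory first, then a policy-selected second factor) is easy to get subtly wrong, so here is an added, illustrative Python model of it. It is not OpenOTP, WebADM or RADIUS Bridge code and does not use any RCDevs API; the account store, group-based policies and TOTP enrolment are constructed sample data standing in for Active Directory and the WebADM policies, and the password check is a local PBKDF2 compare only so the example runs offline (against a real AD this step is an LDAP bind). The OTP step implements RFC 6238 TOTP (SHA-1, 6 digits, 30-second step) with a one-step clock-skew window.

```python
"""Two-stage login model: password against the directory, then a
policy-selected second factor. Illustrative code, not vendor code."""
import hashlib
import hmac
import struct
import time

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Stand-in for an LDAP bind against AD: a salted PBKDF2 hash compare.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample accounts (hypothetical; not from any real directory).
DIRECTORY = {
    "alice": {
        "salt": b"salt-alice",
        "pw_hash": _pw_hash("correct horse", b"salt-alice"),
        "groups": {"vpn-users"},
        "otp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    },
    "bob": {
        "salt": b"salt-bob",
        "pw_hash": _pw_hash("hunter2", b"salt-bob"),
        "groups": {"finance"},
        "otp_secret": None,  # in a policy group but never enrolled for OTP
    },
}

# Constructed policies, evaluated in order; first matching group wins.
# A user who matches no policy is denied rather than waved through.
POLICIES = [
    {"group": "vpn-users", "second_factor": "otp"},
    {"group": "finance", "second_factor": "otp"},
]


def check_password(username: str, password: str) -> bool:
    entry = DIRECTORY.get(username)
    if entry is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal whether the account exists.
        _pw_hash(password, b"dummy-salt")
        return False
    return hmac.compare_digest(_pw_hash(password, entry["salt"]), entry["pw_hash"])


def required_second_factor(username: str):
    groups = DIRECTORY.get(username, {}).get("groups", set())
    for policy in POLICIES:
        if policy["group"] in groups:
            return policy["second_factor"]
    return None  # no policy matched: caller must deny


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    # RFC 6238: HOTP over the number of elapsed time steps.
    counter = int(at) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    # Accept the current step plus `window` steps either side for clock skew.
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + skew * STEP), code):
            return True
    return False


def authenticate(username: str, password: str, second_factor: str, at=None):
    """Return (allowed, reason). Password first, then the policy's factor."""
    at = time.time() if at is None else at
    if not check_password(username, password):
        return False, "password rejected"
    factor = required_second_factor(username)
    if factor is None:
        return False, "no policy for user"
    if factor == "otp":
        secret = DIRECTORY[username]["otp_secret"]
        if secret is None:
            return False, "user not enrolled for otp"
        if not verify_totp(secret, second_factor, at):
            return False, "otp rejected"
        return True, "ok"
    return False, f"unsupported factor {factor}"


if __name__ == "__main__":
    print(authenticate("alice", "correct horse", totp(b"12345678901234567890", time.time())))
```

Two design points are worth carrying over to any real deployment: the second factor is only evaluated after the directory has accepted the password, so the OTP secret is never consulted for an unknown or mistyped account, and every "no decision" path (no matching policy, policy demands a factor the user has not enrolled) denies access instead of falling back to password-only.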

How long does migrating away from Okta actually take?

Fear of the migration itself is what keeps most organisations paying renewal increases they resent. So here are the real figures from this project, measured in billed engineering hours worked jointly by RCDevs Support Service and the client’s IT team.

The proof of concept took a little over eight hours. The production migration and deployment took nineteen hours, faster than we had anticipated with the client. Moving Office 365 authentication was handled as a separate final step, and took three additional hours.

These hours covered the full journey from a standing Okta estate to a standing OpenOTP one, with applications moved in stages rather than in a single cutover.

The staged approach also meant no service interruption for users during the migration. The one exception was Office 365: a federation change there has to replicate across Microsoft’s Azure infrastructure before it is effective everywhere, a propagation delay that belongs to Microsoft 365 rather than to the target IdP, and the reason this workload came last.

The joint team ran the project end to end, from the first POC session to the final Office 365 cutover.

Infographic titled "A successful on-premise migration" listing three outcomes: IAM costs cut to a third of the previous renewal quote, identity infrastructure and data kept on the company's own servers, and a fast migration guided end to end.

Three things that change with a sovereign on-premise IAM: cost, control, sovereignty

For this company, the changes map directly to the three reasons European organisations contact us about leaving US cloud identity platforms.

1. Cost: IAM three times less expensive, with no add-on pricing

Comparing the OpenOTP licensing against the renewal pricing Okta had just put forward, the client found our solution three times less expensive. Just as importantly, the pricing is stable and flat: one licence covers the full suite, and capabilities that cloud identity platforms commonly price as separate add-ons, such as adaptive MFA, conditional access policies and directory integration, are included, as is the active-active high-availability cluster. The number on the next renewal is predictable.

2. Control: authentication no longer depends on an external cloud service

The identity platform now runs entirely on-premise. Authentication does not depend on the availability, the roadmap or the commercial decisions of an external cloud service. For an operator of high-availability digital services, removing a third-party dependency from the login path is a resilience gain in itself.

3. Sovereignty: identity data stays in the client’s jurisdiction

Identity is one of the most sensitive datasets an organisation holds: who works there, what they access, when and from where. With a fully on-premise deployment from a European vendor, that data never leaves the client’s jurisdiction and sits outside the reach of extraterritorial frameworks such as the US CLOUD Act. For European companies weighing NIS2 obligations and supplier dependency, this is increasingly a requirement rather than a preference.

Renewal pressure is leverage, not fate

The lesson this client would probably phrase better than we can: a renewal increase is also an audit opportunity. Their authentication today does everything it did before, for a third of the cost, on infrastructure they own, with their directory as the single source of truth. The dependency that made the price increase possible is gone.

If your own renewal is approaching and the numbers no longer make sense, the migration is more contained than it looks. We are happy to demonstrate it on your environment, as we did here, before you commit to anything.

Further reading

Is there a European on-premise alternative to Okta?

OpenOTP, developed by European vendor RCDevs, covers what a cloud IdP does (SAML and OIDC federation, MFA, RADIUS integrations) while running entirely on infrastructure the organisation owns.

How long does it take to migrate from Okta to an on-premise IdP?

In this project, about thirty hours of joint engineering work in total: a proof of concept of just over eight hours, nineteen hours for the production migration, and three more for the Office 365 cutover.

Do existing VPNs and applications need to be replaced along with the IdP?

Nothing was replaced in this deployment. SAML and OIDC applications were repointed to the new identity provider, and the existing VPN appliances kept working with authentication moved to RADIUS Bridge.

What happens to Active Directory when Okta is replaced by OpenOTP?

Nothing moves. Active Directory stays the source of truth: OpenOTP validates the password against the AD at login, then enforces the second factor (push, OTP or FIDO2) according to WebADM policies.

Why does on-premise IAM matter for the US CLOUD Act?

The CLOUD Act can compel US providers to hand over data they host, wherever it sits. Identity data held on-premise by the organisation itself, with a European vendor, is simply not in that scope.

Can Office 365 authentication run through an on-premise identity provider?

It can be federated to an on-premise IdP like other SAML and OIDC applications. In this project, moving Office 365 authentication to OpenOTP was handled as a separate final step and took three hours.