Top 4 Reasons You Over-Spend on SaaS IdP Licenses and How to Cut Costs


Your employees and vendors come and go but their accounts can stay forever, costing you money.

Using the alerts and checks below, we saved our first early-access customer over $60,000 USD/year.

1. Account is only deactivated in your primary IdP


Description: Most companies have more than one IdP, e.g. Okta and Google Workspace. An account might only get deactivated in one of these IdPs.

Identification: When you connect your IdPs to our application, you pick a "source of truth." For example, if you federate Google Workspace login through Okta, Okta is your "source of truth." Given this setup, we will create a "Deprovisioned email not disabled in all IdPs" alert if an account is deactivated in Okta but still active or suspended in Google Workspace.


2. Account is archived but never deleted (Google Workspace)


Description: Companies often do not delete archived accounts once those accounts are past their compliance and regulatory retention periods. On a Google Workspace Business Plus plan, this costs $72/year/account. This can easily add up to thousands or tens of thousands of dollars/year.

Identification:

  1. Pre-built "Old archived Google Workspace account" alerts when an account has been in an archived state for >= 3 years.
  2. Go to the "IdP Accounts" page, filter by status, and sort by last login date.


3. Account is suspended but never archived (Google Workspace)


Description: If, as noted above, you have not deleted old archived accounts, you will eventually reach your archive license capacity. At that point, accounts may go into a suspended state instead of an archived state, which costs the same amount as an active account (e.g. $216/account/yr for a Google Workspace Business Plus plan vs $72 for archived users).

Identification:

  1. Pre-built "Stale account" alerts when a Google Workspace account has not been logged into for > 90 days and is in a suspended state.
  2. Go to the "IdP Accounts" page, filter by status, and sort by last login date.


4. Active account for old projects and services


Description: Some “stale” accounts will have been created for vendors that you no longer use, integrations that have been deprecated, or internal testing.

Identification:

  1. Pre-built "Stale account" alerts when an account has not been logged into for > 90 days and is not archived, deactivated, or disabled.
  2. Go to the "IdP Accounts" page, filter by status, and sort by last login date.

Note: Some accounts show no recent login but may still be active. For example, an account might use a refresh token instead of logging in again. Before deleting such accounts, check the IdP logs to verify whether there has been activity.
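The four checks above can be reproduced against exported account lists. This is an added example, not the product's own code: the record schema (`email`, `status`, `last_login`, `archived_on`), the normalized status names, the finding labels and the sample accounts are all assumptions constructed for illustration, while the thresholds and prices are the ones quoted in this article.

```python
from datetime import date, timedelta

# Yearly per-account prices quoted in the article (Google Workspace Business Plus).
COST_USD = {"active": 216, "suspended": 216, "archived": 72}
STALE_AFTER = timedelta(days=90)        # "> 90 days" without a login
ARCHIVE_MAX = timedelta(days=3 * 365)   # ">= 3 years" in an archived state

def audit(source, secondary, today):
    """Return (email, finding, yearly_cost_usd) for each flagged secondary-IdP account.
    source is the "source of truth" IdP; records use an assumed normalized schema."""
    deactivated = {a["email"] for a in source if a["status"] == "deactivated"}
    findings = []
    for acct in secondary:
        email, status = acct["email"], acct["status"]
        last, archived_on = acct.get("last_login"), acct.get("archived_on")
        # Assumption: an account that has never logged in is treated as stale.
        stale = last is None or today - last > STALE_AFTER
        if email in deactivated and status in ("active", "suspended"):
            finding = "deprovisioned-not-disabled-in-all-idps"   # check 1
        elif status == "archived" and archived_on and today - archived_on >= ARCHIVE_MAX:
            finding = "old-archived"                              # check 2
        elif status == "suspended" and stale:
            finding = "stale-suspended"                           # check 3
        elif status == "active" and stale:
            finding = "stale-active-verify-idp-logs"              # check 4, see the note above
        else:
            continue
        findings.append((email, finding, COST_USD[status]))
    return findings

# Constructed sample data (not real accounts).
TODAY = date(2024, 6, 1)
OKTA = [{"email": "alice@example.com", "status": "deactivated"},
        {"email": "bob@example.com", "status": "active"}]
GOOGLE = [
    {"email": "alice@example.com", "status": "suspended", "last_login": date(2023, 1, 10)},
    {"email": "bob@example.com", "status": "active", "last_login": date(2024, 5, 28)},
    {"email": "carol@example.com", "status": "archived", "last_login": date(2021, 4, 1),
     "archived_on": date(2021, 5, 1)},
    {"email": "dave@example.com", "status": "suspended", "last_login": date(2024, 1, 15)},
    {"email": "vendor-sync@example.com", "status": "active", "last_login": date(2023, 11, 1)},
]

if __name__ == "__main__":
    results = audit(OKTA, GOOGLE, TODAY)
    for email, finding, cost in results:
        print(f"{email:26} {finding:40} ${cost}/yr")
    print("Yearly spend on flagged accounts: $", sum(c for _, _, c in results))
```

The cost column is the current yearly price of the flagged seat, not a guaranteed saving; a stale active account still needs the log review described in the note before it is removed.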
