How does Passage pricing compare to Rippling, Okta and BambooHR?

Passage Pro is $7.50 and Team is $13 per managed user per month with no base fee. Rippling's IT modules stack on a roughly $8 per-user platform fee; Okta Lifecycle is $4 but requires a roughly $14 Core base; BambooHR Pro is $17 per employee and its IT onboarding is checklist-only. Passage includes device-return enforcement and portable audit evidence that those tools charge extra for or do not offer.

Pricing — Passage vs Rippling, Okta Lifecycle & BambooHR (2026)

Name: Passage
Brand: Passage

Free

$0

Local-first / privacy-first

1 connected tenant
M365 or Google connector
Unlimited manual-step runs
5 automated runs/mo
Full audit log
CSV evidence export

Pro

$7.50/user/mo

Core SMB · annual · min $150/mo

Everything in Free
Unlimited automated runs
All identity connectors (M365, Google, Okta, JumpCloud)
Residual-token closure gate
License-reclamation savings rollup
Device lifecycle via Cairn
Mover diff engine
Scheduled & bulk runs
Signed evidence push

Team

$13/user/mo

Compliance-driven · annual

Everything in Pro
HRIS trigger ingestion
Non-federated SaaS connectors (GitHub, Salesforce, Atlassian, Zoom, Slack)
Two-step deprovisioning: seat + OAuth-token revoke
OAuth-grant discovery (shadow apps)
Vault credential handoff
SLA timers + escalation
License-reclamation analytics
BYO-key AI features

MSP

$6/user/mo

Volume · annual

Everything in Team
Multi-tenant parent console
Per-client branding
Cross-client reporting
Bulk tenant onboarding
Consolidated billing

Billed per active employee whose lifecycle you manage in the period — not per IT seat. Annual billing −15%.

Passage vs Rippling, Okta Lifecycle & BambooHR

The honest version. Same $6–$13 real-JML band — but device return, portable evidence, and no SSO tax come included, not as extra modules or not at all.

Capability	Passage	Rippling (IT)	Okta Lifecycle	BambooHR + IT
Headline price for real JML	$7.50 Pro / $13 Teamper managed user/mo · no base	~$8 platform base+ Device ~$8 + App ~$7 modules	~$4 LCM add-onrequires ~$14 Core base (SSO tax)	$10–$25 Core–EliteIT onboarding is an add-on
Implementation / onboarding fee	None — self-serve	$2k–$20k+	Pro services common	5–15% of annual
Free tier that actually disables accounts	Yes	No	No	No
Real deprovisioning (disable + revoke sessions)	Yes — core	Yes	Yes (mature SCIM)	Checklist, not real provisioning
Ends access in non-federated SaaS (seat and OAuth token revoke)	Yes — both halves, both critical	SCIM seat; token revoke uneven	Federated only; non-fed left open	No
OAuth-grant discovery (finds shadow apps)	Yes — covered/uncovered	No	No	No
Residual-token closure gate (can't close with token live)	Yes — hard block	No	No	No
License-reclamation savings in the evidence	Yes — $/mo & /yr rollup	Seat reports, separate	No	No
Automated provisioning + human tasks in one run	Yes — both, gated	Provisioning-led	Provisioning only	Tasks only (no real provisioning)
Device-return enforced as a closure gate	Yes (via Cairn)	Device mgmt, not gated to offboarding	No device return	No device return
Mover diff — revoke stale access on role change	Yes — critical revoke steps	Role-based	Partial	No
Scheduled & bulk JML runs	Yes	Yes	Via policies	Manual
Hash-anchored, portable audit evidence	Yes — exportable	Logs inside the platform	Logs inside the platform	No
Cross-framework compliance push (SOC 2 / HIPAA / NIST 800-171 / CMMC)	Yes — built in	Indirect	No	No
No SSO tax / no platform fee	Yes	Platform fee	SSO tax (Core base)	HR platform required
BYO-key AI (no inference markup)	Yes	No	No	No
MSP multi-tenant console	Yes — $6/user	Limited	Enterprise motion	No
Full HR / payroll / benefits	No — by design	Yes	No	Yes

$0

No implementation fee

Rippling charges $2k–$20k+ and BambooHR 5–15% of annual just to onboard. Passage is self-serve from the free tier — your first leaver run takes minutes.

~$14

No SSO-tax base

Okta's $4 Lifecycle Management add-on only runs on top of a ~$14/user Core Essentials base. Passage's $7.50 Pro is the whole price — nothing to buy underneath it.

Included

Device + evidence in the price

Device-return enforcement and hash-anchored, portable audit evidence are part of Pro — Rippling bills device mgmt as a separate module, and Okta/BambooHR don't return devices at all.

Where each competitor leaves SMBs exposed

Rippling (IT) — best-in-class provisioning, but it lives inside a platform: a ~$8/user base plus Device (~$8) and App (~$7) modules stack PEPM, and implementation runs $2k–$20k+. You adopt the suite to get the lifecycle automation. Passage gives you the access lifecycle, device-return enforcement, and portable evidence without buying the platform.
Okta Lifecycle Management — mature SCIM and deep deprovisioning for federated apps, but the $4 LCM add-on is gated behind a ~$14/user Core base (the "SSO tax"), it doesn't end access in non-federated SaaS (a GitHub PAT or Salesforce refresh token survives the disable), there's no device return, and no human-task workflow. Passage delivers the $7.50 real-JML price with no base, runs the seat + OAuth-token revoke per app, adds device return, and writes portable evidence Okta keeps inside its own logs.
BambooHR + IT onboarding — loved HR onboarding UX, but its IT onboarding is a checklist, not real provisioning: it tracks "disable Jane's account" as a task without ever disabling it, has no device deprovisioning, and hides 30–50% in add-on fees over the $10–$25 base. Passage actually fires the deprovisioning and tracks the human tasks in the same gated run.

Pricing reflects publicly reported 2026 list figures: Rippling base + module PEPM and $2k–$20k+ implementation (PeopleManagingPeople, costbench); Okta LCM ~$4 add-on on ~$14 Core (AccessOwl); BambooHR Core $10 / Pro $17 / Elite $25 + implementation 5–15% of annual (PeopleManagingPeople). Vendor pricing and capabilities change — verify current terms directly.

Pricing questions

Is there an SSO tax or implementation fee?

No. No platform fee, no SSO tax, no paid implementation. Okta gates its $4 Lifecycle add-on behind a ~$14/user Core base; Rippling and BambooHR charge $2k–$20k or 5–15% of annual to onboard. Passage is self-serve from a free tier that actually disables accounts.

What does "per managed user" mean?

You pay per active employee whose lifecycle you manage in the billing period — the joiner-mover-leaver subject pool — not per IT seat. This matches the Okta / AccessOwl / Console convention and aligns price with value.

What drives the upgrade from Free?

The free tier caps at 5 automated runs/month and can't push evidence to Sightline/Bastion. Teams upgrade to Pro for unlimited runs, all four identity connectors, the residual-token closure gate, the license-reclamation savings rollup, device lifecycle, and signed evidence push — the compliance buyer's must-have. Team adds the non-federated SaaS connectors that run two-step deprovisioning and OAuth-grant discovery.

Does Passage end access in apps beyond the identity provider?

Yes — that's the point. Disabling Okta/Entra/Google only stops single sign-on; non-federated SaaS like GitHub, Salesforce, Atlassian, Zoom and Slack keep their own tokens. On Team, Passage runs two steps per app — remove the seat and revoke the OAuth grant/token — discovers shadow apps no template anticipated, and the closure gate hard-blocks if a seat was removed while its token is still live. (Live connector calls are simulated behind a boundary in this build; the orchestration, the gate, and the hashed proof are real.)

Is the comparison fair to the competitors?

We compare on the IT joiner-mover-leaver job. Rippling and BambooHR also do full HR/payroll/benefits, which Passage deliberately does not — that's noted in the table. The numbers cite public 2026 list pricing; we link the sources and recommend verifying current terms directly.

Real JML at the price of a checklist.