This document describes the available editions and billing rules for IDaaS EIAM 2.0.
Edition comparison
IDaaS EIAM 2.0 offers the following editions:
Free Edition: Provides a selection of free identity connection features to meet basic identity management needs. For example, you can synchronize Active Directory (AD) accounts and organizations to IDaaS or use single sign-on (SSO) to log on to Alibaba Cloud RAM.
Enterprise Edition: Provides all identity connection features and a wide range of identity security features. It acts as a cloud identity hub to connect isolated identity silos.
Capabilities | Free Edition | Enterprise Edition |
Maximum number of accounts per instance | 50 | Based on the number of purchased accounts |
QR code logon and full synchronization for inbound DingTalk IdP | Supported | Supported |
Features for inbound DingTalk IdP, such as password-free logon to the workbench, incremental synchronization, and sensitive data synchronization (advanced configuration) | Not supported | Supported |
Delegated logon, user filtering, and full synchronization for inbound AD/LDAP IdP | Supported | Supported |
Features for inbound AD/LDAP IdP, such as custom logon identities, incremental synchronization, and scheduled verification | Not supported | Supported |
Features for inbound WeCom IdP, such as QR code logon, password-free logon to the workbench, and data synchronization | Not supported | Supported. Requires a dedicated endpoint. |
Federated authentication (logon to IDaaS) and manual account binding for inbound OpenID Connect (OIDC) IdP | Supported | Supported |
Automatic binding, automatic creation, and automatic information updates for inbound OIDC IdP. This is used for federated logon to IDaaS or applications from identity providers such as Azure AD (Entra ID), Okta, or a self-built 4A system. | Not supported | Supported |
Logon, data synchronization, and other features for all outbound IdPs | Not supported | Currently supports DingTalk. Will require a separate purchase in the future. |
Group and extension field features | Not supported | Supported |
Features for marketplace applications, such as SSO, data synchronization, and API access | Supports only specific applications | Supported |
Features for standard applications (such as SAML and OIDC) and self-developed applications, such as SSO, data synchronization, and API access | Not supported | Supported |
Maximum number of applications per instance | 3 | 1,000 |
Logon methods such as IDaaS account password and text message verification code | Supported | Supported |
Two-factor authentication using OTP, text messages, email, and more | Supported | Supported |
Bind two-factor authentication at logon | Not supported | Supported |
Basic security features such as password complexity rules and high-risk password detection | Supported | Supported |
Advanced password features such as initial passwords, periodic password changes, password history, and password reset | Not supported | Supported |
Grant application access to accounts, organizations, and groups | Supported | Supported |
Branding features such as custom icons, names, and domain names | Not supported | Supported |
Dedicated endpoint (for connecting to WeCom or using PrivateLink to connect to AD/LDAP) | Not supported | Requires a separate purchase |
Service availability commitment and critical event response | Not guaranteed | 99.9% availability commitment and rapid response to critical impact events |
Help and support | Tickets | Ticket response within 24 hours and 8×5 support for questions |
When an Enterprise Edition instance expires, its paid features are automatically restricted, and the instance is downgraded to the Free Edition. Data in the instance is not deleted during the downgrade. To use the paid features again, you must purchase a new subscription.
Account billing
IDaaS EIAM 2.0 uses a subscription billing model. The price is based on the number of accounts in the instance. The price per account decreases as the total number of accounts increases. For pricing details, see the purchase page.
If the number of accounts in your IDaaS instance reaches the purchased quota, you cannot create new accounts. Existing operations such as user logon and SSO are not affected. To resume account creation, you must upgrade your instance or reduce the number of accounts.
Dedicated endpoint billing
The dedicated endpoint feature lets you synchronize data and perform delegated authentication for AD/LDAP without opening public ports. You can also use a dedicated public IP address to connect to WeCom. For more information, see Network endpoints.
You must have an Enterprise Edition instance to purchase a dedicated endpoint and obtain a dedicated endpoint quota. The cost of each dedicated endpoint is 30% of the total cost of your Enterprise Edition accounts.
When an Enterprise Edition instance is released (downgraded to the Free Edition), its dedicated endpoints become unavailable. The dedicated endpoints are automatically deleted after one day. Deleted resources and data cannot be recovered.
Conditional access billing
Conditional access is a process that evaluates the context of an access request to make an access decision. Using conditional access policies, you can apply specific access controls for different situations. For example, you can set different two-factor authentication requirements for different applications. For more information, see Conditional access policies.
You must have an Enterprise Edition instance to purchase and use the conditional access feature. The cost of the conditional access feature is 40% of the total cost of your Enterprise Edition accounts.
When an Enterprise Edition instance is released (downgraded to the Free Edition), custom conditional access policies become unavailable. Default conditional access policies are not affected.
M2M application billing
Machine-to-machine (M2M) permission management is an access control mechanism for non-interactive, service-to-service scenarios. In this mechanism, IDaaS issues authorization credentials, and components such as API Gateway perform authentication. This process strictly controls caller access to protected resources and prevents unauthorized calls.
M2M is a separately billed feature. The billing rules for M2M applications in each EIAM instance are as follows:
In the following table, the maximum number of applications refers to the number of M2M applications within a single EIAM instance, not the total number of M2M applications across all instances.
Maximum number of applications | Fee (USD/month) |
≤ 2 | 0 |
≤ 5 | 75 |
≤ 10 | 150 |
≤ 30 | 450 |
≤ 50 | 750 |
≤ 100 | 1,500 |