Federated Trust, FusionAuth, C1, Okta, and Auth0 solve different problems that buyers evaluate together. This matrix compares them across 44 capabilities — with a twist the industry avoids: the Federated Trust column carries the same public maturity labels as our trust center, so designed work is never dressed up as shipped product.
00Platforms
00Capabilities
00Capability groups
00Evidence levels
Federated Trust
Federated Trust
Cross-company identity, authorization, and custody plane
Managed service today; customer-controlled and sovereign profiles are designed targets.
Committed public maturity registry — every cell carries its status label. Status registry
FusionAuth
Inversoft
Self-hostable CIAM identity server
Self-host anywhere (Docker, packages, Kubernetes) or dedicated single-tenant FusionAuth Cloud.
Public documentation and pricing pages, version 1.68.0. Source
C1
ConductorOne
AI-native identity governance and access overlay
Multi-tenant SaaS control plane; self-hosted open-source connectors reach private infrastructure.
Public marketing, documentation, and launch press — no public versioning or pricing. Source
Okta
Okta, Inc.
Workforce identity cloud
Multi-tenant SaaS only, with government-scoped variants; no self-hosted control plane.
Public documentation, trust pages, and press releases. Source
Auth0
Okta, Inc.
Customer identity cloud (CIAM)
Multi-tenant public cloud or dedicated vendor-managed Private Cloud on AWS or Azure.
Public documentation, platform pages, and press releases. Source
Showing 44 of 44 capabilities across 8 of 8 groups, comparing 5 of 5 platforms.
3 of 3 capabilities
Platform role and architecture
What each product fundamentally is. These five are not interchangeable: two issuers, a governance overlay, a workforce cloud, and a cross-company trust plane.
Platform role and architecture: capability comparison across 5 platforms
Capability
Federated Trust
FusionAuth
C1
Okta
Auth0
Identity provider of recordHosts sign-in and issues the tokens applications trust.
PartialLimited / pilot
Central issuer with branded login for named hosts; protocol and profile rollout is limited/pilot.
Yes
Complete CIAM identity server: hosted login, registration, tokens, and sessions.
No
C1 does not host login or issue tokens; it governs access and presumes an IdP underneath.
Yes
Full workforce IdP: Universal Directory, SSO, and token issuance across the Okta Integration Network.
Yes
Developer-first CIAM issuer: Universal Login, tokens, and sessions at consumer scale.
Governance over existing systemsMaps and governs access held in other IdPs and applications.
PlannedDesigned
Federated Trust governs its own authority plane; overlay governance of third-party systems is not the product.
No
An identity server, not an IGA overlay; no cross-system review or remediation product.
Yes
The core product: a universal graph over IdPs, apps, and infrastructure with policy-driven remediation.
Add-on
Okta Identity Governance (paid add-on): requests, reviews, and lifecycle over Okta-integrated apps.
No
CIAM platform; enterprise governance overlay is not the Auth0 surface.
Cross-organization trust planeOne shared, canonical authority for relationships and grants that span company boundaries.
PartialLimited / pilot
The core thesis: canonical organizations, relationships, and revocable cross-company grants. Code and contract evidence; rollout gated.
No
Tenants are isolated namespaces; the vendor recommends separate instances for strong isolation.
Unknown
Scope is one enterprise per tenant; no cross-organization authority appears in reviewed public docs.
Partial
Orgs are per-company; B2B is org-to-org federation and hub-and-spoke patterns, not one shared plane.
Partial
Auth0 Organizations model business customers inside one tenant; not a shared cross-company authority.
6 of 6 capabilities
Deployment and data control
Where the control plane runs, who can hold the keys, and whether the product can leave the vendor’s cloud. This is where the five differ most.
Deployment and data control: capability comparison across 5 platforms
Capability
Federated Trust
FusionAuth
C1
Okta
Auth0
Vendor-managed cloud serviceA hosted service the vendor operates for you.
YesImplemented
The central service runs today as a managed edge deployment for named hosts.
Yes
FusionAuth Cloud runs dedicated deployments (Basic, Business, HA tiers).
On-Behalf-Of and custom token exchange are generally available.
Sender-constrained tokens (DPoP)Proof-of-possession so stolen tokens cannot be replayed.
PlannedPlanned
A roadmap profile in the committed registry; current clients are not represented as sender-constrained.
Add-on
Authorization-code DPoP binding at Enterprise; resource servers must validate proofs.
Unknown
Not applicable to the reviewed public surface.
Yes
DPoP-bound tokens supported, and required for several Okta management APIs.
Partial
Certificate-bound tokens ship with Highly Regulated Identity; DPoP-specific support is less clearly published.
6 of 6 capabilities
Authorization
Who may do what, decided where. The interesting differences are in fine-grained models, delegation, and what happens when the authority is unreachable.
Authorization: capability comparison across 5 platforms
Capability
Federated Trust
FusionAuth
C1
Okta
Auth0
Roles and groupsClassic role- and group-based access.
PartialLimited / pilot
Roles are expressed through the canonical relationship graph plus local configuration roles.
Yes
Application-scoped roles, registrations, and flat (non-nesting) groups.
Partial
Mirrors roles and entitlements from connected systems into its graph; not your runtime authorizer.
Yes
Groups, group rules, and fine-grained admin roles.
Yes
RBAC with roles and permissions embedded in tokens.
Relationship-based / fine-grained authorizationGoogle Zanzibar-style relationship checks at runtime.
PartialLimited / pilot
Typed relationship and policy evaluation exists in code and tests; independent deployment evidence remains gated.
Add-on
A hosted and supported Permify FGA option at Enterprise.
Partial
Real-time authorization is claimed inside the headless substrate; public depth is thin so far.
Yes
Okta FGA (OpenFGA lineage), generally available since March 2024 with a 99.99% SLA.
SOC 2, ISO 27001/27018, HIPAA BAA, and PCI options; no standalone FedRAMP authorization is published.
Public pricingCan you price it without a sales call?
No
Not commercially packaged; preview engagements are explicitly bounded discussions.
Yes
Public MAU-based pricing and a free self-hosted Community edition.
No
Quote-based; no public pricing.
Partial
Public per-user list prices for workforce SKUs; enterprise agreements dominate in practice.
Yes
Public plans with a free tier; enterprise quotes beyond.
How to read this comparison
Two vocabularies are in play. Every product cell uses one of seven evidence levels. Federated Trust cells additionally carry the committed maturity label from the public status registry — the same one attached to every claim on this site.
Available
Generally available in the product as publicly documented on the snapshot date.
Scoped or partial
Real capability with documented limits: scoped hosts, partial coverage, or a different mechanism than the row implies.
Higher tier or add-on
Offered, but gated behind a higher edition, paid add-on, or specific plan.
Preview or early access
Public preview, early access, or staged rollout announced by the vendor.
Planned or designed
A stated target or designed contract. Not represented as available today.
Not offered
Outside the product’s model as publicly described — not a temporary gap.
No public evidence
No public evidence found in the reviewed sources. Absence of evidence, not proof of absence.
Implemented
Implemented in a Federated Trust service path with current evidence. The named deployment and evidence scope still matter.
Limited / pilot
Code or contracts exist, but integration, operational, or assurance gates still prevent general availability.
Designed
An approved target shape or contract that is not represented as generally available. A validated deployment package is still required.
Planned
A stated engineering target that is not represented as implemented, generally available, or deployed today.
Independently validated
Implemented and assessed independently for a named scope and evidence date. This label does not extend beyond that evidence.
Governing reference
Authoritative material used to guide design and review. This status is not a certification or a universal conformance claim.
This comparison is a dated snapshot assembled by Federated Trust from each vendor’s public documentation, pricing, and press material. It is not a certification, benchmark, or procurement recommendation. Product names and trademarks belong to their owners; none of the vendors reviewed or endorsed this page. Federated Trust cells use the same committed maturity labels as the trust center and never present designed or planned work as available. Corrections are welcome.
The vendors above centralize custody to deliver convenience. Federated Trust is designed for the opposite trade — customer-held keys, resource-local final deny, and sovereign data planes — and labels exactly how much of that exists today.