Windows-native · On-premises IAM

Identity that stays in your hands.

Notentra is the standards-based identity platform you run on your own network — a full identity provider plus a free IIS service-provider module. OIDC, SAML, FIDO2, and conditional access, on hardware your team controls. No cloud dependency. No vendor lock-in.

Get Started See how it compares
~30 min
to first login
$55/usr/yr
IdP entry tier
100%
on your network
login.northwind.gov
Notentra IdP sign-in portal
Platform
Windows Server + IIS
Protocols
OIDC · SAML · FIDO2 · X.509
Conditional Access
Included, every tier
Cloud Dependency
None
Why Notentra

Enterprise-grade identity. No cloud required.

Most identity providers ask you to hand your users, tokens, and audit trail to someone else's cloud. Notentra runs where your data already lives — and includes the capabilities competitors gate behind premium tiers.

01 / SOVEREIGN

Stays on your network

Self-hosted on Windows Server, IIS, and SQL. No SaaS vendor sees your identities. Air-gap capable for sovereign deployments.

02 / NO PREMIUM TAX

Every feature, every tier

Conditional access, risk policy, per-credential AAL grading, and tamper-evident audit ship in every tier. What competitors paywall is baseline here.

03 / FAST

Up in 30 minutes

One Setup.exe wizard handles prerequisites, IIS, the database, certificates, and the admin account. A direct ADFS replacement.

04 / ASSURANCE

AAL graded correctly

Every credential graded to NIST 800-63B. A synced passkey lands at AAL2, a hardware key at AAL3 — so "hardware-bound required" means it.

05 / EVIDENCE

Tamper-evident audit

Every decision is a typed event, HMAC-chained (NIST 800-53 AU-9). Prove the log wasn't edited — verified in one click.

06 / COEXIST

Works with what you run

Run the IdP as a SAML spoke off Okta or Entra. Protect any IIS app with the free SP module — no code changes. Adopt without ripping anything out.

Platform

Two modules. Complete coverage.

The identity provider issues the tokens. The service-provider module protects the apps that consume them. Use either on its own, or both together.

Identity Provider
Notentra IdP
$55–$90/ user / year — all features, every tier

A standards-based IdP for Windows. OIDC, SAML 2.0, WS-Fed, FIDO2, and certificate auth, with conditional access and tamper-evident audit built in.

  • OIDC · SAML 2.0 IdP/SP · WS-Federation
  • Per-credential AAL classification (NIST 800-63B)
  • Per-department hardware authenticator profiles
  • Conditional access & risk-based policy — included
  • Microsoft 365 / Exchange federation
Explore the IdP →
IIS Service Provider
Notentra SP
Freeforever — every site, every server

A native IIS module that turns any IIS-hosted app into a SAML 2.0 service provider. No reverse proxy, no middleware, no application code changes.

  • Drops into the IIS pipeline as an HttpModule
  • Works with Notentra, Entra, Okta, ADFS, or any SAML IdP
  • Injects identity as request headers — read with any stack
  • Cookie, multicast, or Redis session modes
  • No domain join required at the protected app
Explore the SP module →
Competitive positioning

The only Windows-native, on-prem IAM platform.

3-year license cost at 500 users — and where your identity data physically lives.

 Notentra IdPEntra ID P1Okta + MFA
3-yr cost · 500 users$82,500$108,000$144K–216K
Conditional accessIncludedP1 tierAdd-on SKU
Per-credential AAL gradingYesNoPartial
Identity data livesYour networkMicrosoft cloudOkta cloud
Air-gap capableYesNoNo
Free IIS SP moduleYesNoNo

Competitor prices are public-list estimates, May 2026. Verify before quoting.

Get Started

Ready to take control of your identity layer?

Stand Notentra up beside what you run today. Move one app. Decide at renewal.

Create Account Read the Docs