Customer Identity and Access Management (CIAM) has become a crucial aspect of modern consumer-oriented software application architecture.
A good CIAM implementation provides the tools, processes, policies and design patterns to manage and secure customer identities and control access to applications, services, and resources. CIAM ensures that only authenticated and authorized users can access restricted information and functionality, and enables self-service capability as part of a safe and seamless user experience.
Most feel they’re faced with an important decision when it comes to adopting CIAM: should we build our own CIAM solution or buy a ready-made offering? A post I recently came across on LinkedIn illustrates the build-vs-buy paradox quite nicely via a simple and easy-to-follow decision-making framework.
The majority see the build option as providing the most flexibility, but the greatest challenge: one they’d rather avoid, and to be honest one most experts would recommend avoiding too! While building everything yourself from scratch might seem favourable, identity is complex and time-consuming, and getting it wrong can be very costly!
The ready-made alternative is arguably the more attractive approach and was also discussed in a recent report on LinkedIn by the Aspect Dynamics Group. Buying a subscription to a CIAM Software-as-a-Service (SaaS) solution — such as Clerk, FusionAuth, Frontegg, Auth0 by Okta, Firebase from Google, Cognito from AWS, or Entra ID as part of Microsoft Azure — is a popular choice. However, vendor-provided offerings can carry a heavy price tag, particularly if you have a large user base or make extensive use of the features provided.
Both approaches have advantages and challenges, with factors such as business needs, security concerns, scalability, available resources and how much of your revenue you’re willing to spend, affecting the choice. However, there is a middle ground that often gets overlooked.
With consumer-oriented software, though, much of the infrastructure you pay for in a vendor-provided SaaS solution may already be a requirement for the functionality you provide; cloud-based “compute”, database, network resources, etc. could be a necessity for your solution, and delivering these (at scale) already something you need to do.
A DIY, open-source CIAM implementation then — as in a pre-built open-source solution maintained and developed externally, but that you host within your infrastructure — could offer a different option, and one with the added benefit of enhanced flexibility at a much more cost-effective price.
DIY is the method of building, modifying, or repairing things by oneself. In this case, you can think of a DIY – or Deploy It Yourself – CIAM solution as tailoring an open-source implementation to suit your needs whilst minimizing cost.
For example, a recent post on X suggests the open-sourced and cross-platform ASP.NET Core Identity might be a good choice, particularly if you’re a .NET developer. Keycloak is another one to consider — as are Authelia and Authentik (neither of which I’ve used, but of which I’ve heard encouraging things).
In the remainder of this article, I’m going to discuss what you should be looking for in a CIAM solution along with the relative merits of Build vs Buy vs DIY (hint: almost always avoid the former whichever of the other routes you decide to go 😎).
Features and Capabilities
At first glance, creating your own simple User ID and Password implementation may seem all that’s required. We’ve all been there: create a user interface, collect credentials, and then check the credentials provided against some form of database record.
Processing User ID and Password credentials, however, is the tip of the iceberg…particularly as they’re fast becoming obsolete! In today’s modern environment, more standards-based approaches for CIAM involving the use of OAuth 2.0, OIDC and/or SAML are preferred — approaches that also offer enhanced functionality and the ability to interoperate with third-party Identity Providers (IdPs) and Authorization services. Feature functionality includes (but is not limited to):
- MFA — additional authentication factors that go beyond the humble UserID and Password.
- SSO — to minimize interactive login whilst also allowing multiple identities to be associated with any given user.
- Social — leveraging Facebook, Google, Microsoft, LinkedIn, etc., thus offloading authentication and authorization to third parties.
- Federation — allowing organizations to use their own IdP deployments for authenticating and authorizing user access…an absolute cornerstone for any B2B SaaS application.
- Passwordless — many see traditional passwordless as legacy technology, however, it still offers real value, particularly when it comes to identity validation/confirmation.
- Passkeys — with Passkey implementations fast becoming the preferred route, biometric-style technology designed to be the de facto standard is set to replace the User ID and Password altogether.
Customization and Control
One of the biggest advantages of building your own CIAM is the notion of having complete control over the architecture, features, and user experience. At least that’s the perception. Here the view is that CIAM can be designed to meet the exact needs, integrating seamlessly with internal applications, legacy systems, and databases:
The perception of a requirement isn’t always what’s actually required, particularly if you base the characteristics of a contemporary solution on some legacy implementation that may not conform to modern best practices.
- You can tailor features to match your specific requirements such as implementing custom workflows for authentication, developing specialized user interfaces, or integrating with other proprietary systems.
- If your business evolves or has specific needs that an off-the-shelf solution doesn’t accommodate then your purpose-built implementation allows you to adapt quickly.
However, this level of customization comes at a price: developing a CIAM system from scratch requires in-depth knowledge of security protocols, compliance requirements, and identity management frameworks, which can stretch your development resources.
Buying a ready-made SaaS solution can provide a convincing alternative, giving you enough flexibility out-of-the-box to do 90% of what you need whilst also providing customizable extension mechanisms to address most, if not all, of the last 10%. The downside is the ever-increasing price tag that this approach typically comes with.
A DIY open-source option can be just as effective yet much cheaper. A hybrid approach — as in a mix of pre-built technology combined with customized code — can get you exactly what you need with the minimum of domain-specialized knowledge and where financial implications are limited to the costs associated with the (hosting) infrastructure.
Security and Compliance
CIAM is a highly complex domain, and any missteps could lead to data breaches, loss of customer trust, and legal consequences. Whilst building a bespoke system arguably provides you with full control (at least the perception of it) a ready-made SaaS solution will typically handle the complexities of securing sensitive customer data so that you don’t have to:
- Data Protection: ensuring that data is encrypted at rest and in transit; that MFA is used as part of step-up authentication workflows for sensitive operations; and that robust session management practices are in force.
- Compliance: adhering to global requirements such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).
- Compliance Certifications: undergoing regular audits and maintaining the necessary standard(s) to ensure compliance with privacy regulations.
Depending on your requirements, the open-source DIY route could provide the perfect compromise between the full control of a bespoke implementation and the convenience of a vendor-provided SaaS solution — allowing you to leverage industry expertise but at a fraction of the overall cost.
Scalability and Maintenance
If your consumer application is designed to handle large volumes of users then scalability will be a major consideration. Your CIAM system must handle the growth of users and user-centric data without compromising performance. If your user base grows unexpectedly or your application experiences a sudden surge in traffic — e.g., during a product launch or sales event — your CIAM must scale seamlessly to support the demand.
With some vendor-provided SaaS solutions, this could be a challenge. Or you could see your costs grow significantly. With an open-source DIY approach, you’d typically leverage the uplift in infrastructure you’ll likely need for your own application(s), thus ensuring you meet the demands without incurring additional and unnecessary charges.
With certain B2C or B2B SaaS software solutions, the need for flexible and scalable infrastructure is already a prerequisite. So any (elastic) solution already employed would lend itself ideally to an open-source CIAM approach.
Ongoing updates, bug fixes, and feature enhancements will require a dedicated team of maintenance-oriented and security experts. Continuously updating and evolving to ensure a system remains secure and compliant as new security vulnerabilities are discovered and new regulations are introduced, will require human capital and financial investment if you build CIAM yourself. Whilst a vendor-purchased SaaS implementation goes a long way to mitigate this, an open-source approach may offer a community-oriented compromise more aligned with your resourcing and available budget.
Time and Resource Requirements
Building a bespoke CIAM implementation in-house is a time-consuming process that requires a significant investment in both time and expertise on an ongoing basis. Depending on the complexity of your needs, it could take months or even years to develop, test, and deploy an effective system:
- Expertise: You’ll need a team of developers, security experts, and compliance officers to build and maintain the system.
- Costs: Beyond initial development, ongoing expenditures related to security, compliance, and maintenance can accumulate over time.
Given the challenges involved, building bespoke CIAM may only be feasible for large enterprises with substantial budgets and a team of experts. But even then it’s seldom a recommended route.
If you have a team with expertise you can draw from and/or your consumer-oriented software solution(s) fall into the B2C or B2B SaaS category, then the open-source DIY route can be just as effective an option yet at a much lower overall cost.
There are third parties that offer hosting for open-source implementations and charge via a subscription model. Don’t confuse this with a free-tier offering from a SaaS solution vendor — which will ultimately end up as a cost option with the potential for vendor lock-in.
Purchasing a vendor-provided SaaS solution offers the advantage of offloading all the effort, however, the price tag can run into the thousands or even hundreds of thousands annually for large-scale enterprise organizations.
Cost and Resource Efficiency
While vendor-provided SaaS CIAM solutions come with a subscription cost, they typically offer better cost efficiency than building a custom solution. They eliminate the need for in-house development, security, and maintenance teams, reducing long-term operational expenses:
Most vendor-provided SaaS costs are based on MAU (Monthly Active Users) as the base-level indicator of the impact on their platform. If you exclusively leverage a Social IdP for user authentication, say, that impact is reduced, but subscription charges will typically not reflect this.
- Predictable Costs: SaaS providers typically charge based on the number of monthly active users or logins, together with the functionality used. This can be easier to predict and budget for than building a custom system, though it can be less deterministic on the occasions where increased scale is required.
- Reduced Maintenance Burden: The SaaS vendor takes care of ongoing maintenance, security patches, and updates, so your internal team can focus on other business-critical tasks.
Depending on your requirements, a DIY implementation based on established open-source technology can be equally effective by leveraging the skills and expertise of the open-source community.
Speed of Implementation
Ready-made SaaS CIAM is typically faster to integrate when compared to building a custom solution. In the main, a vendor subscription will provide pre-built templates and user interfaces, drastically reducing the time to market.
- Out-of-the-Box Features: Most SaaS CIAM subscriptions include a wide range of pre-configured standards-based authentication methods, including Social logins, MFA, passwordless authentication, and more.
- Rapid Deployment: Cloud-based implementations allow for quicker deployment with minimal setup required, reducing the time to build your application.
- SDKs: For both client and server-side implementations this means it’s easy to incorporate the best-practice workflows and guidance that ensure safe and secure integration.
- Pre-built Components: For building user interfaces, particularly when it comes to profile management and supporting regulatory compliance standards (such as GDPR).
Most of the major players in the vendor-provided SaaS CIAM market offer free-to-use open-source SDK packages that are not tied to their respective SaaS platforms. Because these SDKs use standards-based OIDC and OAuth 2.0 flows, you can often use them with any DIY CIAM solution.
A DIY solution based on open-source technology can provide similar benefits – particularly when it comes to out-of-the-box features and rapid deployment. An implementation such as Keycloak, for example, offers a feature set comparable with the leading SaaS CIAM vendors. In addition, you deploy on your own infrastructure, which means you can use your own deployment mechanisms too.
Vendor Reliance
A downside to purchasing a SaaS CIAM solution is the potential for overreliance on a vendor, often referred to as vendor lock-in. If your business grows or changes, it might be challenging to migrate away from the SaaS solution to another provider or some in-house implementation.
- Data Portability: Ensure that your provider allows for easy export of user data and integration with other systems in case you decide to switch in the future.
- Platform Resilience: The performance, uptime, and security of your CIAM system are reliant on the vendor platform, which may present risks in case of service disruptions or attacks.
With a DIY open-source approach, this isn’t typically an issue. Again, systems like Keycloak give you the choice of where to store user-centric data as well as the ability to leverage the disruption protection mechanisms you likely already deploy.
In fact, with an open-source implementation, CIAM and the bespoke functionality of your consumer-oriented software solution can become atomic — thus you no longer need to cater for vendor-hosted CIAM being down whilst your services are still up and running. Or vice versa.
Comparison
Charting the course of any CIAM approach — especially a course that may seem easy to start with — could result in difficulties later, perhaps even requiring a complete change of tack at some point; something which is less than ideal, especially if doing so would also hurt the user experience. So there are several things you’ll want to consider before making your choice, and which approach you take will largely depend on the following factors:
A change of CIAM approach could lead to an invalidated session, requiring the user to log in again irrespective of any established SSO.
- Build a custom CIAM solution if you have specific, unique needs that require extensive customization and full control over security, compliance, and integration with internal systems. This approach is most suited for large enterprises with significant resources, but is not for the faint-hearted!
- Buy a vendor-made SaaS CIAM solution if you need a quick, secure, and scalable solution that handles all the complexities of identity and access management, with built-in compliance and security features. SaaS providers are ideal for businesses looking for a fast, cost-effective way to implement CIAM without the overhead of in-house development and maintenance.
- DIY your CIAM solution for arguably the maximum flexibility, using a combination of open-source technologies, (optionally) vendor-built SDKs, and a minimal amount of bespoke “glue” and hosting to leverage the existing investment in your own infrastructure.
Ultimately, the choice comes down to your priorities, resources, and long-term vision for the identity and access management of your customer-centric application(s). Below is a table of comparisons providing an at-a-glance high-level view of the merits of each approach, and you can read more about architecting a CIAM solution in my article:
Legend for the comparison table:
- ☑️ = mid-level support (out of the box)
- ✅ = full support (out of the box)
Table footnotes:
- Customization: the degree to which a solution can be tailored to requirements
- Depending on the desired functionality
- Depending on the vendor
- Depending on requirements
- Vendor reliance: whether or not there’s reliance on some third-party provider