For many years, building a SaaS application has centred around the B2C model, with CIAM integration mostly concerning the process of User Authentication and Consent.
In more recent times, the value of the B2B market and the opportunity to capitalize on a more standard approach for Access Control have led many of the third-party CIAM vendors down the route of adding support for full-spectrum Authorization into their SaaS solutions.
Whilst vendors like Okta have recently released reference applications like SaaStart — showcasing Auth0 features designed for B2B application integration — together with Fine-Grained Authorization (a.k.a. Okta FGA), these are hosted services that can be less than cost-effective.
My name’s Peter Fernandez and in a recent article entitled Build, Buy or DIY your CIAM Solution? I wrote about using open-source alternatives to reduce costs by capitalizing on the infrastructure already likely to be a requirement for the SaaS solution you’re building. In this article, I’m going to discuss how I’m using WordPress, OpenFGA, and Keycloak to do just that.
WordPress
Famed for its popularity as a blogging platform, modern WordPress offers a comprehensive suite of functionality that can be used to build all sorts of solutions. It’s not the most cutting-edge technology, but with over 800 million sites leveraging it, it does mean that almost 44% of all live websites on the internet are powered by it!
Whilst better known for building blogs, building web applications with WordPress is definitely possible and something that folks have been talking about for some time:
There are even companies like Vipe Studio and Gravity Kit that provide professional development services and tools for building web applications using WordPress.
As with most things, WordPress isn’t a magic bullet, and using it for any web application development is probably not where you’d want to start. However, if you have a B2C SaaS application that’s particularly content-heavy and/or requires theme management capability then it could be a good option — particularly given its rich out-of-box functionality and its extensive ecosystem of plugins.
For B2B SaaS application development — which requires a multitenancy approach, leverages both a vendor and a subscriber administration model, and typically requires brand management capability — WordPress Multisite gives you this, and more, ready-made out-of-the-box, which you can use as a foundation for whatever solution you’re building.
It’s also easy to scale. It’s a relatively straightforward process to deploy multiple instances of the WordPress engine anywhere, providing not only the ability to easily load-balance globally but also geographically in order to target specific regional growth.
I typically view WordPress as a technology stack framework, and WordPress Multisite forms the foundation of the Discovery network of which Discover CIAM is a part.
Keycloak
Keycloak (https://www.keycloak.org/) is an open-source platform that can be deployed as a service as part of a CIAM integration. Keycloak works with any development platform and provides application developers with secure authentication and authorization capabilities, requiring minimal or no development effort at all.
Keycloak is a Cloud Native Computing Foundation (CNCF) incubation project that effectively provides a combined IdP and OAuth 2.0 Authorization Server in one, and supports the following out of the box:
- Single Sign On
- Social Login
- Federation
- Passwordless
- Passkeys
- MFA
- RBAC
- Delegated Authorization
- Centralized Management
- Customized Branding
- Clustering for scale and availability
- Extensibility through customized code and adapters
- B2C and B2B SaaS solution support
Whilst you can easily host a Keycloak service yourself, as part of the infrastructure required to support your B2C and/or B2B SaaS solution, there are companies like Login Factor or SkyCloak that offer fully or partially managed hosting options. For more on the benefits of a DIY (Deploy It Yourself) approach to CIAM, using Keycloak or one of the other open-source products, see the article entitled Build, Buy or DIY your CIAM Solution?
OpenFGA
Another open-source project, this time a Linux Foundation project that sits within the CNCF (Cloud Native Computing Foundation), is OpenFGA. OpenFGA — as in open-source Fine Grained Authorization — can be deployed as a service as part of a CIAM integration to provide ReBAC as a modern complement to traditional RBAC access control.
Like Keycloak (above), an OpenFGA service can be hosted yourself, as part of the infrastructure required to support your B2C and/or B2B SaaS solution; the benefits of a DIY (Deploy It Yourself) approach are outlined in my article entitled Build, Buy or DIY your CIAM Solution? Alternatively, an organization such as Okta can provide a managed hosting service based on OpenFGA (see https://docs.fga.dev/ for more details).
You can read more about Relationship-Based Access Control (ReBAC) in the article entitled Access In A Controlled Manner, below, where I describe what it is, how it can complement the more traditional RBAC and ABAC methods, and where it fits into the overall architecture of an access control system.
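As an added example (my illustration, not the author's code and not OpenFGA's own engine), the following Python evaluator mimics how an OpenFGA-style ReBAC model expresses the vendor/subscriber administration model of a B2B multisite SaaS: a vendor's administrators inherit admin rights over the subscriber organizations they service, and those rights flow down to each subscriber's sites. The type names, relations, users and sites are constructed for illustration.

```python
from collections import defaultdict

# Authorization model in OpenFGA terms (constructed for this example):
#   ("this",)              direct assignment, like OpenFGA's "this"
#   ("computed", rel)      computed userset, e.g. admin includes owner_admin
#   ("from", link, rel)    tuple-to-userset, e.g. admin of the linked vendor org
MODEL = {
    "organization": {
        "vendor": [("this",)],                 # vendor org servicing this subscriber
        "owner_admin": [("this",)],            # the organization's own administrators
        "admin": [("computed", "owner_admin"), ("from", "vendor", "admin")],
    },
    "site": {
        "org": [("this",)],                    # parent organization of the site
        "editor": [("this",), ("from", "org", "admin")],
        "viewer": [("this",), ("computed", "editor")],
    },
}

# Relationship tuples: (object, relation) -> set of users (or objects).
TUPLES = defaultdict(set)

def write(user, relation, obj):
    """Store one direct relationship tuple, e.g. ('user:sam', 'owner_admin', 'organization:acme')."""
    TUPLES[(obj, relation)].add(user)

def check(user, relation, obj, depth=0):
    """Return True if `user` holds `relation` on `obj` under MODEL; depth bounds recursion."""
    if depth > 16:
        return False
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL[obj_type][relation]:
        if rule[0] == "this" and user in TUPLES[(obj, relation)]:
            return True
        if rule[0] == "computed" and check(user, rule[1], obj, depth + 1):
            return True
        if rule[0] == "from":
            # Follow the link relation to each related object and evaluate there.
            if any(check(user, rule[2], linked, depth + 1) for linked in TUPLES[(obj, rule[1])]):
                return True
    return False

def load_sample():
    """Constructed data: vendor 'vendor' services subscriber 'acme', which owns one site."""
    write("user:vera", "owner_admin", "organization:vendor")   # vendor administrator
    write("organization:vendor", "vendor", "organization:acme")
    write("user:sam", "owner_admin", "organization:acme")      # subscriber administrator
    write("organization:acme", "org", "site:acme-blog")
    write("user:eve", "editor", "site:acme-blog")
    write("user:vic", "viewer", "site:acme-blog")

load_sample()
```

Running `check("user:vera", "editor", "site:acme-blog")` returns True purely through relationships (vendor admin, then subscriber admin, then site editor), which is the kind of inherited access a flat RBAC role table cannot express without duplicating assignments per tenant.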