{"id":127,"date":"2025-02-22T11:51:26","date_gmt":"2025-02-22T11:51:26","guid":{"rendered":"https:\/\/discovery.cevolution.co.uk\/ciam\/?p=127"},"modified":"2026-03-13T10:29:53","modified_gmt":"2026-03-13T10:29:53","slug":"diy-or-buy","status":"publish","type":"post","link":"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/02\/22\/diy-or-buy\/","title":{"rendered":"Build, Buy or DIY your CIAM Solution?"},"content":{"rendered":"<p><b>Customer Identity and Access Management (CIAM)<\/b> has become a crucial aspect of modern consumer-oriented software-as-a-service (SaaS) applications. A good CIAM architecture provides the tools, processes, policies and design patterns to manage and secure customer identities and control access to applications, services, and resources. <\/p>\n\n\n\n<p>CIAM ensures that only authenticated and authorised users can access restricted information and functionality, and enables self-service capability as part of a safe and seamless user experience. 
You can read more about architecting a CIAM solution in my article:<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"nGtf9yaHTM\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/04\/09\/architecting-a-modern-ciam-solution\/\">Architecting a CIAM Solution<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Architecting a CIAM Solution&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/04\/09\/architecting-a-modern-ciam-solution\/embed\/#?secret=VK14kk2WoC#?secret=nGtf9yaHTM\" data-secret=\"nGtf9yaHTM\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<p>My name&#8217;s <span class=\"popup-trigger popmake-378\" data-popup-id=\"378\" data-do-default=\"0\">Peter Fernandez<\/span>, and in this article, I&#8217;m going to discuss what you should be looking for in a CIAM solution, along with the relative merits of Build vs Buy vs DIY (hint: almost always avoid the first, whichever of the other routes you decide to go \ud83d\ude0e).<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"ciam-in-a-nutshell\">CIAM in a Nutshell<\/h2>\n\n\n<p>At first glance, creating your own simple User ID and Password implementation may seem all that\u2019s required. We\u2019ve all been there: create a user interface, collect credentials, and then check the credentials provided against some form of database record. 
However, processing User ID and Password credentials is just the tip of the iceberg, and there are several factors you&#8217;ll want to consider when deciding which approach to take:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Build a custom CIAM solution<\/strong> if you have specific, unique needs that require extensive customisation and full control over security, compliance, and integration with internal systems. This approach is most suited for large enterprises with significant resources, but it&#8217;s not for the faint-hearted!<\/li>\n\n\n\n<li><strong>Buy a vendor-made SaaS CIAM solution<\/strong> if you need a quick, secure, and scalable solution that handles all the complexities of identity and access management, with built-in compliance and security features. SaaS providers are ideal for businesses looking for a fast, cost-effective way to implement CIAM without the overhead of in-house development and maintenance.<\/li>\n\n\n\n<li><strong>DIY your CIAM solution<\/strong> for arguably the maximum flexibility, using a combination of open-source technologies, (optionally) vendor-built <span class=\"popup-trigger popmake-3335 \" data-popup-id=\"3335\" data-do-default=\"0\">SDKs<\/span>, and a minimal amount of bespoke &#8220;glue&#8221; and hosting to leverage the existing investment in your own infrastructure.<\/li>\n<\/ul>\n\n\n\n<p>Ultimately, the choice comes down to your priorities, resources, and long-term vision for the identity and access management of your customer-centric application(s). Below, in true TL;DR fashion, is a table of comparisons providing an at-a-glance high-level view of the merits of each approach; if you&#8217;re using a mobile device then I&#8217;d recommend rotating (to a landscape orientation) to get a better view \ud83d\ude01:<\/p>\n\n\n\n<figure class=\"wp-block-table has-medium-font-size\"><table class=\"has-fixed-layout\"><thead><tr><th class=\"has-text-align-center\" 
data-align=\"center\"><\/th><th class=\"has-text-align-center\" data-align=\"center\">Build<\/th><th class=\"has-text-align-center\" data-align=\"center\">Buy<\/th><th class=\"has-text-align-center\" data-align=\"center\">DIY<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><a href=\"#features\">Features &amp; Capabilities<\/a><\/td><td class=\"has-text-align-center\" data-align=\"center\"><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><a href=\"#customization\">Customization &amp; Control<\/a><sup data-fn=\"ec24647d-ac7d-471e-aea7-271fe9f7976c\" class=\"fn\"><a href=\"#ec24647d-ac7d-471e-aea7-271fe9f7976c\" id=\"ec24647d-ac7d-471e-aea7-271fe9f7976c-link\">1<\/a><\/sup><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2611\ufe0f|\u2705<sup data-fn=\"0e69223a-0834-4c88-8e75-155cd462bd46\" class=\"fn\"><a href=\"#0e69223a-0834-4c88-8e75-155cd462bd46\" id=\"0e69223a-0834-4c88-8e75-155cd462bd46-link\">2<\/a><\/sup><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><a href=\"#security\">Security &amp; Compliance<\/a><\/td><td class=\"has-text-align-center\" data-align=\"center\"><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><a href=\"#scalability\">Scalability &amp; Maintenance<\/a><\/td><td class=\"has-text-align-center\" data-align=\"center\"><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><\/tr><tr><td 
class=\"has-text-align-center\" data-align=\"center\"><a href=\"#resources\">Time &amp; Resource Requirements<\/a><\/td><td class=\"has-text-align-center\" data-align=\"center\"><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2611\ufe0f<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><a href=\"#costs\">Cost &amp; Resource Efficiency<\/a><\/td><td class=\"has-text-align-center\" data-align=\"center\"><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2611\ufe0f<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><a href=\"#speed\">Speed of Implementation<\/a><\/td><td class=\"has-text-align-center\" data-align=\"center\"><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705|\u2611\ufe0f<sup data-fn=\"9516d75e-48c1-426d-a55e-289deb347b31\" class=\"fn\"><a href=\"#9516d75e-48c1-426d-a55e-289deb347b31\" id=\"9516d75e-48c1-426d-a55e-289deb347b31-link\">3<\/a><\/sup><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705|\u2611\ufe0f<sup data-fn=\"57dbb87f-1efe-411e-a182-a1628a719ee6\" class=\"fn\"><a href=\"#57dbb87f-1efe-411e-a182-a1628a719ee6\" id=\"57dbb87f-1efe-411e-a182-a1628a719ee6-link\">4<\/a><\/sup><\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\"><a href=\"#reliance\">Vendor <\/a><br><a href=\"#reliance\">Reliance<\/a><sup data-fn=\"d1545db0-cbf7-49c6-b09e-4e8ec54b52e4\" class=\"fn\"><a href=\"#d1545db0-cbf7-49c6-b09e-4e8ec54b52e4\" id=\"d1545db0-cbf7-49c6-b09e-4e8ec54b52e4-link\">5<\/a><\/sup><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><td class=\"has-text-align-center\" data-align=\"center\"><\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2705<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<ul class=\"wp-block-list is-style-default\">\n<li 
class=\"has-medium-font-size\">\u2611\ufe0f = mid-level support (out of the box)<\/li>\n\n\n\n<li class=\"has-medium-font-size\">\u2705 = full support (out of the box) <\/li>\n<\/ul>\n\n\n<ol class=\"wp-block-footnotes has-small-font-size\"><li id=\"ec24647d-ac7d-471e-aea7-271fe9f7976c\">As in the degree to which a solution can be tailored to requirements <a href=\"#ec24647d-ac7d-471e-aea7-271fe9f7976c-link\" aria-label=\"Jump to footnote reference 1\">\u21a9\ufe0e<\/a><\/li><li id=\"0e69223a-0834-4c88-8e75-155cd462bd46\">Depending on the desired functionality  <a href=\"#0e69223a-0834-4c88-8e75-155cd462bd46-link\" aria-label=\"Jump to footnote reference 2\">\u21a9\ufe0e<\/a><\/li><li id=\"9516d75e-48c1-426d-a55e-289deb347b31\">Depending on the vendor <a href=\"#9516d75e-48c1-426d-a55e-289deb347b31-link\" aria-label=\"Jump to footnote reference 3\">\u21a9\ufe0e<\/a><\/li><li id=\"57dbb87f-1efe-411e-a182-a1628a719ee6\">Depending on requirements <a href=\"#57dbb87f-1efe-411e-a182-a1628a719ee6-link\" aria-label=\"Jump to footnote reference 4\">\u21a9\ufe0e<\/a><\/li><li id=\"d1545db0-cbf7-49c6-b09e-4e8ec54b52e4\">As in whether or not there&#8217;s reliance on some third-party provider  <a href=\"#d1545db0-cbf7-49c6-b09e-4e8ec54b52e4-link\" aria-label=\"Jump to footnote reference 5\">\u21a9\ufe0e<\/a><\/li><\/ol>\n\n<h2 class=\"wp-block-heading\" id=\"method-of-adoption\">Method of Adoption<\/h2>\n\n\n<p> Understandably, then, when it comes to adopting CIAM, most feel they&#8217;re faced with an important decision: <strong>should we build our own CIAM solution or buy a ready-made offering?<\/strong> A <a href=\"https:\/\/www.linkedin.com\/posts\/leaddev_leaddevnewyork-activity-7237561388049555456-sJg1\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a> I recently came across on LinkedIn illustrates the build-vs-buy paradox quite nicely via a simple and easy-to-follow decision-making framework.<\/p>\n\n\n\n<div class=\"wp-block-group has-text-align-center 
has-global-padding is-layout-constrained wp-container-core-group-is-layout-7db9d80f wp-block-group-is-layout-constrained\" style=\"padding-right:0;padding-left:0\">\n<iframe loading=\"lazy\" src=\"https:\/\/www.linkedin.com\/embed\/feed\/update\/urn:li:share:7237561380164227073\" height=\"663\" width=\"85%\" frameborder=\"0\" allowfullscreen=\"\" title=\"Embedded post\"><\/iframe>\n<\/div>\n\n\n\n<p>The majority see the build option as providing the most flexibility, but also the greatest challenge; one they&#8217;d rather avoid, and to be honest, one most experts would recommend avoiding too! While building everything yourself from scratch might seem favourable, identity is complex and time-consuming, and getting it wrong can be very costly!<\/p>\n\n\n\n<p>The ready-made alternative is arguably the more attractive approach and was also discussed in a <a href=\"https:\/\/www.linkedin.com\/pulse\/customer-identity-access-management-ciam-tool-market-a7ove\/\" target=\"_blank\" rel=\"noreferrer noopener\">recent report on LinkedIn<\/a> by the <em>Aspect Dynamics Group<\/em>. Buying a subscription to a CIAM <span class=\"popup-trigger popmake-2946 \" data-popup-id=\"2946\" data-do-default=\"0\">SaaS<\/span> solution \u2014 such as Clerk, FusionAuth, Frontegg, Auth0 by Okta, Firebase from Google, Cognito from AWS, or Entra ID as part of Microsoft Azure \u2014 is a popular choice.<\/p>\n\n\n\n<p>However, vendor-provided offerings can carry a heavy price tag, particularly if you have a large user base or make extensive use of the features provided.<\/p>\n\n\n\n<p>Both approaches have advantages and challenges, with factors such as business needs, security concerns, scalability, available resources and how much of your revenue you&#8217;re willing to spend affecting your choice. 
However, there is a middle ground that often gets overlooked.<\/p>\n\n\n\n<p>With consumer-oriented software, though, much of the infrastructure you pay for in a vendor-provided SaaS solution may already be a requirement for the functionality you provide; cloud-based \u201ccompute\u201d, database, network resources, etc. could be a necessity for your solution, and delivering these (at scale) already something you need to do.<\/p>\n\n\n\n<p>A DIY (open-source) CIAM implementation \u2014 as in a pre-built (open-source) solution maintained and developed externally, but that you host within your infrastructure \u2014 could offer a different option, and one with the added benefit of enhanced flexibility at a much more cost-effective price.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-7ca6a9e08499caa92089f39816788a96 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>DIY is the method of building,\u00a0modifying, or\u00a0repairing\u00a0things by oneself. In this case, you can think of a DIY &#8211; or Deploy It Yourself &#8211; CIAM solution as tailoring an open-source implementation to suit your needs whilst minimising cost.<\/em><\/p>\n<\/div>\n\n\n\n<p>For example, a recent post on X suggests the open-sourced and cross-platform <strong><a href=\"https:\/\/dotnet.microsoft.com\/en-us\/apps\/aspnet\" target=\"_blank\" rel=\"noreferrer noopener\">ASP.NET Core<\/a> Identity<\/strong> might be a good choice, particularly if you&#8217;re a .NET developer. 
<a href=\"https:\/\/www.keycloak.org\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Keycloak<\/strong><\/a> is another one to consider \u2014 as are <a href=\"https:\/\/www.authelia.com\/\"><strong>Authelia<\/strong><\/a> and <a href=\"https:\/\/goauthentik.io\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Authentik<\/strong><\/a> (neither of which I&#8217;ve used, but of which I&#8217;ve heard encouraging things).<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\"><blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Don&#39;t implement custom auth if you&#39;re a .NET dev.<br><br>ASPNET Core Identity might be all you need.<br><br>Identity gives you:<br><br>&#8211; Authentication<br>&#8211; User management<br>&#8211; Login, logout, refresh tokens<br>&#8211; Roles and claims for authorization<br>&#8211; External authentication providers (Google, Meta)<br><br>It&#39;s\u2026 <a href=\"https:\/\/t.co\/d1N0t5Mq6Q\">pic.twitter.com\/d1N0t5Mq6Q<\/a><\/p>&mdash; Milan Jovanovi\u0107 (@mjovanovictech) <a href=\"https:\/\/twitter.com\/mjovanovictech\/status\/1880880521225376239?ref_src=twsrc%5Etfw\">January 19, 2025<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/div>\n<\/div><\/figure>\n<\/div>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>I personally use <a href=\"https:\/\/www.keycloak.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Keycloak<\/a>, and you can read more about that in my article: <\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex 
wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"jGIXys5uRO\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/07\/open-source-ciam-using-keycloak\/\">Think Open-Source for Your CIAM Integration, with Keycloak DIY<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Think Open-Source for Your CIAM Integration, with Keycloak DIY&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/07\/open-source-ciam-using-keycloak\/embed\/#?secret=u9Kge8Euwj#?secret=jGIXys5uRO\" data-secret=\"jGIXys5uRO\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n<\/blockquote>\n\n\n<h2 class=\"wp-block-heading\" id=\"features\">Features and Capabilities<\/h2>\n\n\n<p>As already discussed, processing User ID and Password credentials is the tip of the iceberg&#8230;particularly as they&#8217;re fast becoming obsolete! In today&#8217;s modern environment, more standards-based approaches for CIAM involving the use of <span class=\"popup-trigger popmake-467\" data-popup-id=\"467\" data-do-default=\"0\">OAuth 2.0<\/span>, <span class=\"popup-trigger popmake-407\" data-popup-id=\"407\" data-do-default=\"0\">OIDC<\/span> and\/or <span class=\"popup-trigger popmake-470\" data-popup-id=\"470\" data-do-default=\"0\">SAML<\/span> are preferred \u2014 approaches that also offer enhanced functionality and the ability to interoperate with third-party Identity Providers (<span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>s) and Authorization services. 
Feature functionality includes (but is not limited to):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><span class=\"popup-trigger popmake-428\" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span><\/strong> \u2014 additional authentication factors that go beyond the humble User ID and Password.<\/li>\n\n\n\n<li><strong><span class=\"popup-trigger popmake-397\" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span><\/strong> \u2014 to minimise interactive login whilst also allowing multiple identities to be associated with any given user.<\/li>\n\n\n\n<li><strong><span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span><\/strong> \u2014 leveraging Facebook, Google, Microsoft, LinkedIn, etc., thus offloading authentication and authorization to third parties.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/federation\/\" data-type=\"page\" data-id=\"1136\" target=\"_blank\" rel=\"noreferrer noopener\">Federation<\/a><\/strong> \u2014 allowing organisations to use their own <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span> deployments for authenticating and authorising user access&#8230;an absolute cornerstone for any <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS application.<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/passwordless\/\" data-type=\"page\" data-id=\"1149\" target=\"_blank\" rel=\"noreferrer noopener\">Passwordless<\/a><\/strong> \u2014 many see traditional passwordless as legacy technology; however, it still offers real value, particularly when it comes to identity validation\/confirmation.<\/li>\n\n\n\n<li><strong><span class=\"popup-trigger popmake-1879\" data-popup-id=\"1879\" data-do-default=\"0\">Passkeys<\/span><\/strong> \u2014 with Passkey implementations fast becoming the preferred 
route, biometric-style technology designed to be the de facto standard is set to replace the User ID and Password altogether.<\/li>\n<\/ul>\n\n\n\n<p>Charting the course of any CIAM approach, however, especially a course that may seem easy to start with, could result in difficulties later, perhaps even requiring a complete change of tack at some point \u2014 something which is less than ideal, especially if doing so would also hurt the user experience. So it is important to consider your requirements and strategy for both the short term and the long term. <\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-228bad9bc82d8cb6af3590d2edc30476 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>A change of CIAM approach, for example, could lead to an invalidated session, requiring the user to log in again, irrespective of any established <span class=\"popup-trigger popmake-397\" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span>.<\/em><\/p>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"customization\">Customisation and Control<\/h2>\n\n\n<p>One of the biggest advantages of building your own CIAM is the notion of having <em>complete control<\/em> over the architecture, features, and user experience. At least that&#8217;s the perception. 
Here, the view is that CIAM can be designed to meet the exact needs, integrating seamlessly with internal applications, legacy systems, and databases:<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-01667551e230ef8e3293ccb2794ef6fa is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>The perception of a requirement isn&#8217;t always what&#8217;s actually required, particularly if you base the characteristics of a contemporary solution on some legacy implementation that may not conform to modern best practices.<\/em><\/p>\n<\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can tailor features to match your specific requirements, such as implementing custom workflows for authentication, developing specialised user interfaces, or integrating with other proprietary systems.<\/li>\n\n\n\n<li>If your business evolves or has specific needs that an off-the-shelf solution doesn\u2019t accommodate, then your purpose-built implementation allows you to adapt quickly.<\/li>\n<\/ul>\n\n\n\n<p>However, this level of customisation comes at a price: developing a CIAM system from scratch requires in-depth knowledge of security protocols, compliance requirements, and identity management frameworks, which can stretch your development resources.<\/p>\n\n\n\n<p>Buying a ready-made SaaS solution can provide a convincing alternative, giving you enough flexibility out of the box to do 90% of what you need, whilst also providing customizable extension mechanisms to address most, if not all, of the last 10%. 
The downside is the ever-increasing price tag that this approach typically comes with.<\/p>\n\n\n\n<p>A DIY open-source option can be just as effective yet much cheaper. A hybrid approach \u2014 as in a mix of pre-built technology combined with customised code \u2014 can get you exactly what you need with the minimum of domain-specialised knowledge, and where financial implications are limited to the costs associated with the (hosting) infrastructure.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"security\">Security and Compliance<\/h2>\n\n\n<p>CIAM is a highly complex domain, and any missteps could lead to data breaches, loss of customer trust, and legal consequences. Whilst building a bespoke system arguably provides you with full control (at least the perception of it), a ready-made SaaS solution will typically handle the complexities of securing sensitive customer data so that you don&#8217;t have to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data Protection<\/strong>: ensuring that data is encrypted at rest and in transit; that <span class=\"popup-trigger popmake-428\" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span> is used as part of <span class=\"popup-trigger popmake-2262\" data-popup-id=\"2262\" data-do-default=\"0\">step-up authentication<\/span> workflows for sensitive operations; and that robust session management practices are in force.<\/li>\n\n\n\n<li><strong>Compliance<\/strong>: adhering to global requirements such as <strong><span class=\"popup-trigger popmake-399 \" data-popup-id=\"399\" data-do-default=\"0\">GDPR<\/span><\/strong> (General Data Protection Regulation) and <strong>CCPA<\/strong> (California Consumer Privacy Act).<\/li>\n\n\n\n<li><strong>Compliance Certifications<\/strong>: undergoing regular audits and maintaining the necessary standard(s) to ensure compliance with privacy regulations.<\/li>\n<\/ul>\n\n\n\n<p>Depending on your requirements, the open-source DIY route could provide the perfect compromise between 
the full control of a bespoke implementation and the convenience of a vendor-provided SaaS solution, allowing you to leverage industry expertise but at a fraction of the overall cost.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"scalability\">Scalability and Maintenance<\/h2>\n\n\n<p>If your consumer application is designed to handle large volumes of users, then scalability will be a major consideration. Your CIAM system must handle the growth of users and user-centric data without compromising performance. If your user base grows unexpectedly or your application experiences a sudden surge in traffic \u2014 e.g., during a product launch or sales event \u2014 your CIAM must scale seamlessly to support the demand.<\/p>\n\n\n\n<p>With some vendor-provided SaaS solutions, this could be a challenge. Or you could see your costs grow significantly. With an open-source DIY approach, you&#8217;d typically leverage the uplift in infrastructure you&#8217;ll likely need for your own application(s), thus ensuring you meet the demands without incurring additional and unnecessary charges.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-f7df82b0751875695ea473c6ab9bceb3 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>With certain <span class=\"popup-trigger popmake-1354\" data-popup-id=\"1354\" data-do-default=\"0\">B2C <\/span>or <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS software solutions, the need for flexible and scalable infrastructure is already a prerequisite. 
So any (elastic) solution already employed would lend itself ideally to an open-source CIAM approach.<\/em><\/p>\n<\/div>\n\n\n\n<p>Ongoing updates, bug fixes, and feature enhancements will require a dedicated team of maintenance-oriented and security experts. Continuously updating and evolving to ensure a system remains secure and compliant as new security vulnerabilities are discovered and new regulations are introduced will require human capital and financial investment if you build CIAM yourself. Whilst a vendor-purchased SaaS implementation goes a long way to mitigate this, an open-source approach may offer a community-oriented compromise more aligned with your resourcing and available budget.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"resources\">Time and Resource Requirements<\/h2>\n\n\n<p>Building a bespoke CIAM implementation in-house is a time-consuming process that requires a significant investment in both time and expertise on an ongoing basis. Depending on the complexity of your needs, it could take months or even years to develop, test, and deploy an effective system:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Expertise<\/strong>: You\u2019ll need a team of developers, security experts, and compliance officers to build and maintain the system.<\/li>\n\n\n\n<li><strong>Costs<\/strong>: Beyond initial development, ongoing expenditures related to security, compliance, and maintenance can accumulate over time.<\/li>\n<\/ul>\n\n\n\n<p>Given the challenges involved, building bespoke CIAM may only be feasible for large enterprises with substantial budgets and a team of experts. 
But even then, it&#8217;s seldom a recommended route.<\/p>\n\n\n\n<p>If you have a team with expertise you can draw from and\/or your consumer-oriented software solution(s) fall into the <span class=\"popup-trigger popmake-1354\" data-popup-id=\"1354\" data-do-default=\"0\">B2C<\/span> or <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS category, then the open-source DIY route can be just as effective an option, yet at a much lower overall cost.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-89f15f1f797666c717bfa1ee3510f4e1 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>There are third parties that offer hosting for open-source implementations and charge via a subscription model. Don&#8217;t confuse this with a free-tier offering from a SaaS solution vendor, which will ultimately end up as a cost option with the potential for <a href=\"#reliance\">vendor lock-in<\/a>.<\/em><\/p>\n<\/div>\n\n\n\n<p>Purchasing a vendor-provided SaaS solution offers the advantage of offloading all the effort; however, the price tag can run into the thousands or even hundreds of thousands annually for large-scale enterprise organisations.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"costs\">Cost and Resource Efficiency<\/h2>\n\n\n<p>While vendor-provided SaaS CIAM solutions come with a subscription cost, they typically offer better cost efficiency than building a custom solution. 
They eliminate the need for in-house development, security, and maintenance teams, reducing long-term operational expenses:<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-4c498814b2d2bff11c9499c35200e0f3 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\">Most vendor-provided SaaS costs are based on MAU (Monthly Active Users) as the base-level indicator of the impact on their platform. If you exclusively leverage a <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social IdP<\/span> for user authentication, say, that impact is reduced, but subscription charges will typically not reflect this.<\/p>\n<\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Predictable Costs<\/strong>: SaaS providers typically charge based on the number of monthly active users or logins, together with the functionality used. This can be easier to predict and budget for than building a custom system, though it can be less deterministic on the occasions where increased scale is required.<\/li>\n\n\n\n<li><strong>Reduced Maintenance Burden<\/strong>: The SaaS vendor takes care of ongoing maintenance, security patches, and updates, so your internal team can focus on other business-critical tasks. <\/li>\n<\/ul>\n\n\n\n<p>Depending on your requirements, a DIY implementation based on established open-source technology can be equally effective by leveraging the skills and expertise of the open-source community.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"speed\">Speed of Implementation<\/h2>\n\n\n<p>Ready-made SaaS CIAM is typically faster to integrate when compared to building a custom solution. 
In the main, a vendor subscription will provide pre-built templates and user interfaces, drastically reducing the time to market.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Out-of-the-Box Features<\/strong>: Most SaaS CIAM subscriptions include a wide range of pre-configured standards-based authentication methods, including <span class=\"popup-trigger popmake-523 \" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> logins, <span class=\"popup-trigger popmake-428\" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span>, passwordless authentication, and more.<\/li>\n\n\n\n<li><strong>Rapid Deployment<\/strong>: Cloud-based implementations allow for quicker deployment with minimal setup required, reducing the time to build your application.<\/li>\n\n\n\n<li><strong><span class=\"popup-trigger popmake-3335\" data-popup-id=\"3335\" data-do-default=\"0\">SDKs<\/span><\/strong>: Provided for both client and server-side implementations, these make it easy to incorporate the best-practice workflows and guidance that ensure safe and secure integration.<\/li>\n\n\n\n<li><strong>Pre-built Components<\/strong>: For building user interfaces, particularly when it comes to profile management and supporting regulatory compliance standards (such as GDPR).<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-8ab52aab296f8fdd7d05c6cf6c6408a6 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Most of the major players in the vendor-provided SaaS CIAM market offer free-to-use open-source <span class=\"popup-trigger popmake-3335\" data-popup-id=\"3335\" data-do-default=\"0\">SDK<\/span> packages that are not linked to 
their respective SaaS platforms. Using standards-based <span class=\"popup-trigger popmake-407\" data-popup-id=\"407\" data-do-default=\"0\">OIDC<\/span> and <span class=\"popup-trigger popmake-467\" data-popup-id=\"467\" data-do-default=\"0\">OAuth 2.0<\/span> flows often means you can use these with any DIY CIAM SaaS solution.<\/em><\/p>\n<\/div>\n\n\n\n<p>A DIY solution based on open-source technology can provide similar benefits, particularly when it comes to out-of-the-box features and rapid deployment. An implementation such as <a href=\"https:\/\/www.keycloak.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Keycloak<\/a>, for example, offers a feature set comparable to the leading SaaS CIAM vendors. In addition, you can deploy on your own infrastructure, which means you can use your own deployment mechanisms too.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"reliance\">Vendor Reliance<\/h2>\n\n\n<p>A downside to purchasing a SaaS CIAM solution is the potential for overreliance on a vendor, often referred to as <em>vendor lock-in<\/em>. If your business grows or changes, it might be challenging to migrate away from the SaaS solution to another provider or some in-house implementation.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data Portability<\/strong>: Ensure that your provider allows for easy export of user data and integration with other systems in case you decide to switch in the future.<\/li>\n\n\n\n<li><strong>Platform Resilience<\/strong>: The performance, uptime, and security of your CIAM system are reliant on the vendor platform, which may present risks in case of service disruptions or attacks.<\/li>\n<\/ul>\n\n\n\n<p>With a DIY open-source approach, this isn&#8217;t typically an issue. 
Again, systems like <a href=\"https:\/\/www.keycloak.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Keycloak<\/a> give you the choice of where to store user-centric data as well as the ability to leverage the disruption protection mechanisms you likely already deploy.<\/p>\n\n\n\n<p>In fact, with an open-source implementation, CIAM and the bespoke functionality of your consumer-oriented software solution can become atomic \u2014 thus you no longer need to cater for vendor-hosted CIAM being down whilst your services are still up and running. Or vice versa.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Customer Identity and Access Management (a.k.a CIAM) provides the tools, processes, policies and design patterns to manage and secure customer identities and control access to applications, services, and resources. CIAM ensures that only authenticated and authorized users can access restricted information and functionality, and enables self-service capability as part of a safe and seamless user experience.<\/p>\n","protected":false},"author":1,"featured_media":308,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"authenticate":"","authentication":"","authenticatedMethod":"","authenticatedMember":"","authorizedPermissions":[],"_jetpack_memberships_contains_paid_content":false,"footnotes":"[{\"content\":\"As in the degree to which a solution can be tailored to requirements\",\"id\":\"ec24647d-ac7d-471e-aea7-271fe9f7976c\"},{\"content\":\"Depending on the desired functionality \",\"id\":\"0e69223a-0834-4c88-8e75-155cd462bd46\"},{\"content\":\"Depending on the vendor\",\"id\":\"9516d75e-48c1-426d-a55e-289deb347b31\"},{\"content\":\"Depending on requirements\",\"id\":\"57dbb87f-1efe-411e-a182-a1628a719ee6\"},{\"content\":\"As in whether or not there's reliance on some third-party provider 
\",\"id\":\"d1545db0-cbf7-49c6-b09e-4e8ec54b52e4\"}]","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_links_to":"","_links_to_target":""},"categories":[7],"tags":[4,6],"class_list":["post-127","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-integration","tag-buyvsdiy","tag-diy"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/01\/27141803\/create-a-high-resolution-detailed-diagonally-split-featured-image-focusing-on.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/comments?post=127"}],"version-history":[{"count":161,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/127\/revisions"}],"predecessor-version":[{"id":5444,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/127\/revisions\/5444"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media\/308"}],"wp:attachment":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media?parent=127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\
/v2\/categories?post=127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/tags?post=127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}