Build vs. Buy: 5 Questions to Ask When You Need to Offer SSO or Directory Sync
Discover if building or buying identity management solutions fits your business needs.
Webflow, a current WorkOS customer, found that developing SSO internally could take a small team of engineers upward of a quarter, highlighting the time-intensive nature of in-house identity management.
And that's just for SSO! When you factor in other essential identity features, it’s easy to see how building identity management in-house could drain countless engineering hours from your core product development.
In this article, we will discuss:
- The challenges of building identity management in-house
- Benefits of buying identity management solutions
- Whether you should build vs. buy identity management
- What to consider before deciding
What is identity management?
Identity management involves managing user authentication, authorization, and the lifecycle of user accounts across systems.
One of its core benefits is robust security and improved access control. By centralizing authentication, identity management solutions make managing access, monitoring suspicious activity, and consistently enforcing security policies easier.
Challenges of building identity management in-house
The high learning curve for identity protocols
Before your engineering team can begin building a custom identity management solution, they’ll need a solid understanding of SSO authentication flows and SCIM for user provisioning.
If they are new to using SSO, they need to do quite a bit of upfront research into the various protocols, like SAML, OAuth, and OpenID Connect, to ensure that the systems are set up properly.
The same goes for SCIM. While SCIM is a standard, every provider has unique implementation details and quirks that must be accounted for. This means your team will have to spend time learning how to handle these variations across different identity providers. Navigating these complexities and ensuring seamless integration with multiple IdPs can be a significant time sink, even for experienced developers.
Learn more about the complexities of building SSO and SCIM in-house in the full article.
Higher risk of security vulnerabilities
Because getting authentication wrong is a significant security concern, your engineers will also need to understand and mitigate the security risks inherent to managing identities. Engineers are capable of learning these things, but given the learning curve, you’ll need to consider whether doing so is the best use of their time and skills.
Opportunity cost and resource allocation
Every line of code your engineers write to recreate an existing service you chose not to buy is a line not written for your core product.
Can you realistically remove 2 to 3 (or more) engineers from product engineering to build and maintain a full-fledged identity management system? That would mean less time dedicated to building the thing that will give your business a competitive advantage.
Ongoing demand for new IdP integrations
Even with a dedicated team to build the in-house authentication system, it could take months, even the better part of a year, to integrate enough IdPs such that you can provide identity management solutions like SSO or Directory Sync to the majority of potential customers without having to practice “sales-driven development”. This months-long time frame would be even longer if you don’t have engineers working on it full-time.
Long-term maintenance requirements
Each integration will require its own code and tests, which need to be updated periodically to avoid code decay. While you won’t usually have to make changes to an integration after it’s in production, you will need to handle any edge cases that pop up and implement a monitoring system for performance and uptime linked to your on-call rotation.
Limited availability of support and resources
Despite the ubiquity and importance of authentication in our digital world, comparatively few people understand it thoroughly enough to help troubleshoot building it.
StackOverflow is the first choice for many developers when it comes to debugging. At the time of this writing, there are 1,784 questions on StackOverflow with the single-sign-on tag that have no answer or no accepted answer.
That’s nearly 23% of the total 7,762 questions. Similarly, the SAML tag has 764 questions with no explanation or accepted answer out of 3,602 total questions (nearly one in four).
The relatively low volume of SSO- and SAML-related questions on StackOverflow compared to other technologies and languages is telling. And these are just two of the features you’ll need to implement.
Benefits of buying identity management solutions
Below are the main benefits you’ll enjoy if you buy a solution:
- Quick deployment: Most identity management solutions have pre-built integrations for popular IdPs like Okta, Google, and Microsoft Entra. That means you can support diverse customer needs immediately without building custom integrations for each new customer.
- Maintenance is included: You get ongoing maintenance, updates, and monitoring as part of the package. This takes the burden of upkeep off your team.
- Scales as you grow: Bought solutions are designed to scale. As your customer base grows, you can add new IdPs and manage more users without rethinking your architecture.
- Security and compliance are built-in: Identity management providers prioritize security and compliance. It’s their core business, giving you a robust foundation that is regularly updated to meet industry standards.
Build vs buy identity management: Key considerations
Before you decide to build or buy, consider the following 3 things:
1. Cost and time
Building an identity management solution in-house requires a significant upfront investment in both cost and time. It means dedicating engineers to design, build, test, and then keep up with maintenance, which pulls them away from core product work.
For example, PlanetScale estimates that the initial SCIM implementation would have taken at least a couple of months of full-time engineering work—and that’s just for a single IdP.
On the other hand, buying a ready-made solution can significantly reduce development time and costs in the long run, so your team can stay focused on features that matter to your users.
In case you’re not convinced, here’s an analysis of the total cost of ownership, revenue impact, and the ROI of build vs. buy across a three-year timeline.
2. Security and compliance
One major advantage of buying an identity management solution is the built-in security and compliance. Most providers have built-in compliance for industry standards like GDPR or SOC 2, meaning they’re ready to protect your data from day one. This keeps your product secure and up-to-date without building and maintaining all the security measures yourself.
3. Integration with existing systems
Bought tools are designed to play nicely with other platforms, making it easier to get them working with your existing setup. When you build in-house, you often need extra testing and adjustments to ensure everything fits.
Making the decision
Here are some best practices to follow when making a build vs. buy decision:
- Evaluate team size and resources: The younger the company and the smaller the team, the more sense it often makes to buy existing software rather than build it in-house. Larger teams with dedicated resources may have more flexibility to build in-house if they have the bandwidth.
- Assess growth stage and customer demands: Young companies can often benefit from purchasing a solution to meet customer expectations for SSO or Directory Sync quickly. As a company grows and customer demands become more complex, it may revisit the decision based on evolving needs.
- Consider long-term maintenance costs: The decision to build means committing to long-term maintenance, including updates, security, and compliance. For companies without dedicated support for ongoing maintenance, buying a solution minimizes these long-term costs and upkeep requirements.
- Analyze integration requirements: If the product requires integration with multiple IdPs, buying a solution can ease the complexity, as pre-built solutions often come with these integrations.
How WorkOS simplifies identity management
WorkOS streamlines identity management, eliminating the build vs. buy dilemma and boosting value delivery. Here’s how:
- One API, Countless IdPs: Connect with major identity providers through a single, API-based integration. You do not need to build and maintain multiple SSO connections yourself.
- Self-service onboarding with the Admin Portal: The WorkOS Admin Portal gives your customers control, allowing IT admins to set up SSO and Directory Sync (SCIM) configurations independently.
- Real-time sync with Directory Sync and Events API: Sync with any SCIM-compliant identity provider and process provisioning requests at your own pace with the Events API.
- Enterprise-grade security and compliance: WorkOS has built-in security features like MFA, password validation, and bot detection. Plus, it's SOC 2 and GDPR compliant, so you don’t have to worry about jeopardizing your compliance status.
Ready to start building? Sign up for WorkOS today, and start selling to enterprise customers tomorrow.