Build vs. buy part II: ROI comparison between homegrown and pre-built solutions

In part 1 of "Build vs. Buy," we highlighted common roadmap challenges engineering teams face when building SSO and Directory Sync (SCIM) from scratch. Part 2 goes one step further, analyzing the total cost of ownership, revenue impact, and the ROI of build vs. buy across a three-year timeline.

Total cost for an in-house solution is based on the amount of resources needed for each stage of development:

• Infrastructure: Initial work that includes customer research, customizing open source libraries, reliability testing, and more.
• Feature expansion: Developing additional features like domain verification and JIT provisioning for SSO and custom-mapped attributes and IdP role assignment for SCIM.
• Maintenance: Ongoing overhead for managing security incidents, bugs, and support tickets.
• Onboarding: Cost related to manually onboarding IT admins.

Revenue is calculated based on the expected enterprise customer growth. In the build scenario, this growth is slower because of the delayed time to market and the gradual process of improving scalability and adding new features.

Build Scenario

9% ROI = ($3,900,000 total revenue - $3,564,413 total cost) / $3,564,413 total cost * 100

Buy Scenario (WorkOS)

1,954% ROI = ($11,850,000 total revenue - $576,900 total cost) / $576,900 total cost * 100

The calculations are based on insights from engineering leaders with hands-on experience in developing enterprise features. This article is specifically designed for product and engineering leaders who want to explore the metrics in detail. It's an essential and practical tool for startups grappling with the build vs. buy decision.

Build cost

The cost for a homegrown solution is split into two main factors. The first is a fixed value, which includes the work required for infrastructure, feature expansion, and maintenance. The second is a variable onboarding cost that depends on the expected enterprise customer growth. Both of these cost drivers are calculated based on the estimated number of hours and the hourly salary.

Fixed cost

In addition to the number of hours and the hourly salary, there is a third component, which is the number of developers working on a task. Although team size can vary across companies, a common org structure that engineering leaders described was starting with a team of 2-3 ICs and reaching a cap of 8 as the solution becomes mature. Engineering leaders also specified that SSO and SCIM were maintained by different teams in their organizations.

For example, customizing open source libraries is a task that falls under the infrastructure work for SSO. For a team of three, this would take about 2 weeks or 80 hours to complete. Hiring an experienced developer based in SF would cost around $300K per year or $150/hr. This captures not only the base salary but also equity, administrative cost, benefits, payroll taxes, etc. The total cost for this specific task would be $36K.

$36,000 = 80 hours * 3 developers * $150/hr

Variable cost

The second factor, which is the onboarding cost, depends on how many enterprise customers you expect to bring in each year. SCIM is typically introduced after SSO in year 2. Since it caters to even larger organizations with stricter security requirements, adoption tends to be a bit lower than SSO. It’s also more complex to build, and organizations develop this after they have shipped SSO.

As mentioned earlier, the growth rate is slower in the build scenario. This also results in lower adoption rates for SSO and SCIM in the first year they are launched. Overall, the cumulative customer growth follows a baseline -> double -> double pattern.

In the buy scenario with WorkOS, you benefit from immediate deployment, reliability, and access to a complete feature set. This allows you to win more enterprise customers in the first year and accelerate growth.

Cumulative customer growth follows a baseline -> triple -> double pattern that is commonly seen in companies using WorkOS.

Infrastructure development

SSO infrastructure

Infrastructure development is the first task that needs to be completed for both SSO and SCIM. 

In Year 1, for a team of 3 engineers, it takes 400 hours or 3 months to complete the infrastructure work. This is broken down into conducting customer research, customizing open-source libraries, testing the integration, and security work. All of these can be bucketed as a once-and-done type of activity. 

There is a second component, which is custom work required for supporting each additional IdP. This typically requires about 40 hours, or one week, for the team to complete. In the first year, the plan is to support 2 IdPs, with 1 additional IdP added in both the second and third years. For context, Okta, Entra ID (Azure), and Google account for over 80% of all SSO connections among WorkOS customers.

SCIM Infrastructure

Infrastructure development for SCIM starts in year 2. While the tasks remain the same, the number of hours increases because the process is more complex than SSO. For a team of 3 engineers, it takes 600 hours or just under 4 months to complete.

Custom work required for each additional IdP is also more complex than SSO, requiring about 80 hours or 2 weeks to complete. According to WorkOS customer data, Okta and Entra ID account for approximately 80% of SCIM connections, while Google Workspace represents less than 10%. Given this usage data, it makes sense to deprioritize supporting Google Workspace, but there is another reason why it is a good idea to defer this to year 3.

Supporting Google Workspace for our SCIM solution took about 3 quarters. It's riddled with intricacies unlike other providers, and getting your app accepted into their user provisioning catalog can take several weeks of work.

Founder at a series B cybersecurity startup

This is why 240 development hours, or 1.5 months, have been allocated for year 3 to support Google Workspace, even though it involves only one IdP.

‍Just the initial SCIM implementation with a single IdP support would have taken at least a couple months of dedicated engineering time. With WorkOS, we could support complex enterprise use cases like role-based access control and just-in-time provisioning - all with a single engineer overseeing the integration. 

Iheanyi Ekechukwu, software engineer at PlanetScale 

Total infrastructure cost

The total infrastructure-related hours across 3 years will be 1,880 for SSO and 3,480 for SCIM. Multiplying the total number of hours by the hourly developer salary results in $804,000 in total infrastructure cost.

$804,000 = (1880 SSO development hours + 3480 SCIM development hours) * $150

Feature expansion

After infrastructure work is complete, and the solution has shipped to the first batch of enterprise customers, teams will focus on expanding the feature set. This is separate from critical work that is required to support additional IdPs or handle maintenance issues.

Examples of SSO features include:

• support for multiple OAuth providers
• custom domains
• domain verification
• domain capture
• organization auth policies
• JIT provisioning
• identity linking

Examples of SCIM features include:

• custom-mapped attributes
• IdP role assignment
• Data syncs with the Events API 

Developing these features in-house requires significant work. It involves understanding and integrating various protocols (SAML, OAuth, OIDC), ensuring compatibility across different providers, and releasing ongoing updates. Engineering teams can expect to spend 20-30% of their time building these features. 

Feature development is deferred to year 2, since the first year is likely focused on maintenance, bug fixes, and customer onboarding. As things become stable, engineering teams can allocate more time to developing new features, increasing their focus from 20% in year 2 to 30% in year 3. Since costs are calculated based on the percentage of engineering bandwidth over an entire year, there's no need to track the exact number of hours. The total cost for feature development amounts to $1,470,000.

$1,470,000 = (8 total developers in year 2 * $300,000 * 20% bandwidth) + (11 total developers in year 3 * $300,000 * 30% bandwidth)

Maintenance

During interviews, the consensus among engineering leaders was that engineers spend about 15-20% of their time on maintenance tasks. These tasks include managing security incidents, resolving bugs, renewing SAML certifications, and providing ongoing customer support.

We have a dedicated team that manages authentication, user logins, and SSO, and maintenance-related work takes up about 20% of their time.

Engineering lead at a publicly traded productivity platform

But there is one more layer of detail to the equation, which is maintenance performed by the customer success team. The model is designed to capture how engineering-led maintenance is gradually replaced by customer success over time.

For developers, the percentage of their time spent on maintenance decreases from 20% in years 1 and 2 to 15% in year 3. Meanwhile, customer success involvement increases from 0% of their time in year 1 to 10% in year 3.

$1,155,000 developer-led maintenance cost = (3 developers in year 1 * 20% * $300K) + (8 developers in year 2 * 20% *$300K) + (11 developers in year 3 * 15% *$300K) 

$75,000 customer success-led maintenance cost = (2 customer success reps in year 2 * 5% * $150K) + (4 customer success reps in year 3 * 10% * $150K)

Adding both of these costs equals $1,230,000 in total maintenance cost. 

$1,230,000 = $1,155,000 + $75,000

Onboarding

According to customer interviews, before integrating WorkOS, it took an average of 5 hours to onboard customers for SSO and 10 hours for SCIM. Over time, as the onboarding process improves, customer success teams gradually take over this task from engineering, which further reduces the time required.

Prior to using WorkOS, we were spending about 10-20 hours per customer for onboarding.

Dallin Hale, software engineer at Tactic

SSO onboarding

For SSO onboarding, the time required per customer decreases as more customers are onboarded: 5 hours for the first 10 customers, 3 hours for the next 40, and 2 hours for each customer after that.

In the first year, engineers handle all the onboarding. In the second year, the work is split 30% engineers and 70% customer success. By the third year, customer success handles 95% of the onboarding, with engineers only involved 5% of the time.

The total SSO onboarding cost for 100 customers across three years amounts to $29,438.

$18,375 (engineering-led) = (95 onboarding hours in year 1 * 100% * $150) + (75 onboarding hours in year 2 * 30% * $150) + (100 onboarding hours in year 3 * 5% * $150)

$11,063 (customer success-led) = (95 onboarding hours in year 1 * 0% * $75) + (75 onboarding hours in year 2 * 70% * $75) + (100 onboarding hours in year 3 * 95% * $75)

$29,438 = $18,375 + $11,063

SCIM onboarding

SCIM onboarding follows a similar pattern but starts at 10 hours per customer since it requires more troubleshooting: 10 hours for the first 10 customers, 6 hours for the next 40, and 2 hours for each customer after that. It also requires more engineering involvement than SSO.

The total SCIM onboarding cost for 30 customers across three years amounts to $30,975.

$28,950 (engineering-led) = (130 onboarding hours in year 2 * 100% * $150) + (90 onboarding hours in year 3 * 70% * $150)

$2,025 (customer success-led) = 90 onboarding hours in year 3 * 30% * $75

$30,975 = $28,950 + $2,025

Total onboarding cost

The total onboarding cost for both SSO and SCIM amounts to $60,413.

The research for building an onboarding UI for admins would take weeks. Having to get access to all the different IdPs, learn about their quirks, and create a comprehensive tutorial for end users...the amount of time and effort required would be staggering.

Chris Pickett, staff engineer at Prefect

Total Build Cost 

In summary, the total build cost including infrastructure, feature development, maintenance, and onboarding adds up to $3,564,413.

Buy scenario with WorkOS

Figuring out the cost of using WorkOS is straightforward. The pricing model is transparent and allows for easy forecasting as your customer base grows. Pricing is determined by the number of connections for both SSO and SCIM. It starts at $125 per connection for the first 15 connections and decreases to $65 per connection with tiered discounts in between. Unlike MAU-based pricing, which can fluctuate significantly, connections-based pricing offers a more predictable and scalable solution for your growth.

With the projected baseline -> triple -> double growth, the total cost of using WorkOS amounts to $528,300.

But there is another component that is true when integrating any third-party tool: maintenance. On average, WorkOS customers allocate one developer for a full day, or 8 hours, each month to manage the WorkOS integration. This adds up to about 100 hours per year, costing $15,000 annually. This amounts to $45,000 over three years.

My involvement in keeping the WorkOS integration stable is pretty minimal, and that's a good thing. It's out of sight, out of mind, which is great. It means I get to focus on things that actually do break and take up more of my brain space. 

Jeff Lloyd, tech lead at Warp.

Post-integration maintenance with WorkOS has been minimal, with the last update occurring three months ago.

Chris Pickett, staff engineer at Prefect

The final piece is the cost of using the Admin Portal, an automatically updated, self-serve onboarding UI for IT admins to roll out SSO and SCIM. It’s a flat $99 per month, which translates to $1,200 per year. Onboarding cost is completely replaced by the Admin Portal cost, resulting in $576,900 as the total cost of using WorkOS.

$576,900 = $528,300 (connections-based cost) + $45,000 (integration maintenance) + $3,600 (Admin Portal cost)

By enabling self-serve setup through the WorkOS Admin Portal, Prefect has eliminated most of the back-and-forth required to onboard new customers. We estimate that with the Admin Portal, our team has saved 300 hours for 100+ SSO connections that we have provisioned so far. 

Chris Pickett, staff engineer at Prefect

Our customers love the Admin Portal because it’s so easy to use, and it makes our enterprise plan seem really polished.

Nathan Rajlich, sr. software engineer at Vercel

Cost difference

The cost difference between building a solution in-house and using WorkOS amounts to $2,987,513. But to quantify the ROI, you need to figure out the revenue impact, which will be covered in the next section.

ROI

ROI is calculated by dividing the net profit (difference between revenue and cost) by cost.

To keep things consistent, $30,000 is the annual contract value allocated for each new enterprise customer. For the build scenario, this results in a total ARR growth of $3,900,000. 

Subtracting the total cost, $3,564,413, from $3,900,000 results in $335,588 as the net profit. This results in an ROI of 9%.

9% = ($3,900,000 - $3,564,413) / $3,564,413 * 100

In the buy scenario with WorkOS, the total ARR growth amounts to $11,850,000 with the net profit being $11,273,100.

The final ROI of using WorkOS equals 1,954%

1,954% = ($11,850,000 - $576,900) / $576,900 * 100

Benefits of using WorkOS

Note that some of the inputs included in the model, such as the projected customer growth, ACV, and the team size can be modified in a calculator that will be released soon. Understandably, there is variance in these inputs depending on your company’s current maturity, but the benefits of using WorkOS are clear.

Rather than spending years on R&D, maintenance, and ongoing customer support, you can choose WorkOS to ship enterprise features on day 1. It’s a smarter business decision that comes with faster time to market, immediate scalability, and proven reliability, even for the largest enterprise customers.

It’s the same reason why companies like Perplexity, Vercel, Webflow, Loom, Drata, Brex, Carta, Cursor, and Warp all chose WorkOS over building SSO and SCIM from scratch. For organizations that want to keep their engineering teams focused on innovating core products, WorkOS is the perfect solution.