Prioritizing innovation: why PlanetScale decided against building SSO and SCIM in-house
PlanetScale is a MySQL-compatible database that brings you scale, performance, and reliability — without sacrificing developer experience. As the company grew and started attracting larger customers, the need to support enterprise features like SSO and SCIM provisioning became critical.
Build vs. buy
PlanetScale had initially built an authentication layer using Devise, an open source solution for backends built with Rails. Devise offered more flexibility and customizations for email-based auth and OAuth compared to alternatives like Auth0, but for SSO, the homegrown solution was not sufficient.
They needed a solution that could seamlessly integrate with their existing auth stack. Similar to Devise, the team briefly considered building SSO in-house, but realized it would take significant engineering resources.
“Enterprise customers want SSO as well as SCIM to easily manage user onboarding and offboarding. At some point, we looked into open-source options for Rails.” said Iheanyi Ekechukwu, Software Engineer at PlanetScale.
SAML can be complex, and WorkOS’ abstraction was perfect for us. It integrated seamlessly with our existing authentication stack without any loss of functionality. It's been working great, and we've been very happy with it.
Key factors for choosing WorkOS:
PlanetScale chose to buy instead of build, and selected WorkOS as their SSO and SCIM provider. Key factors in the decision were:
- Ease of integration with their existing authentication stack
- Ability to support a wide range of identity and directory providers
- Transparent and affordable pricing
- Hands-on support from the WorkOS team
Ensuring proper access management with SCIM
By partnering with WorkOS, PlanetScale was able to offer enterprise-grade SSO and user provisioning to their customers in a matter of days, not months.
"User lifecycle management can be tricky because sometimes people get offboarded without us realizing it. With Directory Sync and webhooks, we can easily ensure they're no longer part of the organization if they leave and their account gets deactivated.” Iheanyi noted.“ These webhooks have been fantastic for proper offboarding and automating tasks like adding members to a team or granting access to the database. It's much simpler and more efficient compared to other methods where you can't always be sure that a user is correctly assigned."
Iheanyi estimates that just the initial SCIM implementation with a single IdP support would have taken at least a couple months of dedicated engineering time. With WorkOS, PlanetScale can also support complex enterprise use cases like role-based access control and just-in-time provisioning - all with a single engineer overseeing the integration. In steady-state, Iheanyi spends less than one day per month on WorkOS-related tasks.
Investing engineering resources in areas that matter
Nick Van Wiggeren, CTO at PlanetScale, remarked that it’s common to see teams of up to seven engineers just to maintain SSO support. Knowing this, Van Wiggeren was adamant in outsourcing SSO and SCIM support from the start. While his team did consider other point solutions, he found WorkOS far and away the easiest to integrate.
Versus doing it yourself, WorkOS takes a tenth of the time to integrate. Versus an alternative, it takes half the time.
By buying instead of building, PlanetScale has been able to focus their engineering resources on core product functionality that differentiates them in the market. The result is faster sales cycles, happier customers, and more time to innovate.
Database Platform
Add SSO,
the easy way.
WorkOS provides a single, elegant interface abstracting dozens of enterprise integrations.