Scaling with modularity: integrating SCIM on top of SSO to close even larger customers
Webflow is a visual-first web design tool that helps users create awesome web experiences with minimal coding. Their platform is used daily by enterprises like PWC, Dell, Rakuten, and Philips. To meet the needs of these high-profile customers, Webflow needed to move upmarket quickly, shipping features like single sign-on (SSO) and Directory Sync (SCIM).
David Kramer, a senior engineering manager on the enterprise features team at Webflow, has been involved with maintaining the company's SSO integration with WorkOS for the past three years. Webflow recently integrated WorkOS Directory Sync to meet the needs of larger enterprises, ensuring that when users are offboarded, their access to Webflow is automatically revoked.
The missing bridge to larger enterprises
According to Kramer, SCIM had been a longstanding request from the sales team. "We were leaving deals on the table because we just didn't have SCIM support and that was a hard requirement for larger organizations," he explained. IT departments wanted an automated workflow to immediately deprovision access once employees left the company, and this was considered table stakes during the procurement process.
Build vs. buy
The team also considered building SCIM in-house but quickly abandoned the idea when they realized the significance of the engineering cost.
Kramer estimated it would require a small team of 2-3 engineers working for upwards of a quarter to build a reliable SCIM integration with just a single identity provider (IdP). But the real cost would kick in once the team had to expand support for multiple providers and oversee all related maintenance tasks.
Integrating SCIM on top of SSO:
Since Webflow was already using WorkOS for SSO and had a positive experience, adopting WorkOS Directory Sync became the clear choice. Using the same platform would minimize complexity compared to introducing a separate vendor just for SCIM.
"Based on our positive experience with WorkOS’ reliability, support, and responsiveness, we knew we could count on their platform," said Kramer. "The ability to easily add Directory Sync connections made it incredibly cost-effective."
Another perceived value of using WorkOS was that there wasn’t any fear of vendor lock-in. Kramer explained, “It never felt like a one-way door to us. We could see how the POC went and decide to go with another vendor if we really wanted to.”
According to Kramer, the engineering time required to implement SCIM with WorkOS was very straightforward. It took less than a couple of weeks with one engineer while balancing other core tasks.
Streamlined onboarding for both SSO and SCIM with the Admin Portal
The Admin Portal has been a game-changer for onboarding SSO customers. The onboarding team was thrilled to realize that the same UI onboarding experience can be extended for SCIM.
"Personally, I appreciate the portal's step-by-step guidance for setting up connections, whether in Google Workspace or Okta. It simplifies the process, making setup straightforward and efficient," said Kramer.
Enterprise growth powered by WorkOS
With WorkOS Directory Sync, Webflow is better equipped to serve the entire spectrum of enterprise customers. While the feature was only recently rolled out, Kramer believes the need for SCIM will grow as Webflow continues pursuing larger accounts. Many companies manage user roles and permissions through their identity provider, so syncing that to Webflow via SCIM is a natural next step.
Webflow is also exploring WorkOS' new RBAC and Fine-Grained Authorization (FGA) solutions as the company evolves its own access control system. By adopting these key enterprise features that WorkOS supports, Webflow will continue to accelerate its expansion upmarket.
Web Development
Add SSO,
the easy way.
WorkOS provides a single, elegant interface abstracting dozens of enterprise integrations.