Why Look Around?
Heya,
I mentioned before that CIAM solutions are sticky. They are relatively undifferentiated, typically take engineering time to implement, and are critical to your application’s functionality. That means that ripping and replacing them is pretty painful.
What are reasons why an engineering leader or team might look at switching their CIAM solution?
I've talked to a lot of folks about why they are thinking about migration. It usually happens because of pain. Here are the broad categories of pain I see:
Cost: this could be the expense of a vendor product or it could be engineering opportunity cost. If cost changes radically because a vendor raises prices or changes terms, people look up and evaluate other solutions. If feature development is impeded because engineers are troubleshooting an auth issue instead of building or maintaining core features, that also causes people to look up and evaluate solutions.
Availability: this is more commonly an issue for SaaS solutions. If your auth vendor goes down one time and impacts your end users, you might forgive them. Twice, you start looking around.
End-of-life: sometimes a vendor will be purchased and their product shut down. Or an open source project might be abandoned. This isn't something that happens regularly, but when it does, engineering teams will be looking for alternatives. How urgently depends on when the service will be shut down and if there’s a self-hostable lifeboat. They also might look up and evaluate other solutions if a vendor is purchased, just because of the increased business risk.
Features: there may be auth features that are troublesome (or impossible) to build and maintain, even with OSS libraries or a framework, but that are required by a customer. Vendors offer a pre-built solution with a lower total cost of ownership. This could be something user facing, like MFA or password rules, or something more admin facing, like SSO configuration or SIEM integration.
Risk: storing and securing user credentials is difficult to do properly. Offloading this to a vendor can help, so if an organization is worried about this or has been found non-compliant by their customers, that can cause a change to their CIAM solution. Vendors are usually required to have certifications like SOC 2 or ISO 27001 to be considered as an option to alleviate this type of pain.
New capabilities: sometimes using a vendor gives you new capabilities that would be difficult to build in-house but that you really need. This is slightly different from features because it's more generic. An example would be localization. These tend to be discovered deeper in the evaluation process.
Bundled solutions: integration work across multiple vendors can hurt, and it is appealing to replace multiple vendors with one. I know some CIAM vendors offer additional functionality such as fine-grained authorization or subscription management on top of identity.
All these are reasons to consider migrating from an existing CIAM solution to another one.
Cheers,
Dan