Build vs Buy CIAM: A 2026 Framework for the Decision
Updated 2026-05-07 · 11 min read · By @guptadeepak
Key takeaways
- The build-vs-buy answer in 2026 favors buy for almost all SaaS startups: managed CIAM has matured, and the CIAM-specific complexity (passkeys, SAML, SCIM, FGA) has grown faster than DIY can keep up with.
- Self-hosting open-source CIAM (Keycloak, Ory, FusionAuth, Authentik) sits between build and buy: the team owns the data and infrastructure but inherits a maintained codebase.
- Build-from-scratch CIAM is a rounding error of CIAM deployments in 2026; the only real reasons are extreme regulatory constraints or genuinely novel auth requirements.
- The hidden costs of build are SAML edge cases, SCIM provisioning, audit logging at scale, MFA enrollment UX, and the ongoing maintenance of a security-critical surface.
- The right framework: total cost of ownership over 3 years, including engineering time, security incidents, and the opportunity cost of features not built.
The 2026 default has shifted
The strongest argument against building is opportunity cost: engineering time spent reimplementing auth is engineering time not spent on the differentiated product features customers actually pay for.
The three options
Decision space:
Build from scratch. Custom auth implementation tailored to the application. Maximum control, maximum cost, maximum security risk.
Self-host open source. Run Keycloak / Ory / FusionAuth / Authentik / Zitadel on owned infrastructure. Ownership of data, no vendor lock-in, operational responsibility.
Buy managed. Use Auth0, Microsoft Entra External ID, Stytch, Clerk, MojoAuth, Frontegg, etc. Minimum implementation cost, vendor pricing, less control.
Most teams should choose between the latter two; build-from-scratch is rarely the right answer in 2026.
What buying actually covers
Modern managed CIAM platforms ship all of the following as commodity:
- Email + password auth with secure storage
- Passwordless (magic link, OTP)
- Passkeys / WebAuthn
- TOTP, SMS, push, and biometric MFA
- OAuth / OIDC + SAML federation
- Per-Org SSO + SCIM (B2B)
- Adaptive risk-based auth
- Account takeover defense
- Audit logging
- GDPR / CCPA / SOC 2 compliance posture
- Multi-region availability and SLAs
Building all of this in-house, and building it well, is genuinely a multi-year project for a small team. Most teams that try ship 60% of it, neglect the unglamorous parts (recovery flows, audit log retention, abuse rate-limiting), and end up with a system that meets their initial needs but accrues security debt over time.
What self-hosting open source covers
Keycloak, Ory, FusionAuth, Authentik, and Zitadel cover the same surface area as managed CIAM, with two trade-offs:
Pro: data residency, no per-MAU pricing, no vendor lock-in, ability to customize.
Con: operational responsibility, meaning running multi-region stateful services with a security, availability, and compliance posture comparable to managed CIAM.
For teams with strong DevOps capability, self-hosting at 10k-100k MAU often beats managed pricing. Above 100k MAU, it nearly always does. Below 10k MAU, the operational overhead usually outweighs the license savings.
What building from scratch costs
A realistic CIAM-from-scratch budget for a B2B SaaS targeting enterprise customers:
- 6-12 months with 2-4 senior engineers to reach feature parity
- $500k-$2M in fully-loaded engineering cost
- 3-6 months for the initial security audit and remediation
- Ongoing 1-2 engineers indefinitely for maintenance, vulnerability response, and feature additions
- Compliance certifications (SOC 2, ISO 27001) that managed vendors include become customer-paid line items
The total 3-year TCO for a homegrown CIAM that is actually production-grade is typically $1.5M-$5M. Compared to managed CIAM at $50k-$500k/year over the same period, the math rarely closes.
The hidden complexity
Teams that estimate "we'll build auth" routinely underestimate:
SAML edge cases. Every IdP (Okta, Microsoft Entra, Google Workspace, Ping, OneLogin) has quirks: signature canonicalization, namespace handling, attribute encoding, NameID format. Production-grade SAML is months of edge cases.
SCIM provisioning. Spec compliance plus per-IdP behavior plus rate-limiting plus initial-sync handling for 10k+ user populations.
Recovery flows. Lost password, lost MFA, lost passkey, account merge: each has its own security and UX considerations. Recovery is where most homegrown CIAM systems are weakest.
Audit logging at scale. Searchable, retained 365+ days, per-Org access for B2B, tamper-evident for compliance.
Abuse defense. Rate limiting, bot detection, credential stuffing defense, breach response. The abuse traffic never stops, so this layer is a constant operational load.
Compliance reporting. SOC 2 controls, GDPR data export, audit-trail completeness: the controls that actually pass audits.
For each of these, the managed vendors and mature open-source projects have years of customer-driven refinement. Building from scratch starts at zero.
When build can still make sense
Three narrow cases:
- Extreme regulatory constraints. Sovereign cloud, classified networks, jurisdictions where managed CIAM cannot operate. Even here, open-source self-hosted usually fits.
- Genuinely novel auth requirements. Hardware-token-only environments, custom federation protocols, post-quantum cryptography mandates ahead of vendor support. Rare in 2026.
- You are the CIAM vendor. If CIAM is your product, you build it.
Outside these, the answer is buy or self-host.
A practical framework
A simple decision flow:
- Pre-product / 0-1k MAU: managed free tier (Auth0 Free, Clerk Free, Stytch Free, Microsoft Entra External ID Free, MojoAuth Free). Worry about cost when you have customers.
- 1k-10k MAU, no compliance constraints: managed CIAM at the matching tier. Engineering time stays on the product.
- 10k-100k MAU, B2B SaaS: managed B2B CIAM (Frontegg, WorkOS, Auth0 Organizations, MojoAuth, SSOJet). The Org-level config alone justifies the pricing.
- 100k+ MAU, cost-sensitive: evaluate self-hosting (Keycloak, Ory, Zitadel) against managed renewal. Often the math closes here.
- Hard sovereignty / no foreign legal process: self-host on owned infrastructure.
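To put numbers behind the 3-year TCO framing and the MAU tiers above, here is a small cost model (added here; not from the original post or any vendor). The default inputs are constructed placeholders drawn from the ranges the article quotes and should be replaced with your own quotes and salaries; the break-even MAU it reports depends entirely on those inputs.

```python
from dataclasses import dataclass
from typing import Optional

YEARS = 3  # the article's TCO horizon


@dataclass
class Inputs:
    """Constructed placeholder inputs in USD; replace with real quotes and salaries."""
    engineer_year: float = 250_000         # fully loaded senior engineer (assumed)
    build_initial: float = 1_250_000       # article: $500k-$2M to reach parity (midpoint)
    build_audit: float = 150_000           # first security audit + remediation (assumed)
    build_maint_engineers: float = 1.5     # article: 1-2 engineers indefinitely
    selfhost_infra_year: float = 100_000   # article FAQ: $50-150k/yr infrastructure
    selfhost_sre_fraction: float = 0.5     # article FAQ: "a fraction of an SRE"
    selfhost_setup: float = 60_000         # one-time rollout effort (assumed)
    managed_per_mau_month: float = 0.05    # article FAQ: $0.02-0.10/MAU at mid-volume
    managed_platform_year: float = 30_000  # assumed B2B-tier minimum (Org SSO/SCIM)


def build_tco(i: Inputs, years: int = YEARS) -> float:
    # One-off build and audit, then a permanent maintenance team for the whole horizon.
    return i.build_initial + i.build_audit + years * i.build_maint_engineers * i.engineer_year


def selfhost_tco(i: Inputs, years: int = YEARS) -> float:
    # Infrastructure plus the SRE share; treated as MAU-independent at this scale.
    return i.selfhost_setup + years * (i.selfhost_infra_year + i.selfhost_sre_fraction * i.engineer_year)


def managed_tco(i: Inputs, mau: int, years: int = YEARS) -> float:
    # Per-MAU list price grows linearly with users; the platform fee is flat.
    return years * (i.managed_platform_year + mau * i.managed_per_mau_month * 12)


def cheapest(i: Inputs, mau: int) -> str:
    costs = {"build": build_tco(i), "self-host": selfhost_tco(i), "managed": managed_tco(i, mau)}
    return min(costs, key=costs.get)


def breakeven_mau(i: Inputs, hi: int = 10_000_000) -> Optional[int]:
    """Smallest MAU at which self-hosting costs no more than managed (None if never below hi)."""
    target = selfhost_tco(i)
    if managed_tco(i, hi) < target:
        return None
    lo = 0
    while lo < hi:  # binary search: managed_tco is monotone in mau
        mid = (lo + hi) // 2
        if managed_tco(i, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    i = Inputs()
    for mau in (1_000, 50_000, 500_000):
        print(f"{mau:>9} MAU -> {cheapest(i, mau)}")
    print("self-host break-even MAU:", breakeven_mau(i))
```

With the placeholder inputs, build never comes out cheapest and the self-host break-even lands well above 100k MAU; plugging in an enterprise-tier per-MAU price moves it sharply lower, which is the sensitivity worth checking before a renewal.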
For migration paths between options, see the Auth0 to self-hosted migration guide and Cognito migration guide. For the broader landscape, see the CIAM vs IAM vs IDaaS guide.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Authentik
Authentik is the modern alternative to Keycloak for self-hosted enterprise CIAM in 2026: Python-based, MIT-licensed, with a materially nicer admin UI than Keycloak's dated console. The trade-off is a mid-weight operational profile and no managed cloud offering. For teams with Python operational competence and a strict-OSS mandate, Authentik is the lower-friction alternative to Keycloak.
FusionAuth
FusionAuth is the right answer when you want self-hosted CIAM without taking on Keycloak's operational weight, and want the option to switch to managed without changing vendors. Single-binary deploy, modern docs, and a genuinely usable Community tier make it the practical default for self-host evaluations in 2026, particularly for B2C and mid-market B2B SaaS that don't need FedRAMP or Zanzibar-style FGA.
Keycloak
Keycloak is the de-facto open-source CIAM in 2026 and remains the right choice when data sovereignty, on-prem deployment, or zero per-MAU cost are non-negotiable. The trade-off is operational cost: running Keycloak well is closer to running PostgreSQL than to running an SDK, and teams without that capacity should reach for FusionAuth (lighter ops) or a SaaS instead.
Ory
Ory is the most architecturally modern open-source CIAM in 2026: Go-based, Kubernetes-native, composable components, strict Apache 2.0, with native Zanzibar-style FGA via Keto that no other full-platform vendor in this index ships natively. The trade-off is operational scope: running four composable services rather than one binary suits Kubernetes-native teams and frustrates everyone else. For teams that want OSS plus FGA from one vendor, Ory is the singular pick.
FAQ
- When does building CIAM in-house make sense?
- Three narrow cases: (1) extreme regulatory environments where no managed vendor meets compliance, (2) genuinely novel authentication requirements that no vendor supports (rare in 2026: passkeys, FIDO, SAML, OIDC, and SCIM are commodity), (3) you ARE a CIAM vendor. For 99% of SaaS, buy or self-host open source.
- How much does buying CIAM actually cost?
- Managed CIAM pricing in 2026: Auth0 and Microsoft Entra External ID start free or at $0.02-0.05/MAU and scale to $5-15+/MAU at enterprise tier. MojoAuth, Stytch, and Clerk sit in the $0.02-0.10/MAU range for mid-volume. Build cost: 2-4 senior engineers for 6-12 months to ship feature parity, plus ongoing maintenance, typically $1M-3M+ all-in for a real production system.
- Is self-hosting Keycloak free?
- License-free; infrastructure and operations are not. Production Keycloak runs ~3-5 instances behind a load balancer with a clustered database, a redundant region, monitoring, backups, and an upgrade cadence. Realistic operations cost is $50-150k/year in infrastructure plus a fraction of an SRE; below 100k MAU this often beats managed pricing.
- What about migrating later?
- Migrations between CIAM platforms are doable but not cheap; see the migration guides. The lock-in costs are real, especially for hashed passwords, MFA enrollments, and tenant-aware role models. The migration plan should be considered upfront, not delayed until the wall is hit.
Sources
- Auth0 / Okta pricing pages
- Microsoft Entra External ID pricing
- Keycloak operations practitioner reports