
The CIAM Vendor Selection Trap: Why Most B2B SaaS Teams Pick the Wrong Identity Provider for Their Stage

Most CIAM selection decisions get made on features at evaluation time. Six-figure migration projects 18 months later are the result. Here's the stage-fit framework that prevents it.

By Deepak Gupta, guptadeepak.com

Roughly seven out of ten B2B SaaS teams I have audited in the last three years picked a CIAM vendor they would not pick again. The bill comes due around Series B, when a six-figure migration project is the only way out.

I built and ran LoginRadius from 2013 to a billion-plus end users. I have sat on both sides of this decision: as a founder selling identity to enterprise buyers, and as an advisor watching founders pick the wrong tool for the next stage of their company. The pattern is consistent, and it has very little to do with the quality of the vendors.

The trap is the evaluation itself.

Why feature-comparison-at-evaluation-time is the trap

The standard CIAM evaluation looks like this. A team writes a feature matrix. Social login, MFA, SSO, SAML, SCIM, RBAC, organizations, B2B tenancy, audit logs, compliance certifications. They send the matrix to four vendors. They demo. They pick the vendor that ticks the most boxes for the price they can swallow today.

Eighteen months later, three things have happened. The company moved upmarket. Enterprise buyers started asking for things that were on nobody's matrix at evaluation time (per-tenant data residency, IdP-initiated SSO with custom claims, JIT provisioning into specific role mappings, audit log streaming to a customer-owned SIEM). The vendor's pricing model, which was generous at 10,000 MAUs, is now punitive at 250,000 MAUs because the per-MAU rate did not scale down.

The feature matrix was a snapshot. Identity is a relationship with a vendor over five to seven years. You picked a snapshot.

The three things buyers actually evaluate, and the three they should

What buyers evaluate: features, price, developer experience. All three are observable at demo time.

What buyers should evaluate: pricing trajectory at 10x current scale, migration friction off the vendor in 24 months, and B2B-tenancy primitives that are not on the feature matrix but become load-bearing later. None of these are observable at demo time. All three are predictable if you know where to look.

The stage-fit framework

The single most useful question I ask founders evaluating CIAM: what stage are you, and what stage will you be in 24 months. The right vendor is the one whose pricing, primitives, and migration profile fit both ends of that range.

Seed stage (pre-product-market-fit, zero to 10,000 users)

You need: fast time to first login, social providers, password reset that works, MFA when a customer asks. You do not need: SAML, SCIM, organizations, B2B tenancy.

Right-fit vendors: Supabase Auth, Firebase Auth, Clerk, Stytch. The bet you are making: this vendor lets me ship in a week, and I will pay the migration tax if I outgrow them.

Wrong-fit vendor at this stage: Auth0. Not because Auth0 is bad. Because you are paying for primitives you do not use, and the pricing leverage turns against you the instant you cross the free tier.

Series A (product-market-fit found, 10,000 to 100,000 users, first enterprise deals)

You need: SAML SSO for the first enterprise prospect, organization or workspace primitives, role-based access control, audit logs.

Right-fit vendors: WorkOS (if you are bolting enterprise SSO onto an existing auth stack), SSOJet (similar, focused on the SSO and SCIM layer), Stytch with B2B SKU, Frontegg. The bet: B2B tenancy and SAML are first-class primitives, not bolt-ons.

Series B+ (100,000 to 1M users, multiple enterprise tenants, compliance requirements now real)

You need: per-tenant configuration, SCIM provisioning, audit log streaming, region-pinned data residency, custom domains per tenant, SOC 2 evidence.

Right-fit vendors: Auth0 (now Okta CIC) with enterprise plan, Descope, Frontegg at the higher tier. The bet: you are paying for primitives that were overkill two years ago and are now table stakes.

Enterprise (1M+ users, regulated industries, multi-region)

You need: dedicated tenancy or self-hosted, custom legal terms, FedRAMP or equivalent, a vendor account team that picks up the phone.

Right-fit vendors: Okta CIC, Ping Identity, ForgeRock (now part of Ping), Transmit Security. Or you build in-house on Keycloak or Ory with a team that knows what they are doing.

The migration-tax math

Most teams underestimate migration cost by an order of magnitude. The honest range from projects I have either run or audited:

  • Engineering time: two to four engineers for three to six months. At fully loaded cost, that is $150,000 to $400,000.
  • Dual-write window: running both vendors in parallel while you migrate users, typically two to four months of double-billing.
  • User-facing disruption: forced password resets for users whose hashes you cannot migrate (most vendors use different hash functions), which depresses re-login rates by 5 to 15%.
  • Opportunity cost: the roadmap items the engineering team was not shipping. This is the biggest cost and the one nobody writes down.

I cover the operational shape of this in depth in Auth Migration Hell. The TL;DR: budget $200,000 to $400,000 all-in, and 12 to 18 months from decision to full cutover.
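The forced-reset line item above is the one a migration plan can shrink. What follows is an added example, not code from the post or from any CIAM vendor: it triages an exported user table by password-hash format, verifies PBKDF2-format hashes against the legacy vendor's parameters, and re-hashes into the new scheme on the user's next successful login, so that only users whose hash format the new system cannot verify (a bcrypt-formatted string here) are pushed through a reset. The PHC-style strings, salts, sample records and the `login`/`triage` helper names are all constructed for this example.

```python
"""Password-hash triage and rehash-on-login during a CIAM migration.

Added example, not code from the post or from any vendor. It assumes the old
vendor exports password hashes as PHC-style strings; the hash formats, salts
and user records below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Target scheme for the new system: PBKDF2-HMAC-SHA256 at a modern work factor.
TARGET_DIGEST = "sha256"
TARGET_ROUNDS = 600_000


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def pbkdf2_phc(password: str, salt: bytes, digest: str, rounds: int) -> str:
    """Encode a PBKDF2 hash as $pbkdf2-<digest>$<rounds>$<salt>$<hash>."""
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-{digest}${rounds}${_b64e(salt)}${_b64e(dk)}"


def parse_pbkdf2(phc: str) -> Optional[tuple]:
    """Return (digest, rounds, salt, hash) for a PBKDF2 PHC string this system
    can verify, or None for any other format (bcrypt, argon2, unknown)."""
    parts = phc.split("$")
    if len(parts) != 5 or not parts[1].startswith("pbkdf2-"):
        return None
    digest = parts[1][len("pbkdf2-"):]
    if digest not in hashlib.algorithms_available or not parts[2].isdigit():
        return None
    return digest, int(parts[2]), _b64d(parts[3]), _b64d(parts[4])


def verify(password: str, phc: str) -> Optional[bool]:
    """True/False for a verifiable hash; None when the format is unsupported."""
    parsed = parse_pbkdf2(phc)
    if parsed is None:
        return None
    digest, rounds, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(phc: str) -> bool:
    """A stored hash is current only if it already uses the target scheme."""
    parsed = parse_pbkdf2(phc)
    return parsed is None or parsed[0] != TARGET_DIGEST or parsed[1] < TARGET_ROUNDS


def login(record: dict, password: str) -> str:
    """Authenticate against the stored hash and, on success with a legacy
    format, re-hash into the target scheme; the user never notices."""
    result = verify(password, record["hash"])
    if result is None:
        return "reset_required"   # no verifier for this format: forced reset
    if not result:
        return "rejected"
    if needs_rehash(record["hash"]):
        record["hash"] = pbkdf2_phc(password, os.urandom(16), TARGET_DIGEST, TARGET_ROUNDS)
        return "accepted_rehashed"
    return "accepted"


def triage(export: list) -> dict:
    """Count exported users that can migrate lazily versus those who must reset."""
    counts = {"lazy_migrate": 0, "force_reset": 0}
    for rec in export:
        key = "lazy_migrate" if parse_pbkdf2(rec["hash"]) is not None else "force_reset"
        counts[key] += 1
    return counts


# Constructed sample export (not real users or hashes). The first two records
# mimic a vendor that exported PBKDF2-SHA1 at 1,000 rounds; the third is a
# bcrypt-formatted string this system has no verifier for.
SAMPLE_EXPORT = [
    {"email": "alice@example.com",
     "hash": pbkdf2_phc("correct horse", b"constructed-salt-1", "sha1", 1000)},
    {"email": "bob@example.com",
     "hash": pbkdf2_phc("battery staple", b"constructed-salt-2", "sha1", 1000)},
    {"email": "carol@example.com",
     "hash": "$2b$12$PLACEHOLDERnotArealBcryptHash000000000000000000000000"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT))
    user = dict(SAMPLE_EXPORT[0])
    print(login(user, "correct horse"), user["hash"][:24])
```

Run `triage` against the real export before signing the dual-write plan: the `force_reset` count is the population whose re-login rate will drop, and it is known on day one rather than discovered at cutover.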

Five questions to ask before evaluating any vendor

Run these five questions before you build the feature matrix. They will eliminate half the vendors on your shortlist before you watch a single demo.

1. What does pricing look like at 10x our current MAU?

Ask for the rate card at your current scale, 3x, and 10x. If the vendor will not put it in writing, that is the answer. The Auth0 alternatives piece walks through why pricing-by-MAU breaks down for B2B SaaS where one customer logo can mean 50,000 users.

2. What does the export look like?

Ask: if we leave you in 24 months, what do we get? Specifically, do we get password hashes (in what format), refresh tokens, MFA enrollments, audit logs, custom user attributes. The answer determines your migration tax.

3. What is your B2B tenancy model?

Organizations? Workspaces? Tenants? Are users globally unique or scoped to a tenant? Can a single user belong to N tenants with different roles in each? Is there a per-tenant configuration object (custom branding, custom claims, custom IdP) and what is its surface area? This question separates vendors that were built for B2B from vendors that retrofitted B2B on top of B2C primitives.
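To make the tenancy question concrete, here is an added example, not code from the post or from any vendor, of the model a B2B-first vendor exposes: a globally unique user holding memberships in N tenants with a different role in each, a per-tenant configuration object (custom domain, IdP connection, claims), and an authorization check scoped to the tenant being accessed. Beside it is the retrofitted-B2C shape, a single role carried on the user profile, to show why it leaks permissions across tenants. Tenant names, roles, connection names and the `Directory` helper are invented for the example.

```python
"""Tenant-scoped memberships versus a user-level role.

Added example, not code from the post or from any vendor. It models the
tenancy questions asked above: globally unique users, membership in N tenants
with a different role in each, and a per-tenant configuration object. All
tenant names, roles and IdP connection names are invented.
"""
from dataclasses import dataclass, field
from typing import Optional

# Permissions granted by each role *within one tenant*.
ROLE_PERMISSIONS = {
    "owner": {"read", "write", "manage_members", "manage_sso"},
    "admin": {"read", "write", "manage_members"},
    "member": {"read", "write"},
    "viewer": {"read"},
}


@dataclass
class TenantConfig:
    """The per-tenant surface area: branding, claims and an optional IdP."""
    custom_domain: Optional[str] = None
    sso_connection: Optional[str] = None       # e.g. a SAML connection name
    custom_claims: dict = field(default_factory=dict)


class Directory:
    def __init__(self) -> None:
        self.tenants: dict = {}          # tenant_id -> TenantConfig
        self.memberships: dict = {}      # (user_id, tenant_id) -> role

    def add_tenant(self, tenant_id: str, config: Optional[TenantConfig] = None) -> None:
        self.tenants[tenant_id] = config or TenantConfig()

    def add_member(self, user_id: str, tenant_id: str, role: str) -> None:
        if tenant_id not in self.tenants:
            raise KeyError(f"unknown tenant {tenant_id}")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.memberships[(user_id, tenant_id)] = role

    def tenants_for(self, user_id: str) -> dict:
        """All tenants a user belongs to, with the role held in each."""
        return {t: r for (u, t), r in self.memberships.items() if u == user_id}

    def authorize(self, user_id: str, tenant_id: str, permission: str) -> bool:
        """Tenant-scoped check: the role is looked up for *this* tenant only."""
        role = self.memberships.get((user_id, tenant_id))
        return role is not None and permission in ROLE_PERMISSIONS[role]

    def login_method(self, tenant_id: str) -> str:
        """Route login by the tenant's own config: SAML if configured, else password."""
        cfg = self.tenants[tenant_id]
        return f"saml:{cfg.sso_connection}" if cfg.sso_connection else "password"


def global_role_authorize(directory: Directory, user_id: str, tenant_id: str,
                          permission: str) -> bool:
    """The retrofitted-B2C shape: one role stored on the user profile (here
    approximated as the most permissive role the user holds anywhere) is
    applied to whichever tenant is being accessed. tenant_id is ignored, and
    that is exactly the cross-tenant leak a tenancy-first model avoids."""
    roles = directory.tenants_for(user_id).values()
    if not roles:
        return False
    best = max(roles, key=lambda r: len(ROLE_PERMISSIONS[r]))
    return permission in ROLE_PERMISSIONS[best]


def build_sample_directory() -> Directory:
    """Constructed sample data for the demonstration."""
    d = Directory()
    d.add_tenant("acme", TenantConfig(custom_domain="login.acme.example",
                                      sso_connection="okta-acme",
                                      custom_claims={"department": "groups"}))
    d.add_tenant("globex")
    d.add_tenant("initech")
    d.add_member("alice", "acme", "admin")      # same user, two tenants,
    d.add_member("alice", "globex", "viewer")   # two different roles
    d.add_member("bob", "globex", "owner")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print("scoped :", d.authorize("alice", "globex", "write"))               # False
    print("global :", global_role_authorize(d, "alice", "globex", "write"))  # True
    print("login  :", d.login_method("acme"), d.login_method("globex"))
```

When a vendor's API has no equivalent of the `(user, tenant) -> role` membership row, or its per-tenant configuration object cannot carry its own IdP connection, the B2B layer is a retrofit, however the marketing describes it.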

4. What is the roadmap for data residency?

EU data in EU, US data in US, Australian data in Australia, on a per-tenant basis. If the vendor says "we are working on it", you have your answer.

5. Who are three customers currently at the stage we will be in 24 months?

Ask for references, but specifically references at the stage you are growing into, not the stage you are at. A vendor that cannot produce three is the wrong vendor for the next stage.

Why this matters, and where it goes wrong most often

The structural reason vendors get picked wrong: the people doing the evaluation (founders, CTOs, head of engineering at a small team) optimize for the next quarter. The cost of the wrong pick lands two to three years later, often on a different person's desk.

I have written before about the broader shape of this, why legacy identity systems are dead and what replaces them. The thesis there applies here too: the vendor that fits the next stage is rarely the vendor that fits the current one. Pick for both ends of the range, or pick once and migrate twice.

The systematic version: CIAM Compass

The framework above is the napkin version. The systematic version, with per-vendor analysis, pricing teardowns, B2B tenancy comparisons, and a methodology that is published and dated, lives at CIAM Compass.

Specifically:

  • The vendor directory has 46 CIAM vendors profiled against the same rubric.
  • The methodology page documents how the rubric works, what it weights, and what it explicitly does not measure.
  • The guides library covers the questions vendors will not answer in a demo (B2B tenancy, pricing models, build-vs-buy math, account recovery design).

If you take one thing from this post: do not buy CIAM on a feature matrix at evaluation time. Buy it on the 24-month trajectory, with explicit answers to the five questions above. The vendors are mostly fine. The mistake is the evaluation.

FAQ

What is the single biggest predictor of a wrong CIAM pick?

The team evaluated features at current scale and did not get a written rate card for 10x scale. Pricing trajectory is the number one cause of migration projects.

Is Auth0 ever the right pick at seed stage?

Rarely. The pricing model is calibrated for teams whose growth justifies enterprise pricing in 12 to 18 months. Below that growth rate, the cost-to-value is bad and the cost of migrating off is high.

What about open-source CIAM at series A?

Keycloak and Ory are excellent if you have a dedicated identity engineer. Without one, the operational cost is higher than a hosted vendor at the same scale.

How do I avoid the migration tax entirely?

You usually cannot. The best you can do is pick a vendor whose primitives fit the next 24 months, get a written export commitment in your contract, and budget for one migration over the company's first seven years.

For a vendor-neutral, continuously updated version of this stage analysis, the CIAM Compass ranks CIAM alternatives by the pain that triggers a switch and scores every platform on one matrix.
