
apidays New York 2025 - CIAM in the wild by Michael Gruen (Layr)

CIAM in the wild: What we learned while scaling from 1.5 to 3 million users
Michael Gruen, VP of Engineering at Layr

apidays New York 2025
API Management for Surfing the Next Innovation Waves: GenAI and Open Banking
May 14 & 15, 2025

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

May 24, 2025
Transcript

  1. Slide 1: AuthCon, brought you by: The Customer Identity Conference. Where modern product and engineering teams go to ‘hit refresh’ on CIAM. May 14, 2025
  2. Slide 2: CIAM In The Wild: What we learned while scaling from 1.5 to 3 million users. Mike Gruen
  3. Slide 3: June 14, 2021. Marketing campaign goes viral. “WarGames” lights up with alerts. Support: There’s a spike in complaints… What happened, how did we get here?
  4. Slide 4: About Me. Helping orgs scale securely, from early stage to growth. I'm a tech executive with 30 years of software development experience, mostly at startups. I've held roles including VP of Engineering, Chief Security Officer, VP of Product, and even Interim Director of HR. Outside of work, I’m a husband, father, mentor, community advisor, and co-host of The Pair Program, a show about technology, startups, and career development.
  5. Slide 5: CIAM: One subplot of a larger story…
     • Built on WordPress
     • Over one million registered users
     • Routine crashes multiple times a week
     • Chapter 1: Stability & GDPR compliance
     • Chapter 2: Iterative app replacement
     • Chapter 3: Cloud & database migration
     • Chapter 4: Marketing website migration
     • Chapter 5: Decommission WordPress 🎉
     Celebrating our victory over WordPress – piñata and beer! (No CMS systems were harmed in the making of this photo)
  6. Slide 6: Our CIAM Migration Journey
     01 Prologue: Decision making process and vendor selection
     02 Preparation: Planning and copying credentials
     03 Implementation: Development, integration, and transition
     04 Deployment: The good, the bad, and the ugly of post-implementation
     05 Lessons Learned: Summary of what went well and what I’d do differently
     06 Epilogue: What has happened since
  7. Slide 8: “Table Stakes” Requirements: Build vs Buy
     Pros to buying:
     • Solved problem, not core to our business
     • Leverage vendor expertise
     • Lower near-term costs
     • Reduce risk
     • Immediate access to admin interfaces
     • Strategic partnership opportunities
     Pros to building:
     • Fast delivery of user-facing features
     • Full control over the experience
     • No vendor lock-in or dependencies
     • Access to free, open-source libraries
     • Developer-preferred approach
  8. Slide 9: Buy - Refined Requirements
     Must haves:
     • Table stakes (secure, scalable, MFA, etc.)
     • Federation (SAML & OpenID)
     • Admin interface (support, reporting, etc.)
     • Global reach (Russia, China, India, etc.)
     • Easy implementation/integration
     Nice to haves and other considerations:
     • Dedicated support during rollout
     • Pre-built UI widgets and workflows
     • Risk (availability, stability, etc.)
     • Cost (millions of users, growing)
     • Contract terms
     • Strategic partnership opportunities
  9. Slide 10: Vendor Selection
     Vendors evaluated:
     • Auth0
     • Okta (prior to acquiring Auth0)
     • AWS Cognito
     • Google Firebase
     • And others…
     Why we chose Okta:
     • Only vendor to meet all requirements
     • Very responsive and supportive
     • Strong sales and marketing alignment
     • Favorable terms (expanding into CIAM)
  10. Slide 12: Choppy Seas. Navigating expectedly rough waters.
     Known challenges:
     • Unverified email addresses
     • Usernames without email addresses
     • Unsupported WordPress hash algorithm
     • One of many replatforming priorities
  11. Slide 13: The Shim Solution: Capture valid credentials as “unverified” accounts
  12. Slide 14: The Plan
     • Lesser of 6 months or 80% of existing users
     • Cutover to a pre-built widget implementation
     • Focus on improving the learner experience
     • Use marketing campaigns to re-engage users
     • Purge inaccessible accounts
  13. Slide 17: Smooth Sailing. Or the calm before the storm?
     • Credentials populated flawlessly
     • Easy to develop using pre-built widgets
     • Good developer documentation
     • Supported us like a partner throughout
  14. Slide 18: Headwinds
     Unexpected challenges:
     • Ineffective re-engagement campaigns
     • Shift in stance on inaccessible accounts
     • Evolving registration requirements
     • Pressure for advanced CIAM features
     Solution:
     • Replace their widgets & reverse our shim
  15. Slide 20: 04: Deployment. The good, the bad, and the ugly of post-implementation
  16. Slide 22: Tailwinds. Highlights that continued post-deployment:
     • SAML-based Fed ID configuration
     • OpenID Connect (OIDC) implementation
     • Tooling for tech support
     • Partnership continued
  17. Slide 24: Weathering The Storms: Distributed Denial of Service Attacks (DDoS)
     How did this happen?
     • We exposed Okta API endpoints
     • Assumptions during discovery
     Solutions:
     • Vendor suggestions were not feasible
     • Solved through use of our WAF
  18. Slide 26: Jun 14, 2021: Throttled! Blocking legitimate users due to traffic spikes
     How did this happen?
     • Changes in B2C Marketing
     • Failure to coordinate across teams
     • Failure to coordinate with vendor
     Solutions:
     • Unaffordable or unmaintainable
  19. Slide 27: Aftermath. With about 9 months left in the contract, we began planning to migrate to a new solution.
     • Recurring challenge
     • Difficult to coordinate between our marketing team and the vendor
     • Customer Success continued advocating for us
  20. Slide 28: 05: Lessons Learned. Summary of what went well and what I’d do differently
  21. Slide 29: Key Takeaways - No Perfect Solution
     What went well:
     • Reduced risks and improved security posture
     • Populating credentials using MITM technique
     • Internal tooling saved time and improved user support
     • Federation was easy to implement and configure
     • Vendor partnership
     What I’d do differently:
     • Stay more attuned to decisions that could impact CIAM
     • Dive deeper into rate limits and traffic classification
     • Plan to build login & registration flows from the start
     • Be more realistic about organization-level tradeoffs
     • Don't assume today's user behaviors will apply tomorrow
  22. Slide 31: Left Cybrary Shortly After
     For me: New adventures
     • Different vendors, similar challenges
     • Migrating CIAM is on our roadmap 🏢
     For Cybrary: Re-evaluated needs
     • SAML not as critical as anticipated
     • Migrated to Firebase
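An added example (not code from the talk, nor Cybrary's or Layr's shim) of the login-time credential capture the deck describes on slides 13 and 29: because the vendor could not import the WordPress hash format, the legacy password is verified with the public phpass portable-hash algorithm WordPress stores, and only a successful login is provisioned into the new IdP as an unverified account. The legacy user table and the IdP are stand-in dicts (assumptions); a real shim would call the vendor's provisioning API over TLS and never log or persist the captured password.

```python
import hashlib
import hmac

# Alphabet of phpass' own base64 variant, used by WordPress portable hashes ($P$...).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes, count: int) -> str:
    # phpass' own base64 (not RFC 4648): 3 bytes -> 4 chars, low bits first
    out, i = "", 0
    while i < count:
        value, i = data[i], i + 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out

def phpass_hash(password: str, setting: str) -> str:
    """Recompute a phpass portable hash from its 12-char prefix: '$P$' + count char + 8-char salt."""
    count_log2 = ITOA64.index(setting[3]) if len(setting) >= 12 else -1
    if setting[:3] not in ("$P$", "$H$") or not 7 <= count_log2 <= 30:
        raise ValueError("not a usable phpass portable hash")
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # WordPress default '$P$B' means 2**13 = 8192 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)

def phpass_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(phpass_hash(password, stored), stored)

def login_shim(login: str, password: str, legacy_users: dict, idp_users: dict) -> bool:
    """Authenticate against the WordPress hash; on success, copy the credential into
    the new IdP (idp_users stands in for the vendor API) flagged as unverified."""
    rec = legacy_users.get(login)
    if rec is None or not phpass_verify(password, rec["hash"]):
        return False  # nothing is provisioned for a failed login
    idp_users.setdefault(login, {"password": password, "email": rec.get("email"),
                                 "email_verified": False})
    return True
```

Accounts created this way stay flagged until the user confirms an email address, which is what lets the "purge inaccessible accounts" step later distinguish migrated users from dormant ones.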