apidays New York 2025 - CIAM in the wild by Michael Gruen (Layr)

Transcript

1. 1 AuthCon brought you by The Customer Identity Conference Where

   modern product and engineering teams go to ‘hit refresh’ on CIAM May 14, 2025

2. 2 AuthCon brought you by CIAM In The Wild: What

   we learned while scaling from 1.5 to 3 million users Mike Gruen

3. 3 AuthCon brought you by June 14, 2021 Marketing campaign

   goes viral “WarGames” lights up with alerts Support: There’s a spike in complaints… What happened, how did we get here?

4. 4 AuthCon brought you by Helping orgs scale securely, from

   early stage to growth. About Me Outside of work, I’m a husband, father, mentor, community advisor, and co -host of The Pair Program , a show about technology, startups, and career development. I'm a tech executive with 30 years of software development experience, mostly at startups. I've held roles including VP of Engineering, Chief Security Officer, VP of Product, and even Interim Director of HR.

5. 5 AuthCon brought you by CIAM: One subplot of a

   larger story… • Built on WordPress • Over one million registered users • Routine crashes multiple times a week • Chapter 1: Stability & GDPR compliance • Chapter 2: Iterative app replacement • Chapter 3: Cloud & database migration • Chapter 4: Marketing website migration • Chapter 5: Decommission WordPress 🎉🎉 Celebrating our victory over WordPress – piñata and beer! (No CMS systems were harmed in the making of this photo)

6. 6 AuthCon brought you by Prologue 01 Decision making process

   and vendor selection Preparation 02 Planning and copying credentials Implementation 03 Development, integration, and transition Deployment 04 Lessons Learned 05 Summary of what went well and what I’d do differently Epilogue 06 What has happened since Our CIAM Migration Journey The good, the bad, and the ugly of post-implementation

7. 7 AuthCon brought you by 01: Prologue Decision making process

   and vendor selection

8. 8 AuthCon brought you by “Table Stakes” Requirements: Build vs

   Buy Pros to buying: • Solved problem, not core to our business • Leverage vendor expertise • Lower near-term costs • Reduce risk • Immediate access to admin interfaces • Strategic partnership opportunities Pros to building: • Fast delivery of user-facing features • Full control over the experience • No vendor lock-in or dependencies • Access to free, open-source libraries • Developer-preferred approach

9. 9 AuthCon brought you by Buy - Refined Requirements Nice

   to haves and other considerations: • Dedicated support during rollout • Pre-built UI widgets and workflows • Risk (availability, stability, etc.) • Cost (millions of users, growing) • Contract terms • Strategic partnership opportunities Must haves: • Table stakes (secure, scalable, MFA, etc.) • Federation (SAML & OpenID) • Admin interface (support, reporting, etc.) • Global reach (Russia, China, India, etc.) • Easy implementation/integration

10. 10 AuthCon brought you by Vendor Selection Why we chose

    Okta • Only vendor to meet all requirements • Very responsive and supportive • Strong sales and marketing alignment • Favorable terms (expanding into CIAM) Vendors evaluated • Auth0 • Okta (prior to acquiring Auth0) • AWS Cognito • Google Firebase • And others…

11. 11 AuthCon brought you by 02: Preparation Planning and copying

    credentials

12. 12 AuthCon brought you by Choppy Seas Known challenges: •

    Unverified email addresses • Usernames without email addresses • Unsupported WordPress hash algorithm • One of many replatforming priorities Navigating expectedly rough waters.

13. 13 AuthCon brought you by The Shim Solution: Capture valid

    credentials as “unverified” accounts

14. 14 AuthCon brought you by The Plan Lesser of 6

    months or 80% of existing users Cutover to a pre-built widget implementation Focus on improving the learner experience Use marketing campaigns to re-engage users Purge inaccessible accounts

15. 15 AuthCon brought you by 03: Implementation Development, integration, and

    transition

16. 16 AuthCon brought you by Pre-Built Widget Implementation

17. 17 AuthCon brought you by Smooth Sailing • Credentials populated

    flawlessly • Easy to develop using pre-built widgets • Good developer documentation • Supported us like a partner throughout Or the calm before the storm?

18. 18 AuthCon brought you by Headwinds Unexpected challenges: • Ineffective

    re-engagement campaigns • Shift in stance on inaccessible accounts • Evolving registration requirements • Pressure for advanced CIAM features Solution: • Replace their widgets & reverse our shim

19. 19 AuthCon brought you by Reverse Shim Implementation

20. 20 AuthCon brought you by 04: Deployment The good, the

    bad, and the ugly of post -implementation

21. 21 AuthCon brought you by Post-Deployment The Good

22. 22 AuthCon brought you by Tailwinds Highlights that continued post

    -deployment • SAML-based Fed ID configuration • OpenID Connect (OIDC) implementation • Tooling for tech support • Partnership continued

23. 23 AuthCon brought you by Post-Deployment The Bad

24. 24 AuthCon brought you by Distributed Denial of Service Attacks

    (DDOS) How did this happen? • W e exposed Okta API endpoints • Assumptions during discovery Solutions: • Vendor suggestions were not feasible • Solved use of our W AF Weathering The Storms

25. 25 AuthCon brought you by Post-Deployment The Ugly

26. 26 AuthCon brought you by Blocking legitimate users due to

    traffic spikes How did this happen? • Changes in B2C Marketing • Failure to coordinate across teams • Failure to coordinate with vendor Solutions: • Unaffordable or unmaintainable Jun 14, 2021: Throttled!

27. 27 AuthCon brought you by With about 9 months left

    in the contract, we began planning to migrate to a new solution • Recurring challenge • Difficult to coordinate between our marketing team and the vendor • Customer Success continued advocating for us Aftermath

28. 28 AuthCon brought you by 05: Lessons Learned Summary of

    what went well and what I’d do differently

29. 29 AuthCon brought you by Key Takeaways - No Perfect

    Solution What went well What I’d do differently Reduced risks and improved security posture Stay more attuned to decisions that could impact CIAM Populating credentials using MITM technique Dive deeper into rate limits and traffic classification Internal tooling saved time and improved user support Plan to build login & registration flows from the start Federation was easy to implement and configure Be more realistic organization-level tradeoffs Vendor partnership Don't assume today's user behaviors will apply tomorrow

30. 30 AuthCon brought you by 06: Epilogue What has happened

    since

31. 31 AuthCon brought you by Left Cybrary Shortly After �

    For me: New adventures • Different vendors, similar challenges • Migrating CIAM is on our roadmap 🏢🏢 For Cybrary: Re-evaluated needs • SAML not as critical as anticipated • Migrated to Firebase

32. 32 AuthCon brought you by Questions? Clear waters ahead…

33. 33 AuthCon brought you by Thank You! Primary Contact: [email protected]

34. 34 AuthCon brought you by Brought to You By: