I'm in the process of exploring the development of a SaaS product and am keen on understanding the landscape better from those who have walked this path before I jump into coding. Specifically, I'm looking into creating a B2B multi-tenant identity management platform for SaaS businesses.
These are the main questions that puzzle me most:
- Main Technical Challenges: What are the primary technical hurdles you've encountered in building and scaling SaaS products? Especially interested in aspects related to multi-tenancy, security, tenant management, and onboarding.
- Market Need: In your experience, is there a significant demand for a streamlined, multi-tenant identity management solution? How critical is identity management in your time-to-market considerations?
- Product-Market Fit: For those who have implemented or considered such solutions, what features or capabilities do you find most lacking or desired in the current offerings?
- Choice of Providers: Which identity management providers have you used for your SaaS products? What influenced your choice? Any pain points?
- User Experiences: What have been your experiences with these providers? Pros, cons, and any specific challenges you faced, especially in terms of multi-tenancy and security?
- Building Custom Solutions: Have any of you opted to build your own identity management solutions instead of using existing providers? What led to this decision, and how has it impacted your product development and time-to-market?
- Desired Features and Capabilities: In your view, what are the most critical features or capabilities that are lacking or could be improved in current identity management solutions?
My goal is to validate the need for a solution that simplifies identity management across different tenants.
Any insights, experiences, or advice you can share would be incredibly valuable and much appreciated. Thank you for your time and looking forward to the discussion!
So all of your messages end up passing some sort of customer identifier everwhere and you need to enforce checking it at the lowest possible levels
1. Custom domains per tenant (if relevant). For example, if you are building a platform like shopify where each tenant gets their own domain, this is an interesting challenge. Services like cloudflare for SAAS cost an arm and a leg and they restrict apex domains unless Enterprise plan (read six figure per year). You could build your own using something like Caddy with TLS Termination and auto certificate issuance but it's tricky to build for scale (I played around with a prototype for this so I have some learnings from it)
2. Initial Tenant Provisioning specifically their data. Do you have db per tenant or 1 single db for all tenants ? If SIngle DB for all tenants combined, how will you do data isolation and ensure that one tenant doesn't accidently see/process another tenant's data ? If you use multiple DBs, how do you ensure that a request from a tenant connects to that tenant's db without losing performance ? DB Pooling etc etc.
3. Tenant data management after provisioning. Let's say you have DB per tenant. How will you apply a migration across 100s of DBs effectively, accurately and with speed ? Can you customize one specific tenant if they are like enterprise ? How do you handle their migration now ?
There are some of the most challenging aspects. There are many others of course.
1. RBAC Policy When there are multiple types of roles in a parent-tenant (pt) and child-tenant (ct), there could be cases where some resources can be shared between pt and ct, while others cannot. Hence, conditions to access these data are not limited to RBAC, but also depend on the type of data and metadata. Checks are applied on metadata.
2. Architecting Multi-Tenant A significant challenge would be in schema design, especially the isolation of pt and ct. There are open-source solutions available that provide pre-cooked solutions, yet they may not be as effective as writing your own.
3. RBAC can go beyond ABAC and REBAC This is an advanced problem. Customers in the cloud-native space have demanded this before as it provides granularity. This is heavily backed by your RBAC architecture. If that's implemented incorrectly, then your ABAC and REBAC will also be affected.
It seems like a clear need in the market, and other players like Clerk and Stytch have pivoted from consumer->b2b auth too. Not to mention Auth0/Okta.
The CIAM category is so broad that I would suggest to start narrow in a more “niche” area, such as auth for healthtech products, or focusing on permissions/rbac. When you go narrow, you will be able to provide a stronger product than the incumbents which are constrained by their breadth.
Happy to chat more. I love helping founders. Feel free to email.