By Leonardo Rodrigues – Software Engineer and Tech Leader
As we progress in our careers as software engineers, the complexity of the systems we architect and lead inevitably brings us face-to-face with identity and access management (IAM). What started as a simple question about Keycloak evolved into a comprehensive analysis of the IAM landscape – one that I believe offers valuable insights for technical leaders navigating this critical infrastructure decision.
Understanding the Foundation: What is Keycloak?
Let me start with the catalyst for this analysis. Keycloak, Red Hat’s open-source identity and access management solution, represents a compelling middle ground in the IAM ecosystem. It’s a centralized authentication and authorization system that provides Single Sign-On (SSO), identity brokering, user federation, and multi-factor authentication support.
What makes Keycloak particularly interesting is its protocol compliance – supporting OAuth 2.0, OpenID Connect, and SAML 2.0 – making it a versatile choice for organizations looking to avoid vendor lock-in while maintaining modern security standards.
However, like any architectural decision, Keycloak comes with trade-offs. On the positive side: it’s free, feature-rich, highly customizable, and backed by a strong community. The downsides? Complex setup, resource-intensive operation, steep learning curve, and limited cloud-native features compared to commercial solutions.
Redefining Identity Providers vs. Access Management
During my research, I realized we often oversimplify IAM categorization. The distinction between “Identity Providers” and “Access Management” is more nuanced than the typical “who you are” vs. “what you can do” explanation.
True access management encompasses five critical dimensions:
- What you can do (permissions/actions)
- Where you can do it (location, network, device, application)
- When you can do it (time-based access, temporary permissions)
- Whom you can do it to (resource ownership, data classification)
- How you can do it (context, risk-based conditions)
Most modern IAM platforms handle this full spectrum, implementing contextual access, conditional policies, and attribute-based access control (ABAC). Pure identity providers like Firebase Auth or AWS Cognito are becoming less common as organizations demand comprehensive access control, not just authentication.
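To make the five dimensions concrete, here is an added example (not code from any of the platforms discussed) of an attribute-based decision function that checks each dimension and denies unless all of them pass. The policy values, the `Request` fields and the risk score are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

LEVELS = ["public", "internal", "confidential"]  # constructed data classes

# Constructed policy: every value here is an illustrative assumption.
POLICY = {
    "actions": {"read", "update"},                 # what
    "networks": [ip_network("10.0.0.0/8")],        # where
    "hours_utc": (time(7, 0), time(19, 0)),        # when
    "non_owner_max_level": "internal",             # whom
    "require_mfa": True, "max_risk": 40,           # how
}

@dataclass(frozen=True)
class Request:
    subject: str
    action: str
    source_ip: str
    at: datetime          # must be timezone-aware
    resource_owner: str
    classification: str
    mfa: bool
    risk_score: int       # 0-100, from a hypothetical risk engine

def level(name):
    # Unknown labels rank above every known level, so they fail closed.
    return LEVELS.index(name) if name in LEVELS else len(LEVELS)

def evaluate(req, policy=POLICY):
    """Return (allowed, failed_dimensions); allow only if all five pass."""
    failed = []
    if req.action not in policy["actions"]:
        failed.append("what")
    try:
        addr = ip_address(req.source_ip)
        in_net = any(addr in net for net in policy["networks"])
    except ValueError:
        in_net = False  # unparseable address: deny
    if not in_net:
        failed.append("where")
    start, end = policy["hours_utc"]
    if not start <= req.at.astimezone(timezone.utc).time() < end:
        failed.append("when")
    is_owner = req.subject == req.resource_owner
    if not is_owner and level(req.classification) > level(policy["non_owner_max_level"]):
        failed.append("whom")
    if (policy["require_mfa"] and not req.mfa) or req.risk_score > policy["max_risk"]:
        failed.append("how")
    return (not failed, failed)
```

Returning the list of failed dimensions alongside the decision gives audit logs a reason for every denial, which is what makes contextual policies debuggable in practice.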
Market Landscape: Understanding the Players
The IAM market is heavily consolidated, with clear leaders dominating different segments:
- Microsoft Entra ID (~40-50%) – The enterprise heavyweight, dominant due to Office 365/Windows integration
- Auth0/Okta (~15-20%) – Leaders in the pure-play IAM market, especially for modern applications
- AWS IAM (~10-15%) – Universal in AWS infrastructure environments
- Google Cloud Identity (~5-8%) – Growing with Google Workspace adoption
- AWS Cognito (~3-5%) – Popular for web/mobile applications
- Supabase Auth (~2-3%) – Rapidly growing in the developer/startup segment
- Firebase Auth (~2-3%) – Google’s mobile/web development solution
The long tail includes enterprise solutions like Ping Identity and ForgeRock, plus open-source alternatives like Keycloak, Authentik, and emerging players like Zitadel.
Strategic Skill Development: Which Technologies to Master
Given this landscape, I’ve identified a strategic approach to IAM skill development that balances market relevance with technical depth:
- AWS IAM – Foundation for cloud architecture
- Microsoft Entra ID – Enterprise necessity
- Supabase Auth – Modern development patterns and practical project value
- Keycloak – Open-source credibility and deep technical understanding
- Auth0 – SaaS/startup market patterns
- AWS Cognito – User-facing application experience
This combination provides coverage across enterprise (Entra), cloud (AWS), open-source (Keycloak), and modern development (Supabase) segments.
The Economics of IAM: When to Build vs. Buy
One of the most critical decisions software leaders face is the build-vs-buy analysis for IAM. Through detailed cost modeling, I’ve identified clear patterns:
Small Scale (100-1,000 users): Managed services win decisively. The setup and operational costs of self-hosted solutions far exceed licensing fees.
Medium Scale (1,000-10,000 users): This is the tipping point zone. Organizations with strong DevOps capabilities can achieve cost savings with open-source solutions around 2,000-3,000 users.
Large Scale (10,000+ users): Open-source solutions like Keycloak show significant cost advantages, potentially saving hundreds of thousands annually.
However, the hidden costs in self-hosting are substantial: high availability setup, security patching, backup/disaster recovery, performance monitoring, and upgrade management. The sweet spot for self-hosted solutions is organizations with 3,000+ users AND existing DevOps/Kubernetes expertise.
Practical Recommendations for Different Scenarios
For Personal/Small Business Projects: Resist the temptation to over-engineer. Supabase Auth offers an exceptional free tier (50,000 monthly active users), excellent developer experience, and integrated database security through Row Level Security policies. Other solid choices include Firebase Auth, AWS Cognito, or Auth0’s free tier.
For Learning/Skill Development: If you’re exploring open-source IAM for career development, Authentik offers a more approachable experience than Keycloak. It’s more modern, Docker-native, and easier to deploy, while still providing comprehensive IAM learning opportunities.
For Enterprise Environments: The choice often depends on existing infrastructure. Microsoft shops gravitate toward Entra ID, AWS-heavy organizations use IAM/Cognito, while companies with strong open-source cultures and DevOps capabilities find success with Keycloak.
The Supabase Revelation
One unexpected discovery was how Supabase Auth has quietly become a formidable IAM solution. While marketed as a “Firebase alternative,” it provides full identity provider capabilities plus sophisticated access management through database-level Row Level Security policies.
What makes Supabase particularly compelling is its generous free tier, modern developer experience, and the growing trend of database-centric access control. For startup and scale-up environments, it’s rapidly becoming the de facto choice, making it essential knowledge for technical leaders working in growth companies.
Looking Forward: Strategic Implications
The IAM landscape reflects broader trends in software infrastructure: the tension between control and convenience, the economics of scale, and the increasing importance of security in system design. As technical leaders, our job isn’t just to implement these systems, but to understand the strategic trade-offs and guide our organizations toward solutions that align with both current needs and future growth.
The consolidation around major platforms suggests that IAM expertise in the dominant players (Microsoft, AWS, Auth0/Okta) provides the broadest career value. However, understanding open-source alternatives and emerging players like Supabase positions us to make informed architectural decisions and identify opportunities for competitive advantage.
Most importantly, IAM decisions are rarely reversible without significant cost and complexity. The choice you make today will likely persist for years, making this analysis not just about current capabilities, but about betting on the future direction of identity and access management.
Conclusion
Identity and Access Management sits at the intersection of security, user experience, and system architecture. For software leaders, mastering this domain requires both deep technical understanding and strategic market awareness. The landscape is complex, but the patterns are clear: start simple, scale thoughtfully, and always consider the total cost of ownership – not just the license fee.
Whether you’re building your next side project, architecting enterprise systems, or developing your technical leadership skills, the IAM choices you make today will echo through your systems for years to come. Choose wisely, but more importantly, choose with full awareness of the trade-offs involved.
This analysis emerged from practical exploration of IAM solutions for both personal projects and enterprise architecture decisions. The landscape evolves rapidly, but the fundamental principles of cost analysis, strategic positioning, and technical trade-offs remain constant guides for software leaders navigating this critical infrastructure domain.
