Workforce IAM and CIAM look similar on a whiteboard — both authenticate users and manage access. But the architecture is fundamentally different when your user base goes from 5,000 employees to 5 million customers. The scaling problems, the UX requirements, and the regulatory constraints all change.
This guide covers the architectural patterns that make CIAM work at scale, drawn from real deployments.
Why CIAM Needs Different Architecture
| Concern | Workforce IAM | CIAM |
|---|---|---|
| User count | 1K - 100K | 100K - 100M+ |
| Registration | IT-provisioned | Self-service |
| Identity source | Corporate directory | Social + email + phone |
| Session duration | 8-hour workday | Weeks to months |
| Latency tolerance | 500ms acceptable | 100ms expected |
| Consent management | Minimal | GDPR/CCPA mandatory |
| Branding | Consistent corporate | Per-product customization |
| Availability target | 99.9% | 99.99%+ |
You can’t take an Okta workforce deployment, add more users, and call it CIAM. The data model, the session architecture, and the user experience are structurally different.
Pattern 1: Centralized CIAM Hub
The simplest architecture — a single CIAM instance serves all applications and user populations.
┌─────────────────┐
Mobile App ─────────│ │
Web App ─────────│ CIAM Hub │──── User DB (PostgreSQL)
Partner API ────────│ (Auth0/Okta) │──── Session Store (Redis)
IoT Device ─────────│ │──── Audit Log
└─────────────────┘
When to use: Under 5M users, single geographic region, 2-10 applications.
Advantages: Simple operations, single source of truth, easy to reason about.
Limitations: Single point of failure, no data residency support, latency for geographically distributed users, vendor pricing scales linearly with users.
Pattern 2: Federated CIAM with Regional Instances
For global deployments, run separate CIAM instances per region with a routing layer.
┌─────────────────┐
Global CDN ─────────│ Routing Layer │
│ (by geo/email) │
└───┬────┬────┬───┘
│ │ │
┌────┘ │ └────┐
▼ ▼ ▼
┌────────┐ ┌────────┐ ┌────────┐
│CIAM EU │ │CIAM US │ │CIAM AP │
│(Ireland)│ │(Oregon)│ │(Tokyo) │
└────┬───┘ └────┬───┘ └────┬───┘
│ │ │
┌────┴───┐ ┌───┴────┐ ┌──┴─────┐
│ DB EU │ │ DB US │ │ DB AP │
└────────┘ └────────┘ └────────┘
When to use: Over 5M users, GDPR/data sovereignty requirements, global user base.
Routing logic: The routing layer determines which regional instance handles a user. Options:
- By email domain:
@company.de→ EU instance - By IP geolocation: First request determines region, stored in a lightweight global index
- By user preference: User chooses their data region during registration
Cross-region challenges: If a user registers in EU but travels to the US, do they authenticate against the EU instance (latency) or the US instance (data residency violation)? The common solution: authenticate locally using a cached session token, but user data stays in the home region.
Pattern 3: Identity Broker with External IdPs
For applications with social login, enterprise SSO, and phone-based auth:
┌────────────────────┐
│ Identity Broker │
│ (CIAM Platform) │
└───┬───┬───┬───┬───┘
│ │ │ │
┌────────┘ │ │ └─────────┐
▼ ▼ ▼ ▼
┌─────────┐ ┌──────┐ ┌──────┐ ┌────────┐
│ Google │ │Apple │ │ SMS │ │Enterprise│
│ Login │ │Sign-In│ │ OTP │ │ SAML │
└─────────┘ └──────┘ └──────┘ └────────┘
The CIAM platform acts as a broker — users authenticate via their preferred method, and the broker normalizes the identity into a unified profile.
Account linking: When a user signs in with Google on their laptop and Apple Sign-In on their phone, the broker links both external identities to a single internal profile. This requires:
- Email matching (most common)
- Phone number matching
- Explicit user action (“Link this account to your existing profile”)
Scaling Considerations
Database Architecture
The user store is the bottleneck at scale. Options:
| Approach | Users | Latency | Complexity |
|---|---|---|---|
| Single PostgreSQL | < 2M | Low | Low |
| PostgreSQL + read replicas | 2-10M | Low | Medium |
| PostgreSQL with partitioning | 10-50M | Medium | High |
| DynamoDB / Cosmos DB | 50M+ | Very low | Medium |
| Custom sharded store | 100M+ | Very low | Very high |
At 10M+ users, you’ll also need to think about:
- Credential lookup performance: Password hash verification is CPU-intensive (bcrypt at cost 12 = ~250ms). At 100 logins/second, that’s 25 CPU cores just for password checks.
- Session store sizing: Redis cluster with 1M concurrent sessions ≈ 2-4 GB RAM. Plan for peaks — Black Friday traffic spikes can be 10x normal.
- Token signing throughput: RSA-2048 signature ≈ 0.5ms. At 10K token requests/second, that’s 5 CPU seconds — use EC keys (P-256 is 10x faster) or pre-sign JWTs in batches.
Caching Strategy
CIAM at scale requires aggressive caching:
- Session cache: Redis/Memcached for active sessions — avoid hitting the database on every request
- User profile cache: Cache frequently-accessed user attributes with a short TTL (5-15 minutes)
- Token cache: Cache introspection results for opaque tokens (30-60 seconds TTL)
- Rate limiting cache: Track per-user and per-IP request rates in Redis
Authentication Flow Latency Budget
Target: < 200ms total for the authentication round-trip.
| Step | Budget |
|---|---|
| DNS + TLS handshake | 50ms |
| User lookup | 10ms (cached) / 50ms (DB) |
| Password verification | 100ms (bcrypt cost 10) |
| Token generation | 5ms |
| Audit logging (async) | 0ms (non-blocking) |
| Total | 165-205ms |
If you’re running bcrypt at cost 14 (1 second), your login latency will be dominated by password hashing. Consider Argon2id with tuned parameters for better performance/security ratio.
Progressive Profiling
CIAM registration should collect minimal information upfront and gather more data over time:
Registration: Email + password (or social login). Nothing else.
First login: Ask for name and preferred language.
First purchase: Ask for shipping address and phone number.
After 30 days: Ask for communication preferences.
Architecturally, this means your user profile schema must be almost entirely optional fields. The CIAM platform should support conditional UI that shows different profile completion prompts based on user state.
Consent Management Architecture
GDPR, CCPA, and similar regulations require explicit user consent for data processing. CIAM needs built-in consent tracking:
{
"user_id": "usr_abc123",
"consents": [
{
"purpose": "marketing_email",
"granted": true,
"timestamp": "2026-01-15T10:30:00Z",
"version": "privacy-policy-v3.2",
"source": "registration_form"
},
{
"purpose": "analytics",
"granted": false,
"timestamp": "2026-01-15T10:30:00Z",
"version": "privacy-policy-v3.2",
"source": "cookie_banner"
}
]
}
Key requirements:
- Consent must be versioned — when you update your privacy policy, existing consents under the old version may need re-confirmation
- Users must be able to withdraw consent at any time
- Consent records must be immutable for audit purposes (append-only log)
- Downstream systems need real-time consent status to stop processing data when consent is withdrawn
Platform Selection
| Platform | Strengths | Limitations | Best For |
|---|---|---|---|
| Auth0 | Developer UX, Actions extensibility, social login | Cost at scale (per-MAU pricing), limited data residency | B2C SaaS, up to 10M users |
| AWS Cognito | AWS integration, cheap at scale, Lambda triggers | Limited customization, poor admin UI | AWS-native apps, cost-sensitive |
| Azure AD B2C | Microsoft ecosystem, custom policies | Steep learning curve (IEF/XML policies), slow iteration | Microsoft shops, complex B2B2C |
| Keycloak | Full control, no per-user cost, LDAP integration | Operational overhead, limited built-in social login | On-prem or regulated industries |
| Ory | Open source, cloud-native, API-first | Young ecosystem, smaller community | Developer-centric, microservices |
No platform is universally best. The decision depends on your user scale, regulatory requirements, development team expertise, and whether you’re willing to pay per-MAU or invest in operational overhead.
