Identity & Access Management

Your first enterprise deal stalls at security review

I implement SSO and SCIM in your .NET SaaS so it passes the security assessment and the deal goes through.

Enterprise prospects that must comply with ISO 27001, SOC 2 or NIS2 require SSO and SCIM from their SaaS vendors. Without it, a six-figure deal gets blocked. I've built this multiple times in .NET SaaS products, including Azure Entra ID and Auth0.

OAuth2 / OpenID Connect · SCIM 2.0 · Azure Entra ID · .NET · 20+ years experience
Chaïm Zonnenberg

The problem I solve

Your prospect must be ISO 27001 / SOC 2 / NIS2 compliant

Most SSO projects don't start with a feature request; they start with a compliance requirement from your prospect. Enterprise companies that must comply with ISO 27001 (A.9 Access Control), SOC 2 (CC6.1) or NIS2 must enforce centralised identity management across all their vendors. That means they require SSO and SCIM from your SaaS. If you can't deliver that, you won't pass their security review.

Six-figure deal blocked

Your enterprise prospect sends a security questionnaire. "Do you support SSO?" No. "SCIM provisioning?" No. Deal blocked. Sales cycle delayed by 3-6 months, or the prospect goes silent. Their IT department won't approve a SaaS product that requires separate credentials.

Manual user management doesn't scale

Your customer's IT admin has to manually create accounts, reset passwords, and deactivate leavers. With 500 employees, that's a full-time job. With SCIM, it happens automatically from their Azure AD or Auth0.

Your team doesn't have identity expertise

OAuth2, OpenID Connect, SCIM: identity management is a specialisation on its own. Your team builds product features, not token services. Getting this wrong means security vulnerabilities. Getting this right takes months of learning.

How I work

From audit to enterprise-ready in weeks, not months

1. Audit

I review your current authentication stack, database model, and target customers' identity providers. You get a concrete plan: what needs to change, what stays, and how long it takes.

2. Implement

I build SSO (OpenID Connect) and SCIM endpoints in your .NET application. I integrate with your existing user model. Your team reviews every PR. No black box.

3. Onboard

I help you onboard your first enterprise customer. We test the SSO flow with their Azure Entra ID or Auth0 tenant, verify SCIM provisioning, and make sure their security team signs off.

4. Handover

I transfer knowledge to one or more team members so your team can independently manage the identity integration, onboard new customers, and troubleshoot issues.

What I bring

  • Multiple secure token services built from scratch using IdentityServer4, OpenIddict, and custom implementations. I know where each one breaks.
  • SCIM 2.0 provisioning endpoints for user and group provisioning that work with Azure Entra ID and Auth0. Tested against real enterprise tenants.
  • IdentityServer4 migrations because the open-source version is no longer maintained. I've migrated applications to Duende IdentityServer and OpenIddict.
  • 20+ years in .NET and enterprise software at major financial institutions and government organisations. I understand enterprise requirements because I've worked inside them.
  • Microsoft Entra test environment setup. I can help you set up a separate Microsoft Entra test tenant for SSO and SCIM so you can develop and test without touching production.
  • Own SaaS products in production. I run Invullen.nl and Factuur-Assist.nl on Azure. I implement identity for my own products too.

Where my SSO and SCIM implementations run

  • Government / law enforcement: 10,000+ employees
  • Transport / public infrastructure: 3,000+ employees
  • Financial services / banking: 300,000+ customers
  • Education / national assessment: 8,000+ participants/year

Why not WorkOS or another SSO platform?

Products like WorkOS, Stytch and Descope offer SSO-as-a-service. Keycloak is an open-source alternative. So why build custom in .NET?

One-time investment vs. paying forever

WorkOS charges $125 per SSO connection per month. With 10 enterprise customers that's $15,000 per year, and it scales with you. A custom implementation is a one-time investment. After delivery, you pay nothing per connection.

An SDK is only 20% of the work

Even with an SSO platform SDK, you still need significant integration work. Multi-tenant auth flows, just-in-time provisioning, role reconciliation, SCIM PATCH complexity, Entra quirks, audit logging, error handling for provisioning failures. That's 80% architecture and edge cases that no platform solves for you.

Data sovereignty (NIS2 / GDPR)

WorkOS, Stytch and Descope are US-based. With a custom implementation, all identity data stays in your own infrastructure. Increasingly relevant under NIS2 and GDPR, especially for European enterprise customers.

Fits your existing logic

You already have a user model, roles and permissions. An SSO platform requires you to adapt to their model. Building custom integrates with what you already have, without rewriting your existing authentication logic.

Full control

No vendor lock-in, no dependency on a third party for your authentication flow. Your team understands the code, can debug it, and can independently onboard new customers.

Why not Keycloak?

Keycloak is open-source and free, but it's a Java application you need to host, patch and maintain separately. It doesn't integrate into your existing .NET authentication logic; you adapt your application to Keycloak's model. For a .NET SaaS product that means a second tech stack, additional operational overhead, and limited SCIM support. With a native .NET implementation, everything lives in the same codebase and deployment.

My approach: open-source + expertise

I build with open-source components and custom SCIM endpoints. No licence fees, fully within your own .NET stack. All you need is someone who knows how to do it. That's where I come in. My work includes documentation, knowledge transfer to your team and integration tests. Your team can independently onboard new customers and handle day-to-day maintenance. For larger changes like adding a new identity provider, extending SCIM or migrations, you can bring me back in.

Technologies

OAuth2 · OpenID Connect · SCIM 2.0 · Azure Entra ID · Auth0 · IdentityServer4 · Duende IdentityServer · OpenIddict · .NET · C# · ASP.NET Core · Azure · SQL Server

Articles

In-depth technical content on identity in .NET

Replacing IdentityServer4 in .NET

IdentityServer4 is no longer maintained. What are your options? I compare Duende IdentityServer, OpenIddict, and Azure Entra ID, with practical migration advice.

SCIM User Provisioning in .NET

Enterprise customers expect automated user provisioning. I explain what SCIM is, why you need it, and how to build SCIM endpoints in ASP.NET Core.

Need SSO or SCIM in your .NET application?

Send me your security questionnaire or describe your situation. I'll tell you within a day what's needed and how long it takes.

Chaïm Zonnenberg | Senior .NET Developer | I work with a maximum of two SaaS companies at a time