Skip to main contentArrow Right
All storiesArrow Left

BalkanID: Auth Infra Meets Product Scale

Descope BalkanID Customer Story Thumbnail

BalkanID, a modern AI-driven identity security and access governance platform company, needed to migrate to a modern CIAM solution that could support their growing infrastructure. Learn how they completed a full production migration to Descope in under three weeks, gaining self-service SSO capabilities and powerful low-code authentication flows.

About BalkanID

BalkanID is a modern intelligent identity security and governance platform company, that automates access management, access review certification and remediates entitlement sprawl across an organization’s SaaS, cloud and on-prem environments. The company’s mission is to help organizations reduce identity risk, achieve compliance, and enable Zero Trust through automation, analytics, and seamless integration.  

As a company focused on helping organizations achieve enterprise-grade identity security, BalkanID understands the challenges of scaling authentication. To better support their own upmarket journey, BalkanID made the decision to move beyond open-source authentication infrastructure.

They needed a solution that could support sophisticated multi-tenancy and tenant isolation, enable self-service SSO configuration, and reduce the engineering resources required for maintenance. 

Escaping the maintenance spiral

BalkanID originally chose Ory Kratos for authentication, a headless and open-source solution written in the Go programming language. However, based on extensive analysis and lived experience, maintaining an older version of Kratos became increasingly challenging. Upgrading often required changes that risked rendering existing code inoperable or introducing unexpected behavior. Over time, this led to significant engineering investment in custom logic, which became both time-consuming and expensive to maintain in-house. Ultimately, the overhead of working with Ory Kratos pulled focus from the BalkanID core product.

Meanwhile, the lack of self-service capabilities proved especially painful. Any SSO configuration change required their team’s direct involvement, creating bottlenecks as they scaled. Adding modern security features like passkeys or supporting MFA workflows through Kratos was complicated and often demanded intricate, fragile workarounds. Additionally, user lifecycle edge cases, such as employees who left and later rejoined an organization, introduced complications. Since identities had to be deleted and recreated, Kratos occasionally struggled to manage these transitions cleanly, adding friction to BalkanID’s otherwise streamlined IGA offering.

Vishesh Bansal, Director at BalkanID, said:

“We wanted to focus more on building our core product features rather than maintaining complex authentication infrastructure. The few managed hosting options available for Kratos were quite expensive and still required heavy ops involvement.”

The Descope experience

With a hard deadline to complete migration in under a month, BalkanID evaluated multiple vendors. They chose Descope because it met their strict criteria:

  • Developer experience: Descope’s combination of robust SDKs/APIs, low/no-code flow builder, and flexible branding options made it a perfect fit for BalkanID’s developers.

  • Security and compliance: Descope provided everything needed to implement enterprise-grade authentication — modern auth methods (passkeys, adaptive MFA, TOTP, enterprise-grade SSO), authorization models (RBAC and FGA), GDPR compliance, and extensive audit logging across all their environments.

  • Multi-tenancy and SSO: BalkanID praised Descope’s multi-tenancy and SSO features, highlighting the solution’s multiple connections per tenant, IdP-initiated flows, self-service SSO configuration, and tenant isolation.

  • Support and documentation: BalkanID was impressed by the clarity of Descope's documentation, as well as the responsiveness and availability of their support team.

  • Plug-and-play connectors: BalkanID was especially enthusiastic about Descope’s one-click connectors that handle account takeover prevention (e.g., Forter), breached password protection (Have I Been Pwned), and anomaly detection (Traceable).

BalkanID had a working prototype running in just a few days, with the full migration complete in under three weeks. Using Descope’s visual flow builder, BalkanID designed sophisticated, reusable authentication journeys in minutes rather than days. These flows made adding MFA and SSO as simple as dragging & dropping, and they seamlessly plugged into their existing UI with minimal code changes.

On the customer side, the self-service SSO setup suite proved invaluable. What was once a time-consuming, engineer-led process that could take several hours was now completed by customers in just minutes. With customers being able to configure SSO successfully without assistance, engineers were no longer tied up in onboarding sessions and could return their focus to the core product.

Vishesh said:

“What really set Descope apart was its intuitive low-code builder for authentication flows. Between that and the self-service SSO suite, our engineers regained precious cycles that were being spent maintaining our old solution.”

From maintenance mode to exponential growth

The migration to Descope fundamentally transformed how BalkanID approaches authentication. Their engineering team, previously bogged down in infrastructure maintenance, can now focus entirely on refining their AI-powered identity governance solution. Customers are self-onboarding SSO, flows are equipped with modern auth methods, and user journey flows can be modified without affecting the codebase.

The operational changes from migrating to Descope led to impressive returns on investment:

  • SSO configuration: 2 hours per week previously spent on manual SSO setup now returned to product development.

  • Identity management: Support for multiple login ID linking and aliases (critical for certain enterprise scenarios) saves up to 2 days a month.

  • Operational overhead: BalkanID reclaims countless hours previously spent exporting login logs, troubleshooting account lockouts, and cleaning up deleted or modified employee identities.

  • Infrastructure maintenance: A full week annually that was lost to upgrades and maintenance has been restored.

  • Manual identity projects: The approximately 5 monthly identity-related requests that required hands-on intervention dropped to zero.

  • Feature development: Authentication and security features that would have taken weeks to implement now happen in days using Descope’s flow builder.

Finding a solution that eliminates authentication maintenance woes and unnecessary overhead has proven a gateway to growth for BalkanID. The combination of rich SSO options, tenant isolation, and configurability makes their offering even more compelling to enterprise prospects. Now, the identity security and access governance platform can scale their authentication infrastructure as rapidly as their business requires, matching their technical capabilities with their upmarket momentum. 

Ankush Deep, Staff Software Engineer at BalkanID, said:

“While open-source gives you control, that comes with high maintenance overhead and slow adaptability. Migrating to Descope showed us the importance of aligning auth infrastructure with product scale, not just code flexibility.”

Looking ahead, BalkanID plans to extend Descope across more of their product portfolio, providing the same streamlined and secure authentication experience throughout their offerings. Currently, BalkanID is exploring the implementation of step-up authentication for their JITPBAC (Just-In-Time Access Control) to enhance their PIM offering, as well as integrating Descope’s Fine-Grained Authorization (FGA) into their platform in the upcoming months.

Descope is a flexible, drag & drop external IAM platform that helps organizations easily add authentication, authorization, and identity management to their apps, AI agents, and MCP servers. Customers use us for initiatives such as passwordless authentication, SSO, identity federation, strong MFA, identity orchestration, fraud prevention, and agentic identity

To get started with Descope, sign up for a Free Forever account. If you have questions about our platform, book time with our auth experts.

More customer stories

Read moreArrow Right

Read moreArrow Right

Read moreArrow Right

Chat with Sales

Anonymously - no Slack account required

G2 Users Love UsLeave a Descope review

All systems operational

Copyright © Descope Inc. All rights reserved.