I think the hardest part is the environment/support matrix, not getting it to run in the first place.

It’s usually pretty doable to make a system self-hostable on a happy path. The hard part is supporting it across lots of customer environments without being in the loop every time: custom IdPs, private networking, KMS/HSM/BYOK requirements, upgrade/migration paths, backup/restore, observability, and all the weird edge cases that only show up once other people operate it.

And yes, I think your last point is right: the customers who care most about this category are often exactly the ones who will require self-hosted.

What's your take? Curious what you found effective vs. what you deem hardest from your experience.

Currently we can use Bitwarden either hosted or self-hosted, which solves most of these problems (plus my own extra rig I built to generate OAuth tokens, for people which support that).

Could you elaborate on what challenges you face that can't be solved by the Bitwarden approach?