Customer Identity and Access Management

 

What should a good CIAM solution provide?

A Customer Identity and Access Management (CIAM) solution provides you, the application vendor, with the means to create and manage online identities securely. If your website is small, this may not sound like a big deal, but if you deal with tens or hundreds of thousands of users (or even millions!) a CIAM solution can help protect your users and the service you offer from unwanted access.

The CIAM solution allows you to control who is allowed to sign into your site, how they do it and what they can access once they’ve signed in. It also allows you to manage those user identities once they have signed up. But not all CIAM solutions are the same. This article explores the main features you should look for in a good CIAM solution.

 
 
 
 

What is CIAM used for? 

A CIAM solution is used to allow end users to either self-register or be invited to join an online service, creating a user account that they can subsequently use to log in. To log in, the user provides their username and password; the CIAM solution checks that the credentials are correct and then grants access to the application.

The great thing, if you’re an application developer, is that a CIAM solution can be used for authentication to any type of application that communicates over the internet, be it a web, mobile or desktop client application. CIAM is focused on any application being accessed by an end user in order to connect to remotely hosted services over the Internet/HTTPS.

A CIAM solution can offer a range of additional features to enhance or simplify the main authentication function. These can include:

 
 
Support for Social Sign-in, to allow users to sign in using an identity they already have and trust. For example, using your Facebook ID to sign into an application.
 
 
Support for Single Sign-On (SSO) - most CIAM solutions are based on an Identity Provider, which allows a user to sign in once and, within the same session, access one or more applications without the need to sign into each separately.
 
 

All market-leading CIAM solutions use a similar, secure login flow – see the Google and Microsoft login pages below.

 
 

With a CIAM provider such as 10Duke, a simple and secure login flow can be implemented on a white-label basis.

See the example below, where 'Genius Company' would be replaced with your company's brand.

 
 
 
 


Key features of a Customer Identity and Access Management solution

A Customer Identity and Access Management solution can also include features to enhance the security of the authentication process, making it more secure for both the user and the application provider. These security features can include:

 
 

2FA/MFA - second factor authentication (sometimes also called multi-factor authentication) refers to the addition of at least 2 factors that help to authenticate the end user. This might be a text password and a one-time 6-digit code, a password and a smart card reader, a password and a smart key, or any similar combination.


 
 

Identity Federation - federation refers to a process in which the main Identity Provider in a CIAM solution delegates responsibility for authenticating the end user to another authentication service/IdP and then trusts this 3rd party’s authentication decision. This is what happens during the process of social sign in, but most often federation is used to refer to a scenario in which the authentication decision is delegated to a corporate directory such as Active Directory (+ AD Federation Services). This is also sometimes referred to as “SAML SSO”.


 
 
Password security - best practices include minimum password strength, password salting and password hashing, and passwords being stored separately from user names
 
 
Communication between the application and the authentication service is secure, relying on industry-standard, tested, validated protocols and processes including SAML 2 and OAuth 2. Getting this correct is difficult, and a good CIAM provider should be able to provide good, clear, tested workflows that are secure.
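
The password-security item above (minimum strength, a salt per user, hashing, and credentials kept apart from user names), shown as an added example that is not 10Duke's code or part of the original article. The 12-character minimum, the scrypt parameters and the two in-memory stores are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 12  # assumed minimum-strength policy, not from the article
# Assumed scrypt cost parameters; tune them for your own hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)

# Two stores standing in for separate tables or databases (constructed here).
profiles = {}     # user name -> opaque user id
credentials = {}  # opaque user id -> (salt, password hash); no user names

# Random decoy so an unknown user name costs the same work as a known one.
DECOY = (secrets.token_bytes(16), secrets.token_bytes(32))


def derive(password, salt):
    """Slow, salted hash of the password (scrypt)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


def register(username, password):
    """Create an account; only the salt and the hash are ever stored."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password shorter than the minimum length")
    if username in profiles:
        raise ValueError("user name already registered")
    user_id = secrets.token_hex(16)
    salt = secrets.token_bytes(16)  # fresh random salt per user
    profiles[username] = user_id
    credentials[user_id] = (salt, derive(password, salt))
    return user_id


def verify(username, password):
    """Return True only for a known user with the right password."""
    user_id = profiles.get(username)
    salt, stored = credentials.get(user_id, DECOY)
    # Constant-time comparison avoids leaking how many bytes matched.
    matches = hmac.compare_digest(derive(password, salt), stored)
    return matches and user_id is not None
```

Because each user gets a fresh salt, two users who choose the same password end up with different stored hashes, and the credential store on its own does not reveal which user name a hash belongs to.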
 
 


Create a personalized experience for the end user with CIAM

As a CIAM solution stores user identities, it also offers the opportunity to use the data held in it to personalize the online experience for end users. The more an application is able to present information that is directly relevant to the end user, the more valuable it will be.

With a good CIAM solution, there should be a wealth of user attribute information available which can be used to personalize the information presented to the end user.

Examples of this include:

    • Presenting new products to the end user based on products that you know they already have purchased 
    • Showing promotions for conferences to the user to attend, based on an awareness of their current location
    • Showing support or training content, based on their recent purchase history.
 
 

Manage user information easily with a CIAM solution

Another critical aspect of a good Customer Identity and Access Management solution is allowing the identity information of users (identities, permissions and properties) to be easily managed.

CIAM provides the ability to create and manage the information on users, either by means of the user self-registering and maintaining the information, the user being invited to the service initially and then asked to add any required personal information, or an administrator of the system administering information on users.


This may include: 

    • Standard user information, such as first name, last name, gender, age, location
    • A set of additional information, referred to as ‘profile attributes’, which includes information such as properties, age, gender, income, location, educational level
    • A profile can also then be automatically enhanced by the CIAM solution adding information to the user profile, such as IP address, device type used to access the service, etc.
    • Allow the user to self-register and add personal information themselves
    • Change password


A good CIAM solution should easily allow the identity information that it stores to be shared as appropriate with connected systems. As user information is critical across a business, the data held in a CIAM system is normally shared with a variety of connected business systems.

This means that, in implementing a CIAM solution, decisions have to be made as to whether there is a single source of truth for customer data or whether customer data is held in multiple locations. A successful implementation of a CIAM solution requires a clear understanding of its role and responsibilities in regard to CRM, ERP and e-commerce solutions.

 
 

Ensure your preferred GDPR compliance with CIAM

A good CIAM solution also provides the ability to ensure your compliance with GDPR and other data regulations as easily as possible. Note that we're not saying 'provides compliance with GDPR'. The reality is that there are many views regarding how best to comply with GDPR. A CIAM solution offers the ability to centralize the storage and management of user information.

This same information is governed by GDPR and similar data regulations and your ability to comply with them is aided by the fact that it is centralized. A good CIAM solution can allow the end user to 'self-serve' in managing permissions to their personal data and also even allow the user to revoke your permission to store their data. If stored centrally in a CIAM solution, compliance then becomes much easier.

This is a core consideration when thinking about how best to integrate a CIAM solution with a CRM, ERP or ecommerce solution. If there are several repositories of user information, it becomes more difficult to easily manage that user data and therefore comply with GDPR. Overall, a good CIAM solution should offer you the flexibility to configure it as you wish in order to comply with GDPR as you prefer.

 
 

Access Management

One final key component of a good CIAM solution is the "Access Management" perspective. For simple web services this may be taken care of using RBAC (Role-based Access Control) in which each user is assigned a role within the system and their access to content or applications is defined by their assigned role.

In more sophisticated and more dynamic scenarios, access to any protected resource can be managed by a service like the 10Duke Entitlement API. Regardless of the means of implementation, any good CIAM solution will provide the means to control access to a protected resource for the end user once she has been authenticated.

If you are an application developer and you’re looking for a solution to help you manage the online identities of your users, then a CIAM solution will provide you with several advantages, from reducing the attack surface you present to potential hackers, to making it easier for your users to sign up and sign in, to making it easier to utilise the identity information within your CRM or comply with GDPR.

Whether it be the 10Duke Identity Provider or other competing solutions like AWS Cognito, or Azure B2C, you now have a list of key considerations to keep in mind when selecting and integrating a CIAM solution for your business.

 
