From authentication to authorization, and automation via self-service configuration, secure endpoints for Customer Identity equal convenience and trust.
CIAM isn’t just about customer access, it’s also about identity management: a good CIAM integration should help you provide consistent and secure management no matter who uses your application.
Hi, I’m Peter Fernandez, and as a CIAM expert, I want to share some of my experience integrating modern customer identity management into modern applications.
Deployment Management
Adopting modern standards such as OAuth 2.0, OIDC and/or SAML typically means adopting a software service approach to CIAM. Implementing an Authorization Server and/or IdP as an application-independent deployment typically means another aspect that needs to be managed. Securely integrating as part of your existing development toolchain and/or CI/CD workflow(s) largely requires an automated approach.
Configuration Management
In a similar fashion, the configuration-as-a-service model adopted by many systems administrators requires mechanisms for performing automated configuration management, particularly in B2B SaaS scenarios where your customers may wish to integrate as part of their existing workflows(s). Whilst a dashboard-style interface is great for ad-hoc administration, securely integrating as part of existing (external) tooling typically requires a less manual approach.
User Management
However, it’s not just about systems management. From both a help-desk and (arguably more importantly) a user self-service perspective, the ability to integrate safely and securely with existing (and even 3rd party) user management is a must. Dashboard-style interfaces are great for ad-hoc administration, but if you have to build or rebuild UX, modify existing tooling, and/or create new workflows for folks to understand, it makes CIAM integration much more challenging!
Session Management
The ability to securely manage user sessions is a crucial tool in any cybersecurity arsenal, especially when provided as a self-service capability. If you’ve ever lost or had a device stolen on which you’ve logged in to your favourite application, then you’ll have undoubtedly appreciated the ability to (remotely) terminate your authenticated user session! But it’s not just about security: (self-service) user session management is also a great asset when it comes to the likes of license management, et al.
Profile Management
From a CIAM perspective, aspects of a user will likely change over time. A user may change their email address, postal address, preferences, and the like, and will almost certainly need to reset one credential or the other at some point. Integrating the ability to safely and securely perform these operations as part of any existing help-desk infrastructure is valuable; the ability to offer profile management in a self-service fashion is crucial from a security and compliance perspective.
An API-First Approach to CIAM
As systems evolve, it becomes crucial to rapidly deploy agile changes and continuously monitor them as part of the software development lifecycle (SDLC) — arguably more so in B2B SaaS applications, where the need to also integrate with customers’ existing systems is crucial to easing adoption. An API-first approach to modern Customer Identity & Access Management (especially the Management side of things) can help you address a broad array of scenarios, ranging from configuration and deployment to user management and privacy concerns, scaling for millions of users and ensuring seamless integration across multiple platforms.
Build vs Buy vs DIY
You could build an in-house custom solution yourself…it’s certainly an option. Particularly if you have a team with the time, capacity, knowledge, and expertise to develop:
- SSO,
- Leverage OIDC and/or SAML for Authentication, Social and/or (Enterprise) Federation,
- Implement Passwordless, Passkeys and/or MFA, with optional
- OAuth 2.0 for API Authorization, as well as
- Deploy and maintain Attack Protection.
The alternative is to integrate with a SaaS solution provided by one of the popular vendors, and the cost of subscribing to one of these typically depends on the features you use and the number of active consumer identities you have.
With vendor-based CIAM, the cost is typically associated with the platform hosting the backend service(s) that deliver Authentication, Authorization, Management and Protection from attack.
With consumer-oriented SaaS, much of this infrastructure is already in place: cloud-based “compute”, database, network resources, etc., could be a necessity for your solution, and delivering these at scale may be something you also need to do.
Deploying a standards-based (open-source) DIY solution within your existing infrastructure might provide a more cost-effective approach, delivering secure and robust CIAM without the need to build everything yourself and with the added benefit of more flexibility and control.
Questions? Comments?
Feel free to reach out!
