{"id":2709,"date":"2025-04-09T17:33:10","date_gmt":"2025-04-09T16:33:10","guid":{"rendered":"https:\/\/discovery.cevolution.co.uk\/ciam\/?p=2709"},"modified":"2026-04-05T13:23:35","modified_gmt":"2026-04-05T12:23:35","slug":"architecting-a-modern-ciam-solution","status":"publish","type":"post","link":"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/04\/09\/architecting-a-modern-ciam-solution\/","title":{"rendered":"Architecting a CIAM Solution"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> 11<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<p>There are numerous use case scenarios that occur within a typical <span class=\"popup-trigger popmake-2946\" data-popup-id=\"2946\" data-do-default=\"0\">SaaS<\/span> solution: from user interactions via the front-end (browser) for <span class=\"popup-trigger popmake-2828\" data-popup-id=\"2828\" data-do-default=\"0\">SPAs<\/span> and classic <span class=\"popup-trigger popmake-2852\" data-popup-id=\"2852\" data-do-default=\"0\">Web Applications<\/span> to the native interfaces provided by <span class=\"popup-trigger popmake-2862\" data-popup-id=\"2862\" data-do-default=\"0\">Mobile<\/span> and <span class=\"popup-trigger popmake-2866\" data-popup-id=\"2866\" data-do-default=\"0\">Desktop Apps<\/span> \u2014 each connecting with the participation of <span class=\"popup-trigger popmake-2870\" data-popup-id=\"2870\" data-do-default=\"0\">Backends<\/span>, <span class=\"popup-trigger popmake-2873\" data-popup-id=\"2873\" data-do-default=\"0\">BFFs<\/span><span class=\"popup-trigger popmake-2876\" data-popup-id=\"2876\" data-do-default=\"0\">, APIs<\/span> and <span class=\"popup-trigger popmake-2822\" data-popup-id=\"2822\" data-do-default=\"0\">Services<\/span>.<\/p>\n\n\n\n<p>Managing customer identities and ensuring secure access in such scenarios has become a key 
challenge for organisations developing <span class=\"popup-trigger popmake-1354\" data-popup-id=\"1354\" data-do-default=\"0\">B2C<\/span> and <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> solutions, particularly where those identities can originate from multiple sources (e.g. via <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> or <a data-type=\"page\" data-id=\"1136\" href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/federation\/\" target=\"_blank\" rel=\"noreferrer noopener\">Federation<\/a>).<\/p>\n\n\n\n<p>In my previous article, entitled <em><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/09\/what-can-ciam-do-for-you\/\" target=\"_blank\" rel=\"noreferrer noopener\">What Can CIAM Do For You<\/a><\/em>, I took a look at what a modern CIAM solution can provide for anyone building a SaaS solution. My name&#8217;s <span class=\"popup-trigger popmake-378\" data-popup-id=\"378\" data-do-default=\"0\">Peter Fernandez<\/span>, and in this article, I&#8217;m going to explore the architecture of modern CIAM, with an emphasis on the core components, technologies, and best practices to create scalable, secure, and customer-centric identity management.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-embed-handler wp-block-embed-embed-handler wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Anatomy of a CIAM Integration\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/2W_7VcN5jb4?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n<h2 class=\"wp-block-heading\" id=\"integrating-a-ciam-solution\">Integrating a CIAM 
Solution<\/h2>\n\n\n<p>Many reach for the option of building a <span class=\"popup-trigger popmake-1185\" data-popup-id=\"1185\" data-do-default=\"0\">CIAM<\/span> solution in-house, whilst others look to purchasing 3rd party CIAM vendor SaaS subscriptions or adopting a DIY approach using open-source technology.<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"W3C6yMZwjL\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/02\/22\/diy-or-buy\/\">Build, Buy or DIY your CIAM Solution?<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Build, Buy or DIY your CIAM Solution?&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/02\/22\/diy-or-buy\/embed\/#?secret=EP4N6ML5TD#?secret=W3C6yMZwjL\" data-secret=\"W3C6yMZwjL\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<p>Whichever route you take, a modern CIAM architecture relies heavily on several core components that work together to provide a comprehensive identity management solution, each contributing to the overall safety and security whilst enhancing user experiences across the various digital touchpoints:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/\" data-type=\"page\" data-id=\"6\" target=\"_blank\" rel=\"noreferrer noopener\">Authentication<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authorize\/\" data-type=\"page\" 
data-id=\"9\" target=\"_blank\" rel=\"noreferrer noopener\">Authorising<\/a> access to resources<\/li>\n\n\n\n<li><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/protect\/\" data-type=\"page\" data-id=\"24\" target=\"_blank\" rel=\"noreferrer noopener\">Protecting<\/a> sensitive customer data<\/li>\n\n\n\n<li><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/manage\/\" data-type=\"page\" data-id=\"18\" target=\"_blank\" rel=\"noreferrer noopener\">Managing<\/a> data privacy and compliance with regulations<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"540\" height=\"519\" src=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24151607\/CIAM-Service-1-e1748096179864.png\" alt=\"\" class=\"wp-image-4022\"\/><\/figure>\n\n\n\n<p>Both the core components above and the various aspects below are typically found out-of-the-box with vendors who provide 3rd-party SaaS CIAM solutions, or with DIY CIAM solutions based on open-source technology; if you go down the bespoke &#8220;build it yourself&#8221; route, they will be entirely down to you (though for either the 3rd-party or DIY route, you&#8217;ll typically require some additional bespoke customisation for integration within your own infrastructure):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Embracing scalability<\/strong>: Provide a solution that can scale to accommodate growing user bases and handle high traffic volumes without compromising performance.<\/li>\n\n\n\n<li><strong>Prioritising security<\/strong>: Implement robust authentication mechanisms, including multi-factor authentication (<span class=\"popup-trigger popmake-428\" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span>), to ensure that all sensitive data is cryptographically secured.<\/li>\n\n\n\n<li><strong>Simplifying the user experience<\/strong>: Minimise friction by offering seamless registration, 
login, and self-service management, including <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> logins and <span class=\"popup-trigger popmake-397\" data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span> to streamline the authentication process.<\/li>\n\n\n\n<li><strong>Ensuring compliance<\/strong>: Implement strong privacy controls and maintain compliance with relevant data protection regulations (e.g., <span class=\"popup-trigger popmake-399\" data-popup-id=\"399\" data-do-default=\"0\">GDPR<\/span>, CCPA, etc.), supporting consent management and suitable data retention policies.<\/li>\n\n\n\n<li><strong>Monitoring &amp; auditing activity<\/strong>: Employ continuous monitoring of user activities and log all access events to detect suspicious behaviour and ensure compliance.<\/li>\n\n\n\n<li><strong>Leveraging extensibility<\/strong>: Enable seamless integration with various internal and external systems, which is crucial for scalability and functionality.<\/li>\n\n\n\n<li><strong>Adopting an API-first approach<\/strong>: An <span class=\"popup-trigger popmake-2876\" data-popup-id=\"2876\" data-do-default=\"0\">API<\/span>-first posture, typically protected by the Authorization capabilities of the CIAM implementation itself, allows you to leverage automated command, control and configuration that can scale with business needs and evolving technologies.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"V1NWaili64\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/04\/04\/an-api-first-approach-to-ciam\/\">An API-First Approach to CIAM<\/a><\/blockquote><iframe 
loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;An API-First Approach to CIAM&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/04\/04\/an-api-first-approach-to-ciam\/embed\/#?secret=fqxcmFwOvs#?secret=V1NWaili64\" data-secret=\"V1NWaili64\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"authentication\">Authentication<\/h2>\n\n\n<p>Authentication lies at the heart of any CIAM implementation: without it, there&#8217;s no telling in what context an operation is being performed, and hence whether or not that operation is allowed, so it&#8217;s almost impossible to provide anything else.<\/p>\n\n\n\n<p>Authentication also provides a secure context in which user information (such as user account information and user profile information) can be stored and managed. 
This information helps provide a seamless and streamlined experience for the user, where handling their data in a safe and regulatory-compliant manner is extremely important.<\/p>\n\n\n\n<p>Industry-standard best practices and protocols should dictate the approach taken, and various mechanisms have been developed over the years that are proven to provide safety, security and flexibility when integrating a modern CIAM solution.<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"FbtnmrPHFY\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/07\/oidc-saml-and-oauth-2-0\/\">OIDC, SAML and OAuth 2.0<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;OIDC, SAML and OAuth 2.0&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/07\/oidc-saml-and-oauth-2-0\/embed\/#?secret=bK6QEVq9F1#?secret=FbtnmrPHFY\" data-secret=\"FbtnmrPHFY\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"idp\">Identity Provider<\/h3>\n\n\n<p>The preferred mechanism for Authentication should be the use of an <strong>Identity Provider<\/strong>. 
An Identity Provider, commonly referred to as an <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>, is typically deployed as an application-independent (centralised) service and is responsible for verifying a customer\u2019s identity when they attempt to access a service; you can read my companion article, <em><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/25\/b2c-and-b2b-saas-authentication-architectures\/\u2197\" target=\"_blank\" rel=\"noreferrer noopener\">B2C and B2B SaaS Authentication Architectures<\/a><\/em>, to discover more about the value that using your own IdP can provide.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145557\/CIAM-Server-IdP-300x300.png\" alt=\"\" class=\"wp-image-4016\" srcset=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145557\/CIAM-Server-IdP-300x300.png 300w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145557\/CIAM-Server-IdP-150x150.png 150w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145557\/CIAM-Server-IdP-768x768.png 768w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145557\/CIAM-Server-IdP.png 816w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<p>An IdP will leverage industry standards, such as <span class=\"popup-trigger popmake-407\" data-popup-id=\"407\" data-do-default=\"0\">OIDC<\/span> (more <a href=\"#oidc\">below<\/a>) and\/or <span class=\"popup-trigger popmake-470\" data-popup-id=\"470\" data-do-default=\"0\">SAML<\/span>, enabling the likes of <span class=\"popup-trigger popmake-397\" 
data-popup-id=\"397\" data-do-default=\"0\">SSO<\/span> and determining whether the customer is who they claim to be. Various <span class=\"popup-trigger popmake-2228\" data-popup-id=\"2228\" data-do-default=\"0\">first-factor<\/span> authentication methods will typically be supported to provide front-line security while maintaining a seamless user experience, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Password-based authentication<\/strong>: arguably, still the most common method, where users input their username and password.<\/li>\n\n\n\n<li><strong><span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> login<\/strong>: allowing users to authenticate using the so-called social accounts (e.g., Google, Facebook, or LinkedIn).<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/federation\/\" data-type=\"page\" data-id=\"1136\" target=\"_blank\" rel=\"noreferrer noopener\">Federated login<\/a><\/strong>: authentication via a trusted relationship with an organisation&#8217;s own central Identity Provider (<span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>).<\/li>\n\n\n\n<li><strong><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authenticate\/login\/passwordless\/\" data-type=\"page\" data-id=\"1149\" target=\"_blank\" rel=\"noreferrer noopener\">Passwordless login<\/a><\/strong>: the classic approach of Magic Link (typically via Email) and <span class=\"popup-trigger popmake-2284 \" data-popup-id=\"2284\" data-do-default=\"0\">OTP<\/span> as an alternative to the password.<\/li>\n\n\n\n<li><strong><span class=\"popup-trigger popmake-1879\" data-popup-id=\"1879\" data-do-default=\"0\">Passkeys<\/span><\/strong>: a discoverable public key cryptographic credential that provides a flexible, modern passwordless alternative across multiple devices.<\/li>\n\n\n\n<li><strong>Multi-factor authentication 
(<span class=\"popup-trigger popmake-428\" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span>)<\/strong>: adding an extra layer of security requiring users to verify their identity using additional factors, such as biometrics and\/or a one-time password (<span class=\"popup-trigger popmake-2284\" data-popup-id=\"2284\" data-do-default=\"0\">OTP<\/span>) sent via SMS or email.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"3vD7s5LBTa\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/25\/b2c-and-b2b-saas-authentication-architectures\/\">B2C and B2B SaaS Authentication Architectures<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;B2C and B2B SaaS Authentication Architectures&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/25\/b2c-and-b2b-saas-authentication-architectures\/embed\/#?secret=ptMxLOWrv6#?secret=3vD7s5LBTa\" data-secret=\"3vD7s5LBTa\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n\n<p>Being application-independent means that authentication scenarios (such as <span class=\"popup-trigger popmake-428\" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span> and\/or <span class=\"popup-trigger popmake-1879\" data-popup-id=\"1879\" data-do-default=\"0\">Passkeys<\/span>, etc.) can be easily enabled\/disabled across multiple application platforms (e.g. Browser, Mobile, Desktop, etc.) without changing a single line of application code. 
<\/p>\n\n\n\n<p>Moreover, the IdP service can provide proxy capability between IdPs and authentication protocols, which enables connection to the <span class=\"popup-trigger popmake-3363\" data-popup-id=\"3363\" data-do-default=\"0\">upstream IdPs<\/span> crucial for supporting the Social and Federated logins typically associated with <span class=\"popup-trigger popmake-1354\" data-popup-id=\"1354\" data-do-default=\"0\">B2C<\/span> and <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS applications.<\/p>\n\n\n<h4 class=\"wp-block-heading\" id=\"identity-storage\">Identity Storage<\/h4>\n\n\n<p>The <strong>identity store<\/strong> is the repository for all customer-related data and is typically managed by the IdP implementation deployed. Whilst this is also a centralised asset, the store is typically implemented such that account and credential information is maintained separately for any given identity. <\/p>\n\n\n\n<p>For users, this enables functionality such as <span class=\"popup-trigger popmake-2232\" data-popup-id=\"2232\" data-do-default=\"0\">Account Linking<\/span> \u2014 a pivotal aspect of SSO \u2014 and provides secure storage for identity attributes, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Personal information<\/strong>: Name, email address, phone number, etc.<\/li>\n\n\n\n<li><strong>Customer preferences<\/strong>: Communication preferences, marketing consent, privacy settings, etc.<\/li>\n\n\n\n<li><strong>Authentication data<\/strong>: Passwords, public passkey data, and multi-factor authentication (MFA) secrets.<\/li>\n<\/ul>\n\n\n\n<p>The identity store must be <strong>scalable<\/strong>, <strong>secure<\/strong>, and <strong>easily accessible<\/strong>. As with the IdP, most modern CIAM systems typically employ cloud-based identity stores that provide high availability and scalability, supporting millions of customer records. 
<\/p>\n\n\n\n<p>Security measures like <strong>data encryption<\/strong> (both at rest and in transit) and <strong>multi-tier data access controls<\/strong> are typically necessary to protect sensitive customer data.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-b4959989dfd0772fe7270cd6fd391d16 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Not all information associated with an identity will be stored by the <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span>. User purchase history, for example, or subscription information should be stored externally, using IdP-provided account identifiers to mitigate the proliferation of <span class=\"popup-trigger popmake-2915\" data-popup-id=\"2915\" data-do-default=\"0\">PII<\/span>.<\/em><\/p>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"oidc\">OIDC<\/h3>\n\n\n<p>For <span class=\"popup-trigger popmake-1354\" data-popup-id=\"1354\" data-do-default=\"0\">B2C<\/span> and <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS applications, the recommended approach to integrating CIAM Authentication is to leverage the <span class=\"popup-trigger popmake-407\" data-popup-id=\"407\" data-do-default=\"0\">OIDC<\/span> (OpenID Connect) Protocol to deliver an <span class=\"popup-trigger popmake-1393\" data-popup-id=\"1393\" data-do-default=\"0\">ID Token<\/span> that will be used to validate user authentication, namely <span class=\"popup-trigger popmake-1437\" data-popup-id=\"1437\" data-do-default=\"0\">Login<\/span>, and (optionally) build the user session within the application. 
<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09152027\/icon-id-token-300x300.png\" alt=\"\" class=\"wp-image-2929\" srcset=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09152027\/icon-id-token-300x300.png 300w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09152027\/icon-id-token-150x150.png 150w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09152027\/icon-id-token-768x768.png 768w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09152027\/icon-id-token.png 816w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<p>In this scenario, each application swaps the direct validation of credentials \u2014 typically a UserID and Password, as well as any <span class=\"popup-trigger popmake-428\" data-popup-id=\"428\" data-do-default=\"0\">MFA<\/span> \u2014 for the validation of the ID Token generated by the IdP and representing the authenticated state of a user. <\/p>\n\n\n\n<p>Of course, if the user does not pass successful authentication, then no token will be generated, which will typically signal an unsuccessful authentication or an unauthenticated state.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"authorization\">Authorization<\/h2>\n\n\n<p>Once a consumer has been authenticated, authorization can be used to determine what resources can be accessed and\/or what actions can be taken. Authorization enforces access based on a user\u2019s role, attributes, specific permissions, and\/or consent. <\/p>\n\n\n\n<p>Authorization data is used to both inform the user interface (e.g. 
enabling or disabling functionality based on capability) and restrict a user based on what they are allowed or not allowed to do. <\/p>\n\n\n\n<p>Again, industry-standard best practices and protocols should dictate the approach taken, and various mechanisms have been developed over the years that are proven to provide safety, security and flexibility when integrating a modern CIAM solution (see the article entitled <a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/07\/oidc-saml-and-oauth-2-0\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>OIDC, SAML and OAuth2.0 for more<\/strong><\/a>).<\/p>\n\n\n<h3 class=\"wp-block-heading\" id=\"authorization-server\">Authorization Server<\/h3>\n\n\n<p>In a similar fashion to an IdP (discussed <a href=\"#idp\">above<\/a>), an <strong>Authorization Server<\/strong> provides a centralised application-independent service \u2014 in this case, one responsible for verifying access to resources. <\/p>\n\n\n\n<p>An Authorization Server can be deployed as a stand-alone entity and will typically utilise an IdP to perform the necessary precursor authentication required. However, with many of the 3rd party vendor SaaS implementations, such as <strong>Auth0 by Okta<\/strong>, the IdP and the Authorization Server are delivered as a combined service, with the pricing strategy typically reflecting this too. <\/p>\n\n\n\n<p><strong>Keycloak<\/strong> \u2014 a popular open-source solution \u2014 is similar but, of course, is free to use, so the combination of functionality does not incur any additional charge. 
For more on the virtues of the various approaches, see my article entitled <strong><a data-type=\"post\" data-id=\"127\" href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/02\/22\/diy-or-buy\/\" target=\"_blank\" rel=\"noreferrer noopener\">Build, Buy or DIY your CIAM Solution?<\/a><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145711\/CIAM-Server-Authorize-300x300.png\" alt=\"\" class=\"wp-image-4018\" srcset=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145711\/CIAM-Server-Authorize-300x300.png 300w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145711\/CIAM-Server-Authorize-150x150.png 150w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145711\/CIAM-Server-Authorize-768x768.png 768w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/24145711\/CIAM-Server-Authorize.png 816w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n<h4 class=\"wp-block-heading\" id=\"consent\">Consent<\/h4>\n\n\n<p>Using the industry-standard <span class=\"popup-trigger popmake-467\" data-popup-id=\"467\" data-do-default=\"0\">OAuth 2<\/span> protocol (more <a href=\"#oauth2\">below<\/a>), an application-independent Authorization Server can be leveraged to provide the <span class=\"popup-trigger popmake-2149\" data-popup-id=\"2149\" data-do-default=\"0\"><strong>Delegated Authorization<\/strong><\/span> services used to support modern user <a data-type=\"page\" data-id=\"1146\" href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authorize\/consent\/\" target=\"_blank\" rel=\"noreferrer noopener\">consent<\/a>. 
<\/p>\n\n\n\n<p>Consent allows a user to explicitly grant a (third-party) client \u2014 i.e. an application \u2014 access to protected resources held by a resource server, enabling the client to act on the user&#8217;s behalf without the user needing to reveal their credentials.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-ef8e75c9ce34bdf86cfc017085086623 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>As defined by the OAuth 2 protocol, an Authorization Server is responsible for generating and delivering the <span class=\"popup-trigger popmake-1400\" data-popup-id=\"1400\" data-do-default=\"0\">Access Token<\/span> used for resource access. That same token can also inform the service(s) used for Access Control.<\/em><\/p>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\" id=\"access-control\">Access Control<\/h4>\n\n\n<p><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/authorize\/access-control\/\" data-type=\"page\" data-id=\"509\" target=\"_blank\" rel=\"noreferrer noopener\">Access Control<\/a>, which governs what someone or something is permitted to access, is commonly implemented around a number of access control models that can be used in a mix-and-match fashion to create rich access control strategies. 
Some of the commonly used models for access control include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Role-Based Access Control (<span class=\"popup-trigger popmake-1623 \" data-popup-id=\"1623\" data-do-default=\"0\">RBAC<\/span>)<\/strong>: This is one of the most common models used in CIAM, where customers are assigned roles (e.g., &#8220;Admin&#8221;, &#8220;User&#8221;, &#8220;Guest&#8221;), and access to resources is granted based on the assigned role.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-157fc294a9dc55d16f6cb070bce56c56 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Many 3rd party systems \u2014 either vendor-provided SaaS solutions or open-source implementations \u2014 come equipped with rudimentary <span class=\"popup-trigger popmake-1623\" data-popup-id=\"1623\" data-do-default=\"0\">RBAC<\/span> capability. 
Such implementations typically also allow the encoding of RBAC directly within an ID Token and\/or an Access Token.<\/em><\/p>\n<\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Relationship-Based Access Control (<span class=\"popup-trigger popmake-2333\" data-popup-id=\"2333\" data-do-default=\"0\">ReBAC<\/span>)<\/strong>: A model that can be used to restrict access based on the particular relationships established between one or more users and\/or other entities.<\/li>\n\n\n\n<li><strong>Attribute-Based Access Control (ABAC)<\/strong>: Where access is determined by the attributes of the user (e.g., location, subscription status, device type) rather than predefined roles or relationships.<\/li>\n<\/ul>\n\n\n\n<p>Access control often centres around policies \u2014 as in the set of rules that govern who can access certain resources, how they can access them, and under what conditions \u2014 and until recently, has been something that a <span class=\"popup-trigger popmake-1354\" data-popup-id=\"1354\" data-do-default=\"0\">B2C<\/span>\/<span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS solution developer has largely had to manage and implement themselves. <\/p>\n\n\n\n<p>However, with the introduction of 3rd party solutions (both vendor-supplied and open-source provided), authorization has become a key area of focus in the SaaS-provided CIAM space. 
For more on the subject, read my related article entitled:<\/p>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"FYvOCLWgD5\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2026\/03\/12\/auth-in-the-world-of-customer-identity\/\">Auth In The World Of Customer Identity<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Auth In The World Of Customer Identity&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2026\/03\/12\/auth-in-the-world-of-customer-identity\/embed\/#?secret=RZi18bMsR7#?secret=FYvOCLWgD5\" data-secret=\"FYvOCLWgD5\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"oauth2\">OAuth 2<\/h3>\n\n\n<p>The recommended approach to integrating CIAM Authorization is to leverage an Authorization Server via <strong><span class=\"popup-trigger popmake-3653\" data-popup-id=\"3653\" data-do-default=\"0\">Authorization Code Flow<\/span><\/strong> to deliver an <span class=\"popup-trigger popmake-1400\" data-popup-id=\"1400\" data-do-default=\"0\">Access Token<\/span> in the context of a consenting user, created by using the <span class=\"popup-trigger popmake-467\" data-popup-id=\"467\" data-do-default=\"0\">OAuth 2<\/span> Protocol. 
An Access Token \u2014 also known as a <em>Bearer Token<\/em> when delivered via an HTTP header \u2014 is comparable to an API Key, but where context, lifetime, and auditability can be assured.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-9371d106d8bb12e1163937c955c3eb7d is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Via <span class=\"popup-trigger popmake-2133\" data-popup-id=\"2133\" data-do-default=\"0\">Client Credentials<\/span> flow, an Access Token can also be created to provide access control in a non-user context, too.<\/em><\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image aligncenter size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09155234\/icon-access-token-300x300.png\" alt=\"\" class=\"wp-image-2933\" srcset=\"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09155234\/icon-access-token-300x300.png 300w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09155234\/icon-access-token-150x150.png 150w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09155234\/icon-access-token-768x768.png 768w, https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/09155234\/icon-access-token.png 816w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<p>The Access Token is used to determine authorised state \u2014 where an <span 
class=\"popup-trigger popmake-2876\" data-popup-id=\"2876\" data-do-default=\"0\">API<\/span> (or other mechanism), via which a resource is accessed, can use it to determine consent, and\/or the control of access either directly or via a call to some additional service, like <em><a href=\"https:\/\/openfga.dev\/\" target=\"_blank\" rel=\"noreferrer noopener\">OpenFGA<\/a><\/em>. <\/p>\n\n\n\n<p>The validation of the Access Token (otherwise referred to as the <em>Bearer Token<\/em>) generated by the Authorization Server and leveraging authentication via an <span class=\"popup-trigger popmake-415\" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span> is used to determine the authorised state of a user.<\/p>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-bb11294f1e403824236371e2cfbaab6c is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>Whilst a service like OpenFGA can be used to determine the effective access to a resource, it still requires Resource Server implementation et al to enforce whatever access is determined, typically by the process of validation via Access Token in the API.<\/em><\/p>\n<\/div>\n\n\n\n<p>Again, if a user does not pass successful authentication or is not authorised to use a resource, then no token will be generated, typically signalling an unsuccessful authentication or an unauthenticated\/unauthorised state. 
<\/p>\n\n\n\n<p>Use of an Access Token provides significant advantages over the use of an <em>API Key<\/em>, and I&#8217;ll be discussing this more in a future article.<\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"management\">Management<\/h2>\n\n\n<p>The ability to manage a CIAM implementation in a centralised manner largely goes without saying: the dashboard-like interface provided by most implementations, both from third-party SaaS vendors and via an open-source DIY approach, is commonplace. However, what can often be overlooked is the value and the richness of functionality indicative of also supporting the API-first approach.<\/p>\n\n\n<h3 class=\"wp-block-heading\" id=\"system-management\">System Management<\/h3>\n\n\n<p>Adopting modern standards for Authentication and Authorization typically means adopting a service-oriented approach to CIAM. Implementing an Authorization Server and\/or <span class=\"popup-trigger popmake-415 \" data-popup-id=\"415\" data-do-default=\"0\">IdP<\/span> as an application-independent deployment typically means another aspect that needs to be managed, and securely integrating that as part of your existing development toolchain and\/or CI\/CD workflow(s) largely requires an automated approach.<\/p>\n\n\n\n<p>In a similar fashion, the configuration-as-a-service model adopted by many systems administrators requires mechanisms for performing automated configuration management, particularly in <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span> SaaS scenarios where your customers may wish to integrate as part of their existing workflows(s). 
Whilst a dashboard-style interface is great for ad-hoc administration, securely integrating as part of existing (external) tooling typically requires a less manual approach.<\/p>\n\n\n<h3 class=\"wp-block-heading\" id=\"selfservice-management\">Self-Service Management<\/h3>\n\n\n<p>Self-service capabilities in a CIAM implementation enable users to manage their accounts without the need for external assistance. These features enhance the customer experience by offering control and flexibility over their personal information, help to reduce friction during user registration and management, and ensure a smoother experience while maintaining security. They generally include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Account registration<\/strong>: Customers can create an account by providing necessary information like their email address, phone number, or <span class=\"popup-trigger popmake-523\" data-popup-id=\"523\" data-do-default=\"0\">Social<\/span> login details.<\/li>\n\n\n\n<li><strong>Password reset<\/strong>: Customers can reset their passwords securely via email or SMS without needing to contact customer support.<\/li>\n\n\n\n<li><strong>Profile management<\/strong>: Customers can securely update personal information (e.g., address, contact details), communication preferences, and privacy settings.<\/li>\n\n\n\n<li><strong>Consent management<\/strong>: Customers can manage their preferences regarding the use of personal data, including opting in or out of marketing communications, and reviewing consent for data collection.<\/li>\n<\/ul>\n\n\n<h3 class=\"wp-block-heading\" id=\"privacy-and-compliance\">Privacy and Compliance<\/h3>\n\n\n<p>Given the increasing focus on privacy regulations such as <strong><span class=\"popup-trigger popmake-399\" data-popup-id=\"399\" data-do-default=\"0\">GDPR<\/span><\/strong> (General Data Protection Regulation), the <strong>CCPA<\/strong> (California Consumer Privacy Act), and others, a modern CIAM solution must prioritise privacy and regulatory compliance, with features for the latter not only ensuring adherence to laws but also helping organisations build trust with customers by demonstrating a commitment to data privacy:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data encryption<\/strong>: Encrypting all personal and sensitive data both at rest and in transit to prevent unauthorised access.<\/li>\n\n\n\n<li><strong>Audit logging<\/strong>: Maintaining transparent records of all user activities (e.g., login attempts, profile updates, consent management, etc.) for security monitoring and regulatory audits.<\/li>\n\n\n\n<li><strong>Data retention policies<\/strong>: CIAM systems should support policies that dictate how long customer data is retained, in accordance with regulatory requirements. Data should be deleted or anonymised after the retention period has expired.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-base-color has-accent-4-background-color has-text-color has-background has-link-color wp-elements-7233960c41bc4b6a6dc030976b455821 is-layout-flow wp-block-group-is-layout-flow\" style=\"border-radius:20px\">\n<p class=\"has-text-align-center\" style=\"padding-top:var(--wp--preset--spacing--40);padding-right:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40);padding-left:var(--wp--preset--spacing--40)\"><em>For B2B applications, the ability to integrate with the systems already employed by a corporate organisation can often make or break a deal when it comes to the purchase of a SaaS solution.<\/em><\/p>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"brand-management\">Brand Management<\/h3>\n\n\n<p>Particularly pertinent for <span class=\"popup-trigger popmake-418\" data-popup-id=\"418\" data-do-default=\"0\">B2B<\/span>, the ability for organisations to leverage their own branding \u2014 ideally in a self-service fashion \u2014 offers customisation that&#8217;s typically expected by <span class=\"popup-trigger 
popmake-2946\" data-popup-id=\"2946\" data-do-default=\"0\">SaaS<\/span> (corporate) customers. This becomes even more relevant for B2B2C and B2B2B (the Business-to-Business-to-Consumer\/Business scenarios involving the repackaging of SaaS solutions), where brand recognition is even more important. <\/p>\n\n\n<h2 class=\"wp-block-heading\" id=\"protection\">Protection<\/h2>\n\n\n<p>Reducing the surface for attack is key to mitigating vulnerability. CIAM workflows, particularly <span class=\"popup-trigger popmake-1437\" data-popup-id=\"1437\" data-do-default=\"0\">Login<\/span> and other user interactivity, that detect and protect against the various efforts of bad actors, are crucial: the consequences of the numerous opportunities for malicious targeting could be catastrophic to your business. <\/p>\n\n\n\n<p>As detection is key to prevention, the ability to enable progressive monitoring within a CIAM implementation \u2014 either continuously, periodically, or preferably some combination of both \u2014 is key to ensuring that your efforts to reduce attacks are working.<\/p>\n\n\n\n<p>To reduce the surface for any attack, however, you first need to understand the various attack vectors and know when you&#8217;re being targeted; protecting a system is all very well and good, but if you don&#8217;t know what you&#8217;re protecting against, your protection mechanisms could be causing users needless friction, potentially doing more harm than good. 
<\/p>\n\n\n\n<p>An understanding of the various attack vectors is therefore fundamental, helping to protect your application(s) and safeguarding your users from the likes of:<\/p>\n\n\n\n<ul style=\"line-height:1.2\" class=\"wp-block-list\">\n<li>Brute-force attack<\/li>\n\n\n\n<li>Breached Password attack<\/li>\n\n\n\n<li>Man-in-the-Middle attack<\/li>\n\n\n\n<li>Suspicious IP attack<\/li>\n\n\n\n<li>Phishing <\/li>\n\n\n\n<li>etc.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group is-content-justification-center is-nowrap is-layout-flex wp-container-core-group-is-layout-23441af8 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-discover-ciam wp-block-embed-discover-ciam\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"YeVdFokrum\"><a href=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/11\/ciam-attack-vectors-and-protecting-against-them\/\">CIAM Attack Vectors and Protecting Against Them<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;CIAM Attack Vectors and Protecting Against Them&#8221; &#8212; Discover CIAM\" src=\"https:\/\/discovery.cevolution.co.uk\/ciam\/2025\/03\/11\/ciam-attack-vectors-and-protecting-against-them\/embed\/#?secret=TVZb3ctsZe#?secret=YeVdFokrum\" data-secret=\"YeVdFokrum\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>CIAM architecture includes several core components all working together to deliver a seamless and secure experience for users. By adopting best practices in security, privacy, and user experience, B2C and B2B SaaS developers can build trust with their customers while ensuring compliance with evolving data protection regulations. 
<\/p>\n","protected":false},"author":1,"featured_media":2802,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"authenticate":"","authentication":"","authenticatedMethod":"","authenticatedMember":"","authorizedPermissions":[],"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_links_to":"","_links_to_target":""},"categories":[7],"tags":[57,23,24,22,62,25],"class_list":["post-2709","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-integration","tag-architecture","tag-b2b","tag-b2c","tag-ciam","tag-modernciamarchitecture","tag-saas"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/discovery-bucket-ha60ib.s3.eu-west-2.amazonaws.com\/wp-content\/uploads\/sites\/22\/2025\/04\/07123553\/architecture.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/2709","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/comments?post=2709"}],"version-history":[{"count":110,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/2709\/revisions"}],"predecessor-version":[{"id":5632,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/posts\/2709\/revisions\/5632"}],"wp:featuredmedia":[{"embeddable":tr
ue,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media\/2802"}],"wp:attachment":[{"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/media?parent=2709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/categories?post=2709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/discovery.cevolution.co.uk\/ciam\/wp-json\/wp\/v2\/tags?post=2709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}