In a previous blog, I wrote down the five features your API Management solution must have. In this blog, I am going to do the same for the Customer Identity and Access Management solutions currently on the market. Gartner defines CIAM as follows: “Customer Identity and Access Management (CIAM) manages the authentication and authorization for customer identities.” That does not mean that features other than these five are unimportant, but from a generic perspective, in my experience, these five features are key in a Customer Identity and Access Management solution.
When you are looking for a CIAM solution, vendors will present the features that are well implemented in their system and will hide or obscure the features with a lesser implementation. This is, of course, natural: everyone does it. A job applicant will stress the things that he or she is proud of or good at; the lesser qualities you would rather not highlight. But regardless of whether you are hiring someone for your company or selecting a new Identity and Access Management solution, it is important to know the main features you need to look for in order to compare offers.
So, what are these five high-level features that you should be looking for? These are, as far as I am concerned, the core of an Identity and Access Management solution.
1. Any User Store
First on the list is, of course, the ability to connect to a variety of user stores and storage technologies, whether that is LDAP, Active Directory or an RDBMS user store. In an office environment you often already have an Active Directory user store in use, or perhaps you have Azure Active Directory accounts for your Office 365 users, or even an AWS user store. However diverse your user stores are, you should still be able to use your CIAM solution as your single point of administration. Or you might have an HR system with an LDAP directory that you want or need to connect to. The solution should be able to connect to that existing system so that information is not stored redundantly. This should be combined with a solid function as an IdP (identity provider) if you are not relying on third parties for authentication.
2. Multiple Technologies
The second feature I would like to discuss is support for, and extensibility with, multiple technologies in the CIAM solution. This means that you should be able to support Single Sign-On using SAML, OpenID Connect and other technologies, and also allow custom technologies to be added to the system as an extension. When you are making connections between systems and need to exchange tokens, the ability to bridge between two technologies that normally would not be able to talk to each other is paramount.
The world of Identity and Access Management is a bit like the world of the Enterprise Service Bus. There are multiple systems that need to be connected that do not necessarily speak the same language.
CIAM can be a valuable source of data, especially for CRM systems. As a basic option, CRM customers can automatically get an account for the website, app, or whatever it is you offer. It works the other way around too: anyone who registers in an app or on the web can automatically be entered in the CRM. User metrics can be even more valuable: which applications the customers are using, how often, at what time of day; it all adds value to their user profile. You can even raise an alert when user behavior changes, perhaps near the end of their contract, and improve customer retention by proactively making them an offer.
3. Federated Authentication
Third on my list is the capability for federated authentication, including just-in-time provisioning. This means that you can integrate a third party, a so-called federated authenticator, such as Yahoo, Google or Salesforce, but also services like Bitly and Office 365, and allow your users to authenticate using these services rather than the homegrown solution that you have.
Also in this case, extensibility is vitally important: the ability to add new federated authenticators to the system in order to continuously improve the platform's capability to make connections. Take, for instance, a new identity provider that is currently in fashion, or a new social media platform that is taking the world by storm and that a lot of your customers are already using. Integrating that identity provider as a federated authenticator in your CIAM solution will make it easier for people to use it.
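To make the just-in-time provisioning part concrete, here is an added example (not code from the original post or from any CIAM product) of what happens in the user store when someone logs in through a federated authenticator for the first time. It assumes the provider asserts a stable issuer/subject pair plus an e-mail address with a "verified" flag; the in-memory store, the account shape and the issuer labels are all constructed for the example.

```python
# Just-in-time provisioning for federated authentication (constructed example).
# The local account is keyed on the (issuer, subject) pair the federated
# authenticator asserts; e-mail is used for linking only when the provider
# marks it verified, and an unverified e-mail never links to an existing account.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FederatedIdentity:
    issuer: str               # the federated authenticator that vouched for the user
    subject: str              # that provider's stable identifier for the user
    email: str
    display_name: str
    email_verified: bool = False

@dataclass
class LocalAccount:
    user_id: int
    email: str
    display_name: str
    linked: set = field(default_factory=set)   # {(issuer, subject), ...}

class UserStore:
    """In-memory stand-in for the LDAP/AD/RDBMS user store behind the CIAM solution."""
    def __init__(self):
        self.accounts = {}    # user_id -> LocalAccount
        self.by_link = {}     # (issuer, subject) -> user_id
        self.by_email = {}    # verified e-mail -> user_id

    def jit_provision(self, ident):
        """Return (account, outcome); outcome is "existing", "linked" or "created"."""
        key = (ident.issuer, ident.subject)
        if key in self.by_link:                                    # returning user
            return self.accounts[self.by_link[key]], "existing"
        if ident.email_verified and ident.email in self.by_email:  # same person, new IdP
            acct = self.accounts[self.by_email[ident.email]]
            acct.linked.add(key)
            self.by_link[key] = acct.user_id
            return acct, "linked"
        acct = LocalAccount(len(self.accounts) + 1, ident.email, ident.display_name, {key})
        self.accounts[acct.user_id] = acct                          # first sight: create
        self.by_link[key] = acct.user_id
        if ident.email_verified:
            self.by_email[ident.email] = acct.user_id
        return acct, "created"
```

The same routine serves the CRM direction the post mentions: the "created" outcome is the point at which the new account would be pushed to the CRM.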
4. Layered Security
Number four on my list has to do with layered security. Not all services need the same level of security; sometimes you want an additional level of security, either by definition or in a dynamic setting.
By this I mean that you should be able to add steps to the authentication process in an easy way, for instance requiring multi-factor authentication, such as a FIDO Alliance key, SMS OTP or another second factor, in the login process. And yes, I am talking about adaptive authentication and passwordless approaches.
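As an added illustration of the "by definition" versus "dynamic" distinction (example code, not from the original post or any product): each service carries a static minimum assurance level, risk signals from the login context raise it, and the policy answers which factor the user still has to present. The level numbers, service names, risk signals and the fail-closed default for unknown services are all assumptions made for this example.

```python
# Step-up (adaptive) authentication policy, constructed for this example.
from dataclasses import dataclass

# Assurance levels used by this example (not a standard's levels)
PASSWORD_ONLY = 1
SECOND_FACTOR = 2   # password plus e.g. SMS OTP
STRONG_FACTOR = 3   # phishing-resistant factor such as a FIDO key

# Static minimum level per service ("by definition"); unknown services fail closed
SERVICE_MIN_LEVEL = {
    "newsletter": PASSWORD_ONLY,
    "order-history": SECOND_FACTOR,
    "change-bank-account": STRONG_FACTOR,
}

@dataclass(frozen=True)
class LoginContext:
    service: str
    factors_presented: frozenset = frozenset()   # subset of {"password", "sms_otp", "fido"}
    known_device: bool = True
    new_country: bool = False
    failed_attempts: int = 0

def required_level(ctx):
    """Start from the service's static level and raise it on risk signals (the dynamic part)."""
    level = SERVICE_MIN_LEVEL.get(ctx.service, SECOND_FACTOR)
    if not ctx.known_device or ctx.new_country:
        level = max(level, SECOND_FACTOR)
    if ctx.failed_attempts >= 3:
        level = max(level, STRONG_FACTOR)
    return level

def achieved_level(factors):
    """Level the presented factors actually prove; a FIDO key alone is a passwordless login."""
    if "fido" in factors:
        return STRONG_FACTOR
    if "password" in factors:
        return SECOND_FACTOR if "sms_otp" in factors else PASSWORD_ONLY
    return 0   # an OTP on its own is not a login

def decide(ctx):
    """Return "allow", the step-up still needed, or "deny"."""
    need, have = required_level(ctx), achieved_level(ctx.factors_presented)
    if have >= need:
        return "allow"
    if need >= STRONG_FACTOR:
        return "step-up:fido"
    if have >= PASSWORD_ONLY:
        return "step-up:second-factor"
    return "deny"
```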
5. Identity APIs
Finally, in fifth place (the order in which these five features are mentioned says nothing about their importance), is Identity APIs. Over the last couple of years, we have seen a drive from organization-centric, UI-based configuration to a situation where more and more configuration occurs programmatically, in other words using Identity APIs. This is becoming a defining feature of CIAM / Identity API solutions.
This is important when the (self-)management of user accounts and their permissions should not be handled in a separate portal, but embedded as part of the regular work people are already doing, be it a CRM application, a case management application, or a billing application.
These are the main features that I think a CIAM solution should have. The list could of course be longer. It all depends on the wishes and requirements of your organization. Therefore, you need to create your own list of requirements to make the right decision for a CIAM vendor.