Universal Identity and Access Management for Employees and Consumers
by Christian Cohrs and Marko Sommer, SAP SE
Technology landscapes have expanded significantly with the broad availability of mobile solutions, the cloud, social networks, and big data, along with intelligent technologies such as machine learning, Internet of Things (IoT), and blockchain. These changes have brought a growing number of processes and activities into the virtual world in various ways — for example, there may be a digital twin that represents a person or a device in a digital process, and in other cases, entities may only exist in a digital form.
To manage the identities and authorizations of employees in these types of landscapes, businesses use identity and access management (IAM) — policies and tools that help determine how to identify a person based on secure authentication and how to assign and manage that person’s authorizations for accessing digital resources. As digital technologies have expanded their reach, however, the need for secure authentication and identity management has grown beyond employee scenarios to include consumer-facing scenarios, such as web shops, online communities, and collaboration tools. To meet this need, and to support the customer experience that modern consumers have come to expect, organizations can use customer identity and access management (CIAM).
So, what exactly is the difference between IAM and CIAM, and what tools are available to help you determine who a person is and what that person can do in your digital business processes?
This article helps IT administrators, security experts, CIOs, and legal and compliance officers understand the concepts of IAM and CIAM, and how three cloud-based SAP offerings — the SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity Provisioning services for IAM scenarios and the SAP Customer Identity solution for CIAM scenarios — can help you manage user identities and authorizations in employee and customer-facing scenarios.
Identity and Access Management for Employees and Consumers
Identity and authorization management solutions and services help organizations secure access to critical resources. These solutions and services — such as IAM solutions, CIAM solutions, and social networking services — serve as identity providers that manage identity and authorization information.
Let’s take a closer look at how IAM and CIAM solutions work in business-to-employee (B2E) and business-to-consumer (B2C) scenarios.
IAM in B2E Scenarios
IAM solutions are typically used in B2E scenarios. These solutions — such as the cloud-based services SAP Cloud Platform Identity Provisioning, which is used to manage user identities, and SAP Cloud Platform Identity Authentication, which is used to authenticate users and enable single sign-on — support the identity life cycle of employees (see Figure 1) and secure access to corporate business applications within the internal corporate network through user provisioning and role management. Managing the identity life cycle of employees is important both for productivity and compliance reasons. Productivity suffers whenever an employee is unable to perform an expected task due to lack of access to the required resources, and regulatory compliance can become a significant problem if employees retain access rights to resources that are no longer needed.
In terms of productivity, the need for managed access is most obvious after hiring, when new employees will not have access to any company systems until someone or some process enables that access. A fully automated identity management system that creates accounts and assigns access based on hiring data will allow a new employee to start work right away. An identity management system will also continue to increase productivity after the initial hiring because it adjusts the employee’s authorizations as tasks or areas of responsibility change.
When it comes to compliance, the ability to adjust authorizations as roles change helps prevent employees from accumulating unneeded access authorizations whenever they change positions in the company. And if an employee leaves the company, all access must be revoked to prevent that person from continuing to use company resources.
In IAM-based B2E scenarios, the user is usually initially created in an HR system or a recruiting solution. Once a user is onboarded as an employee, an IAM solution such as SAP Cloud Platform Identity Provisioning provisions the user to various target systems, such as Microsoft Active Directory, to enable access to the company’s corporate network and to key business systems. A key component of this approach is central role management to ensure that users have the access they need for their work along with approval workflows and segregation-of-duties (SoD) checks to ensure that access is limited to the required needs.
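The joiner/mover/leaver reconciliation and the SoD check described in the three paragraphs above, as an added example in Python (this is not SAP Cloud Platform Identity Provisioning's own code; the role model, entitlement names, SoD rule, and the HR and account records are constructed for illustration). It compares what HR says a person should hold with what a target system currently grants and emits the provisioning actions that close the gap:

```python
from dataclasses import dataclass

# Constructed sample role model: business role -> entitlements in target systems.
# Role and entitlement names are hypothetical.
ROLE_ENTITLEMENTS = {
    "accounts_payable": {"ERP_AP_INVOICE_POST"},
    "accounts_receivable": {"ERP_AR_PAYMENT_APPLY"},
    "sales": {"CRM_OPPORTUNITY_EDIT"},
    "it_helpdesk": {"AD_PASSWORD_RESET"},
}

# Hypothetical segregation-of-duties rules: entitlement sets no one user may hold at once.
SOD_CONFLICTS = [frozenset({"ERP_AP_INVOICE_POST", "ERP_AR_PAYMENT_APPLY"})]


@dataclass
class HrRecord:
    user_id: str
    status: str          # "active" or "terminated", as delivered by the HR system
    roles: frozenset     # business roles assigned in HR


@dataclass
class Account:
    user_id: str
    enabled: bool
    entitlements: frozenset   # what the target system currently grants


def desired_entitlements(record):
    """Expand HR roles into the entitlements the user should hold."""
    wanted = set()
    for role in record.roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, set())
    return wanted


def sod_violations(entitlements):
    """Return every SoD rule that the given entitlement set would violate."""
    return [sorted(rule) for rule in SOD_CONFLICTS if rule <= entitlements]


def reconcile(hr_records, accounts):
    """Compare HR truth with target-system state; return (action, user_id, detail) tuples."""
    actions = []
    existing = {a.user_id: a for a in accounts}
    for rec in hr_records:
        acct = existing.get(rec.user_id)
        if rec.status == "terminated":
            # Leaver: everything is revoked, whether or not the account is still enabled.
            if acct is not None and (acct.enabled or acct.entitlements):
                actions.append(("deprovision", rec.user_id, sorted(acct.entitlements)))
            continue
        wanted = desired_entitlements(rec)
        conflicts = sod_violations(wanted)
        if conflicts:
            # Grant nothing until the conflict is resolved through an approval workflow.
            actions.append(("sod_block", rec.user_id, conflicts))
            continue
        if acct is None:
            # Joiner: create the account with exactly what the role model yields.
            actions.append(("create", rec.user_id, sorted(wanted)))
            continue
        # Mover: grant what is missing and revoke what the new role no longer needs.
        missing = wanted - acct.entitlements
        surplus = acct.entitlements - wanted
        if missing:
            actions.append(("grant", rec.user_id, sorted(missing)))
        if surplus:
            actions.append(("revoke", rec.user_id, sorted(surplus)))
    # Accounts with no HR record at all are orphans and need review.
    known = {r.user_id for r in hr_records}
    for acct in accounts:
        if acct.user_id not in known:
            actions.append(("orphan", acct.user_id, sorted(acct.entitlements)))
    return actions


# Constructed sample input: one joiner, one mover, one leaver, one SoD conflict, one orphan.
SAMPLE_HR = [
    HrRecord("alice", "active", frozenset({"accounts_payable"})),
    HrRecord("bob", "active", frozenset({"it_helpdesk"})),
    HrRecord("carol", "terminated", frozenset({"sales"})),
    HrRecord("dave", "active", frozenset({"accounts_payable", "accounts_receivable"})),
]
SAMPLE_ACCOUNTS = [
    Account("bob", True, frozenset({"CRM_OPPORTUNITY_EDIT"})),   # bob moved from sales to helpdesk
    Account("carol", True, frozenset({"CRM_OPPORTUNITY_EDIT"})),
    Account("eve", True, frozenset({"AD_PASSWORD_RESET"})),      # no HR record at all
]


def run_sample():
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

The design point is that the HR record, not the target system, is the source of truth: a mover loses the entitlements of the old role in the same run that grants the new ones, which is what prevents the accumulation of access the compliance paragraph warns about, and an SoD conflict blocks the change rather than being granted and flagged afterwards.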
Authentication and single sign-on are then managed with an IAM solution such as SAP Cloud Platform Identity Authentication. Authentication techniques used with IAM solutions include username and password, biometric authentication, client certificates (X.509 digital certificates), and smartcards. For enabling single sign-on and identity federation in IAM-based B2E scenarios, the SAML, OpenID Connect, and Kerberos/SPNEGO standards are commonly used.
CIAM in B2C Scenarios
CIAM solutions are typically used in B2C scenarios to manage the life cycle of external users, such as consumers (see Figure 2), and secure access to public-facing sites. Note that for this reason, CIAM solutions do not focus on the provisioning of user accounts, in contrast to IAM solutions. CIAM allows companies to find the right balance between leveraging information about customers and protecting customers’ personal data. With a CIAM solution, such as the cloud-based SAP Customer Identity solution,1 companies can continuously learn more about their customers and use this knowledge to deepen the relationship and uncover business opportunities, while customers remain in control of their personal data, which is a prerequisite for businesses storing that data.
In CIAM-based B2C scenarios, users usually self-register for a digital property, such as a web application, native application, or IoT device. During the enrollment process, they typically must provide their consent for the business to manage their personal profile data. The registration may start with a very lightweight user profile that is continuously extended (known as progressive profiling). The creation of this profile may even start before the self-registration process — for example, when a user browses a shopping catalog and subscribes to a newsletter with just an email address, which then evolves into a social login (a login using existing details from a social media account, or social identity provider) or a username and password-based registration.
For authentication, username and password are most widely used with CIAM solutions, with login via social identity providers as an alternative. For single sign-on, OpenID Connect and SAML are commonly used standards. In addition to a standards-based approach, commercial CIAM solutions usually offer native integration capabilities, where the screens and application programming interfaces (APIs) of the solution can be directly integrated into applications such as web shops, online communities, and collaboration tools.
Single Sign-On for Employees and Consumers
Single sign-on is a commonly used authentication functionality that organizations use to increase both efficiency and security by reducing the number of required logins. Let’s take a look at how this functionality works in B2E and B2C scenarios.
Single Sign-On in B2E Scenarios
In B2E scenarios where employees have single sign-on access to their on-premise applications within the corporate network (usually enabled by a corporate identity provider such as SAP Single Sign-On), they expect the same single sign-on access to the company’s public-facing sites. To enable single sign-on for these types of hybrid scenarios, you must either expose the corporate identity provider to the internet or establish another identity provider outside of the firewall.
For security reasons, the first option is rarely chosen — most opt for establishing a second cloud-based identity provider outside the company’s firewall to avoid exposing the corporate identity provider to the external network and to take advantage of the reduced maintenance effort required for cloud solutions (see Figure 3). In this scenario, an IAM solution with single sign-on functionality, such as SAP Cloud Platform Identity Authentication, serves as the second identity provider. The challenge in this type of scenario is how to integrate the second identity provider — the IAM solution — with the existing single sign-on infrastructure.
One of the ways SAP Cloud Platform Identity Authentication addresses this integration challenge is by supporting the Identity Provider Proxy protocol, which allows one identity provider to forward authentication requests to another identity provider in a seamless way. This can even be configured based on the user’s email domain so that one group of users authenticates to the SAP Cloud Platform Identity Authentication service while other users are sent to another identity provider.
Single Sign-On in B2C Scenarios
In B2C scenarios, where external users access a company’s public-facing sites, they are authenticated via a CIAM identity provider (see Figure 4). Credentials, such as username and password, may be validated directly in a CIAM identity provider, such as the cloud-based SAP Customer Identity, or users may authenticate via a social identity provider. To enable single sign-on for these types of scenarios, the CIAM identity provider must offer strong authentication that combines multiple verification methods for critical applications — for example, username/password plus a second factor such as a one-time password (a six- or eight-digit code generated by an app on, or sent to, the user’s mobile device).
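The six- or eight-digit one-time password mentioned above is, in the app-generated case, a time-based one-time password (TOTP, RFC 6238), which the article's later section also names as a planned shared component. The following is an added example of the server-side half of that second factor, written for this page and not taken from SAP Customer Identity or SAP Cloud Platform Identity Authentication; the Base32 secret is the RFC 6238 reference secret, embedded here as constructed enrollment data, and the skew window and replay rule are this example's own choices:

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(encoded):
    """Decode a Base32 shared secret as shown in an enrollment QR code (padding optional)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, submitted, now=None, step=30, digits=6, window=1,
                last_used_counter=None):
    """Server-side check. Returns the accepted counter, or None on failure.

    - accepts codes from `window` steps before or after the current one (clock skew),
    - rejects any counter at or below the last one accepted, so a code cannot be replayed,
    - compares in constant time.
    """
    if now is None:
        now = time.time()
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


# Constructed enrollment: the RFC 6238 reference secret "12345678901234567890" in Base32.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_base32_secret(SAMPLE_SECRET_B32)
    print("current code:", totp(key, time.time()))
```

The verifier returns the counter it accepted so the caller can persist it per user as `last_used_counter`; without that bookkeeping a code that was intercepted inside the validity window can be submitted a second time. The window of one step either side is the usual compromise between tolerating clock drift on the device and limiting how long a code stays valid.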
With B2C scenarios, a company must also decide how to “slice” single sign-on for their external users. Single sign-on can be established across all brands, or it can be separated by brand or region. For example, a holding company that owns a number of different brands can decide which specific brands are covered by a single authentication process. In the example shown in Figure 4, Consumer A will have single sign-on access across the Brand 1 and Brand 2 sites if the company decides to combine both brand sites into one site group using the CIAM identity provider. If the company instead wants to position the brands independently, two site groups can be established without single sign-on using the CIAM identity provider, illustrated by Consumer B, who has access only to Brand 2.
Choosing an Identity Provider Solution
So how do you go about choosing an identity provider for user management, authentication, and single sign-on in your own organization? First, you need a solid understanding of the requirements for your identity provider solution, which differ significantly depending on whether the solution is for a B2E or B2C scenario. Figure 5 provides an overview of the key identity provider requirements for B2E and B2C scenarios. Keep in mind that while B2E scenarios focus mainly on integrating into existing corporate security capabilities and processes, B2C scenarios focus on enabling a user-friendly experience for consumers.
SAP Solutions for IAM and CIAM
SAP offers three cloud-based solutions that meet the requirements for IAM and CIAM identity providers: SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity Provisioning for IAM scenarios, and SAP Customer Identity for CIAM scenarios. Let’s take a closer look at when to use which solution, so you can make the right choice for your own organization.
SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity Provisioning are IAM solutions that address mainly B2E scenarios that involve employees and contractors, and that integrate well with one another. SAP Cloud Platform Identity Provisioning is recommended for identity lifecycle management and user provisioning in IAM scenarios, and SAP Cloud Platform Identity Authentication is recommended for authentication when there is an existing single sign-on infrastructure and identity federation is needed. SAP Cloud Platform Identity Authentication also supports flexible configuration of multi-factor authentication. In the future, SAP Cloud Platform Identity Authentication will be able to support B2B scenarios in which the integration is about partners collaborating with employees or establishing partner networks for collaboration between companies. Figure 6 shows the administration console for SAP Cloud Platform Identity Authentication.
SAP Customer Identity is a CIAM solution that addresses mainly B2C scenarios that involve consumers, customers, and prospects. It is the recommended authentication and single sign-on solution for self-registration scenarios with progressive profiling and to serve the needs of enterprise-wide consent management. It allows authentication with social identity providers, has sophisticated branding capabilities, and can seamlessly be integrated into customer sites with native integration functionality. In the future, SAP Customer Identity will also support B2B scenarios in which the integration is about partners consuming content or goods and the business requires personalization and consent collection to provide a tailored experience. Figure 7 shows the login configuration using the administration console for SAP Customer Identity — as you can see, you can customize how the login appears and behaves.
When it comes to authentication and single sign-on functionality, while SAP Cloud Platform Identity Authentication and SAP Customer Identity support different types of scenarios, in some cases, you may want to use them together — for example, you may want to enable single sign-on for your employees when they want to access the company’s own public-facing communities and collaboration tools. Integration between the two products can be established by delegating authentication requests to the other identity provider. This can be achieved by either an interactive decision by the user (such as clicking a button or link) or via conditional authentication flow.
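The two delegation mechanisms described here, an interactive choice by the user and a conditional flow, together with the email-domain routing of the Identity Provider Proxy discussed in the B2E single sign-on section above, come down to one routing decision per authentication request. The following is an added example of that decision in Python; it is not the product's own logic, and the identity provider identifiers, the domains, and the rule set are hypothetical:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoutingRule:
    email_domain: str   # matches this domain and any subdomain of it
    idp: str            # identifier of the identity provider to forward to


# Constructed configuration; the IdP identifiers and domains are hypothetical.
TRUSTED_IDPS = {"corporate-idp", "customer-idp", "local"}
RULES = [
    RoutingRule("corp.example", "corporate-idp"),   # employees -> corporate SSO via IdP proxy
    RoutingRule("shop.example", "customer-idp"),    # consumer accounts -> CIAM identity provider
]
DEFAULT_IDP = "local"   # authenticate against the service's own user store


def email_domain(email):
    """Extract a normalized domain from an email address, or None if it is malformed."""
    local, at, domain = email.strip().rpartition("@")
    if not at or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def domain_matches(domain, rule_domain):
    """True for the rule domain itself and its subdomains, never for mere string suffixes."""
    return domain == rule_domain or domain.endswith("." + rule_domain)


def select_identity_provider(email=None, chosen_idp=None):
    """Decide where to forward the authentication request.

    An explicit user choice (button or link) wins, but only if it names a trusted IdP;
    otherwise the email domain is matched against RULES in order, falling back to DEFAULT_IDP.
    """
    if chosen_idp is not None:
        if chosen_idp not in TRUSTED_IDPS:
            raise ValueError("untrusted identity provider requested: %r" % chosen_idp)
        return chosen_idp
    domain = email_domain(email or "")
    if domain is not None:
        for rule in RULES:
            if domain_matches(domain, rule.email_domain):
                return rule.idp
    return DEFAULT_IDP


if __name__ == "__main__":
    for addr in ["Alice@CORP.example", "bob@mail.corp.example", "carol@notcorp.example"]:
        print(addr, "->", select_identity_provider(addr))
```

Two details carry the security weight: the user-selected identity provider is checked against an allowlist rather than being forwarded blindly, and the domain match requires a dot boundary so that a lookalike domain such as `notcorp.example` does not inherit the corporate rule.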
Upcoming Features for Authentication and Single Sign-On
While SAP Cloud Platform Identity Authentication and SAP Customer Identity are complementary solutions, with each serving authentication needs for distinct scenarios, some technology synergies between them are planned for the future, so customers will be able to use the same technologies in both scenarios. These synergies include infrastructure components, such as email and SMS service, as well as technology components, such as time-based one-time password (TOTP) generating applications.
In addition, for SAP Cloud Platform Identity Authentication, SAP plans to extend its support for B2E scenarios by adding integration with applications that make up the Intelligent Enterprise Suite, new multi-factor authentication functionality, and more security functions and authentication mechanisms. SAP also plans to add features to SAP Customer Identity to extend its support for B2C scenarios and to include B2B use cases going forward. These planned enhancements include global login functionality, additional login identifiers, OpenID Connect extensions, additional multi-factor authentication support, account hierarchies, attribute-based role decision, and delegated account administration.
Establishing consistent user lifecycle processes and protecting access to public-facing applications and platforms require a thorough analysis of a wide range of influencing factors, including usability, ease of consumption, integration, consistency, security, and legal compliance. To serve these needs, SAP offers SAP Customer Identity, SAP Cloud Platform Identity Authentication, and SAP Cloud Platform Identity Provisioning — complementary solutions that support B2E, B2C, and soon B2B scenarios with best-of-breed capabilities for user provisioning, registration and consent management, authentication, single sign-on, identity federation, and integration with third-party solutions based on open standards.
1 Note that at the end of 2017, SAP acquired Gigya and its solutions, which were rebranded to form the SAP Customer Data Cloud portfolio: SAP Customer Identity, SAP Customer Consent, and SAP Customer Profile. Learn more at https://cx.sap.com/en/products/customer-data-cloud.
Christian Cohrs (email@example.com) is a Product Manager for Identity and Access Management at SAP SE. He has a background in computer science and has worked in various positions at SAP during the last 18 years, most recently as Product Owner for SAP Single Sign-On.
Marko Sommer (firstname.lastname@example.org) is a Product Manager for Identity and Access Management at SAP SE. He worked as a developer and project manager for SAP’s industry solutions for Healthcare and Insurance before joining the SAP Cloud Platform Security team.