Glossary

What is CIAM?

CIAM stands for customer identity and access management.

Typically, CIAM takes the form of authentication software used with an organisation’s public-facing websites, apps and other digital services. This software seamlessly integrates with a company’s branded digital properties to provide powerful security and frictionless access. CIAM solutions and their associated features are key to meeting consumer demands for a unified experience, while reducing the risk of a data breach.

CIAM vs. IAM

Identity and access management (IAM) typically deals with authentication and access within an organisation – for example, determining what happens in terms of changes to a user account and privileges when employees join, leave, or move roles within a company.

As opposed to IAM, customer identity and access management (CIAM) is outward-facing. It is also concerned with joining, moving, and leaving, but more usually in the sense of registering for an account, making changes to the account or the relationship (self-service account, consent and preference management), or asking to be removed.

The ‘C’ in CIAM does not mean, however, that the users who authenticate are always private individuals. They may be authenticating on behalf of a company or other organisation. In other words, CIAM addresses external authentication scenarios – both B2C and B2B.

Why is CIAM needed?

With any website or other internet service which requires authentication, the norm in the past was to build the authentication into the website, using a back-end database to store credentials. Although this involves significant work at the start of the process, once up and running, it becomes part of the website ‘furniture’ – and it does not look like a useful candidate for outsourcing.

However, built-in website authentication almost always has all of the following problems:

Does not provide single sign on across multiple web applications.
Does not apply password blacklists.
Does not supply sign-on analytics.
Does not automatically update to protect the website against new threats.
Does not outsource single sign-on (SSO) to upstream identity providers (IdPs) such as social or organisational IdPs.
Does not update to incorporate new features such as multi-factor authentication (MFA).
From an end user perspective, the lack of SSO and social login can cause frustration – and rather than create new identities, a percentage of them will take their custom elsewhere. But even more concerning is the increased risk of a data breach with a legacy solution.

Features and benefits

As a corollary to the above disadvantages of a home-grown authentication solution, CIAM features remove the friction from sign-up and sign in processes – and, critically, improve security.

Key benefits of CIAM:

Frictionless access

Single sign-on (SSO) across multiple web applications means users do not have to create more than one account when dealing with an organisation’s multiple web-based services.

Enhanced protection

For the user’s identity and the organisation’s resources – with a range of security measures including multi-factor authentication, threat detection and password blacklists.

Scalable performance

Customers expect anytime access to your services and resources – a CIAM solution needs to scale to demand to ensure the experience isn’t compromised during times of peak usage.

In addition, most solutions available today will provide:

Some graphical analysis of user behaviour, which is available out of the box
Ability to ‘outsource’ credentials to other identity providers (IdPs) such as social IdPs* or Office 365

*Social login has become particularly prevalent and valuable in CIAM solutions – allowing customers to authenticate with popular social media providers, such as Facebook, rather than set-up yet another username and password. Keep in mind that if it’s an outsourced service, it’s more likely to provide new authentication-related features as they become available.

The end result is happy customers, who trust your organisation and stay loyal to your brand.

Key technologies

GDPR-friendly identity-as-a-service.
High availability solution touching 1.75 billion identities.
Open Source product for building your own IAM solutions.
Single sign-on (SSO) with easy app registration including SAML & OpenID.
Registration-as-a-service and social login.
Customisable solution based around JavaScript.
Highly secure solution based on Microsoft’s Azure Active Directory.

In February 2019, it was reported that 617 million online account details had been stolen from 16 hacked websites – and were being sold on the dark web.

Why Microsoft Azure AD B2C?

Microsoft Azure AD B2C (“B2C”) is a comprehensive CIAM solution, but its security features are particularly compelling – offering highly advanced threat protection based on machine learning from Microsoft’s security graph.

The authentication journey, hosted in the Microsoft cloud, will react to the level of threat posed by the user’s credentials – if the credentials have been compromised, the perceived threat level is elevated and appropriate actions (e.g. locking the user out) can be taken by the B2C framework.

In addition:

B2C is highly available and scalable, built as it is on Microsoft’s world-beating Azure infrastructure. This puts it head and shoulders above other solutions in terms of reliability and capacity.

B2C is built on open standards including OAuth 2 and OpenID Connect, but also features an ‘Identity Experience Framework’ (IEF), a way to modify sign-up and sign-in journeys to include additional steps (or ‘user flows’) beyond typical out-of-the-box sign-up, sign-in, profile editing and password reset options.

FAQs

AAD and B2C live in separate directories (called ‘tenants’). When you invite B2B guest users into your organisation, they live in your main AAD tenant, whereas B2C users have their own tenant that does not mix with your AAD organisation. In addition, B2B has an invite model and B2C a registration model. Finally, the B2B login journey is not highly customisable, whereas the B2C authentication-related journeys are highly customisable (see below).
Using Microsoft’s Identity Experience Framework (IEF), you can make calls to attribute validators and attribute providers as part of the user journey. An attribute validator can check that user-provided attributes are correct, while an attribute provider can insert additional attributes into the journey. But as custom components, they can also execute other actions to fulfil your requirements. Essentially, you can model the journeys to your exact process.
Yes, Microsoft Azure AD can be treated as another identity provider with B2C as a relying party.
Microsoft provides a wealth of libraries and sample code for web applications, including c#.Net, NodeJS, and JavaScript for single page apps (SPAs). Microsoft has also published additional samples on GitHub including Python/Flask and PHP code.
Microsoft also provides sample code for mobile devices including iOS and Android.
B2C supports many identity providers out of the box, including Microsoft Accounts, Google, Facebook, LinkedIn, Amazon, Weibo, QQ, WeChat, Twitter, and GitHub. In addition, you can add a custom provider if it conforms to the OpenID Connect standard.