To Single Sign-On in 30 minutes
With the growing number of digital services, in the enterprise as much as in the customer environment, Single Sign-On has become increasingly critical. On the one hand it is an essential element of user comfort and a smooth journey; on the other hand it improves security, because users have fewer passwords to manage and authentication policy (password strength, multi-factor authentication, session lifetime) is enforced in one place rather than in every application. Identity and access management plays the central role in realizing Single Sign-On.
Where does cloud identity and access management help?
A cloud identity and access management system supports the management of the various stakeholders: employees, customers and partners. This is not only about individuals. Customers and partners are often organisations, which in turn can be structured in hierarchies, and an Identity and Access Management system must be capable of representing all of this.
Internal/Enterprise IAM: Managing employees is becoming increasingly complex because of the many digital channels. Companies have therefore long used a so-called IAM or IDM. In particular, the mapping of authorizations is essential for implementing access restrictions and segregation of duties, and thus the authorization concept. Both onboarding and the subsequent needs-based allocation of rights must be implemented efficiently, transparently and quickly. Requirements and processes vary greatly by industry, organization and department, so an IAM must be able to cover a company's individual needs to enable a clear, secure and efficient implementation of the authorization concept.
Customer IAM: Digital services are springing up everywhere, particularly in the end-customer environment. In every industry, in B2B as well as B2C, they are becoming an essential component and a decision criterion: a way to get to know customers better, to work together more easily, to inspire customers and partners and thus to retain them in the long term.
Customer-facing systems can usually be separated cleanly from internal systems. The customer channels are the communication channels provided to customers in order to offer them new services. Then there are the systems used mainly inside the company, such as the CRM, the ERP system, time recording, etc., to which only employees have access. Employees often need access to the customer channels as well, and partners are the extreme case: depending on the task, a partner works both on the customer channels and on the internal systems. Group management is therefore necessary.
With an Identity and Access Management system such as cidaas, you create one identity per user that spans all channels and all applications in the company (CRM, ERP, office systems, etc.), and with it you introduce Single Sign-On.
In the customer area, registration and authentication of the customer are likewise carried out via Identity and Access Management. This lets you recognize your customers across the various digital services (cloud services, web services, shop systems, etc.), know where they move and which channels they use, and offer them not only convenience but also individual customer experiences.
How a Single Sign-On works:
The de facto standards in the identity environment are OpenID Connect and OAuth 2.0, the newer standards: OAuth 2.0 handles delegated authorization, and OpenID Connect is the identity layer built on top of it that tells an application who the user is. SAML, especially SAML 2.0, is the older standard, which many systems nevertheless still use, particularly in the internal environment. These standards are what you use to integrate an identity management system and implement Single Sign-On.
- The user calls domain 1. This could be a shop system, for example.
- Domain 1 determines that a login is required and redirects the browser to cidaas.
- In the third step the user logs in at cidaas.
- cidaas stores the session in a cookie for its own domain in the browser. Further information is stored alongside it to detect bot attacks and fraud attempts.
- cidaas then redirects the browser back to the shop system.
- The shop system works with the token sent along with that request. With it the user is authenticated and use of the shop system can begin. Before trusting the token, the shop system must validate it: signature, issuer, audience (its own client ID) and expiry.
- The shop system can then store its own session information in a domain 1 cookie.
- The user switches to the website in domain 2.
- A login is required here too, so the browser is again redirected to cidaas. Because the browser already holds the cidaas session cookie, the user is not asked for credentials a second time; this silent step is what makes it Single Sign-On.
- cidaas redirects the browser back to the website with a newly issued token.
- The web page can now validate the token and authenticate the user. Information such as first name, surname, etc. is available as claims in this token.
- Further information can be stored in the domain 2 cookie.
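The twelve steps above, as an added, self-contained example that is not code from this page or from cidaas: an in-process simulation of the OpenID Connect authorization-code flow with one identity provider and two relying parties. The issuer https://idp.example, the relying parties shop.example and docs.example, the user alice and all secrets are assumptions made for the example; the ID token is a JWT signed with HS256 using the client secret, which OpenID Connect Core permits, and everything runs on the Python standard library.

```python
# Constructed example, not cidaas's API: idp.example, shop.example, docs.example, alice and all secrets are assumptions.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

_b64url = lambda data: base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_hs256_sign(claims, key):
    # Compact JWS signed with HS256; OIDC Core 10.1 permits the client secret as the key.
    header, body = (_b64url(json.dumps(x).encode()) for x in ({"alg": "HS256", "typ": "JWT"}, claims))
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def jwt_hs256_verify(token, key):
    header, body, sig = token.split(".")
    expected = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise PermissionError("id_token signature invalid")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

class OpenIDProvider:
    def __init__(self, issuer, clients, users):
        self.issuer, self.clients, self.users = issuer, clients, users
        self.domain = urlparse(issuer).netloc
        self.sessions, self.codes = {}, {}  # sid cookie -> username; single-use code -> grant
    def login(self, cookies, username, password):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("invalid credentials")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        cookies.setdefault(self.domain, {})["sid"] = sid  # IdP session cookie, IdP domain only
    def authorize(self, cookies, p):
        # Returns ("login_required", None) or ("redirect", callback URL carrying code and state).
        if p["redirect_uri"] != self.clients[p["client_id"]]["redirect_uri"]:
            raise ValueError("redirect_uri not registered for this client")
        sub = self.sessions.get(cookies.get(self.domain, {}).get("sid"))
        if sub is None:
            return "login_required", None
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": p["client_id"], "redirect_uri": p["redirect_uri"],
                            "nonce": p["nonce"], "sub": sub}
        return "redirect", p["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})
    def token(self, client_id, client_secret, code, redirect_uri):
        if not hmac.compare_digest(self.clients[client_id]["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: an authorization code is redeemable exactly once
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        user, now = self.users[grant["sub"]], int(time.time())
        claims = {"iss": self.issuer, "sub": grant["sub"], "aud": client_id, "iat": now, "exp": now + 300,
                  "nonce": grant["nonce"], "given_name": user["given_name"], "family_name": user["family_name"]}
        return {"id_token": jwt_hs256_sign(claims, client_secret)}

class RelyingParty:
    def __init__(self, domain, client_id, client_secret, op):
        self.domain, self.client_id, self.secret, self.op = domain, client_id, client_secret, op
        self.redirect_uri = f"https://{domain}/callback"
    def start_login(self, cookies):
        # Bind state (CSRF) and nonce (token replay) to this browser before redirecting to the IdP.
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        cookies.setdefault(self.domain, {}).update({"oidc_state": state, "oidc_nonce": nonce})
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "response_type": "code",
                "scope": "openid profile", "state": state, "nonce": nonce}
    def callback(self, cookies, url):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        jar = cookies[self.domain]
        if not hmac.compare_digest(q.get("state", ""), jar.pop("oidc_state", "")):
            raise PermissionError("state mismatch")
        tokens = self.op.token(self.client_id, self.secret, q["code"], self.redirect_uri)
        claims = jwt_hs256_verify(tokens["id_token"], self.secret)
        if claims["iss"] != self.op.issuer or claims["aud"] != self.client_id:
            raise PermissionError("id_token not issued by our IdP for this client")
        if claims["exp"] < time.time() or claims["nonce"] != jar.pop("oidc_nonce", None):
            raise PermissionError("id_token expired or replayed")
        jar["session"] = claims["sub"]  # application session lives in the RP's own domain cookie
        return claims

def sso_walkthrough():
    # Domain 1 (shop) needs one credential prompt; domain 2 (docs) is signed in silently.
    users = {"alice": {"password": "correct horse", "given_name": "Alice", "family_name": "Example"}}
    clients = {"shop": {"secret": secrets.token_urlsafe(32), "redirect_uri": "https://shop.example/callback"},
               "docs": {"secret": secrets.token_urlsafe(32), "redirect_uri": "https://docs.example/callback"}}
    op = OpenIDProvider("https://idp.example", clients, users)
    shop = RelyingParty("shop.example", "shop", clients["shop"]["secret"], op)
    docs = RelyingParty("docs.example", "docs", clients["docs"]["secret"], op)
    cookies, prompts = {}, 0  # one cookie jar per domain, the way a browser keeps them
    status, url = op.authorize(cookies, req := shop.start_login(cookies))
    if status == "login_required":
        prompts += 1
        op.login(cookies, "alice", "correct horse")
        status, url = op.authorize(cookies, req)
    shop_claims = shop.callback(cookies, url)
    status, url = op.authorize(cookies, docs.start_login(cookies))
    prompts += status == "login_required"
    docs_claims = docs.callback(cookies, url)
    try:  # the docs code was redeemed in callback(); a second exchange must fail
        op.token("docs", clients["docs"]["secret"], parse_qs(urlparse(url).query)["code"][0], docs.redirect_uri)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"prompts": prompts, "shop": shop_claims, "docs": docs_claims,
            "cookies": cookies, "replay_rejected": replay_rejected}
```

Running `sso_walkthrough()` produces exactly one credential prompt for two applications: the second relying party gets its own ID token, with its own `aud` and nonce, without the user typing a password again, because the `sid` cookie exists only for idp.example and neither relying party ever sees it. The checks in `callback` (state, signature, issuer, audience, expiry, nonce) and the single-use code in `token` are the parts a real integration must not skip; with a production provider the ID token would normally be RS256-signed and verified against the provider's published JWKS rather than with the client secret.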