Introduction to IAM

Identity and Access Management (IAM) systems ensure user identification and access to functionality and data in applications. IAM is a term that has long been used for an individual organization’s need to ensure that the right people have access to the right parts of the internal digital environment. Nowadays, an organization’s digital services extend to customers, suppliers and partners, which results in completely new requirements on IAM such as, to be able to connect and use these organizations’ own ability to identify and ensure access to the digital environment. This is often called Customer Identity and Access Management or shorter CIAM.

Basic Concepts

At the very core of CIAM is of course Identity, which is someone or somewhat that wants to get access to your digital resources, such as web applications, APIs and so on. Often the identity is a user account that represents an end-user such as a customer, an employee, a member and whoever you want to allow access, but the identity could also represent non-humans such as software (another system, robotics, Internet of Things devices).

Authentication is verifying who a user is (determine the identity) and Authorization is verifying what resources they are allowed to access. In CIAM it is also important to determine what organization (tenant) the user belongs too.

Authway by IRM enables many capabilities that your scenario most likely will need some of:

  • Smooth sign-in experience: A professional sign-in that works on all devices, with your brand’s look and feel.
  • Easy sign-up: The best sign-up is the one you don’t need to do at all and we support full provisioning of users from their enterprise identity providers, but for private individuals the sign-up is just as easy as the sign-in.
  • Multi-factor authentication (MFA): With many users’ credentials stolen it is more important than ever to require additional proof of identity.
  • Re-authentication: Require the user to authenticate once more before allowing them to perform sensitive operations.
  • Step-up authentication: Require a user to use a stronger proof of identity, such as a legal identity provider, for certain operations.
  • Role-based access control (RBAC): Create groups of users to ease the management of access privileges.
  • Attribute-based access control (ABAC): When supporting many different organizations need for control of access privileges it will fast become impractical to create a RBAC model that fits all. Instead it is better to verify access to functionalities and additional attributes like the organization (tenant) that the user belongs too.
  • Impersonate: Provide better customer support experience with the possibility to run your services as if you were the user.

Authentication and Authorization

Authentication is the process of verifying the user, but the challenge when doing this for customers, suppliers, partners and other organizations is that each organization has their existing infrastructure of doing that already. Instead of forcing the user’s of these organizations to create new identities it is more secure and convenient for them to re-use the identity they already have.

Identitytypes.png Identitytypes.png

Authway by IRM supports many Identity Providers

  • Local username and password
  • Social identity providers, such as Google, Twitter, Microsoft and many more
  • One-time passwords (OTP)
  • Legal identity providers, such as Swedish BankId, Freja or other
  • Enterprise providers, such as Microsoft Active Directory (on-prem or Azure)

The Identity providers can be enabled or disabled per tenant and it is even possible to add custom OIDC or SAML identity providers for a tenant.

Authorization is the process of determine what resources the identified user is allowed to access and there are many aspects of this. Some of this aspects is handled fully or partial handled by Authway, but there is always a responsibility on your applications to apply the logic and make the final call about what a user can access and not. Authway helps you with authorization by:

  • Control which organization (tenant) is allowed to use which modules. This allows you to split your systems into parts that different organizations should be allowed to use without you needing to do anything.
  • Configure build-in groups that will be created for each organization allowing you to use role-based access control (RBAC).
  • Configure functionalities that your system needs to verify access too and allowing the organizations to configure access to the functionalities in a way that fits their own organization without you needing to figure out a one-size fits all access control model.
  • It is even possible to limit access to a functionality to specific organizations (tenants), for example if you have created a custom report for a specific customer.
  • Makes it easy to filter information based on which organization (tenant) a user belongs too.
  • Determine how the user have signed in and require them to use a stronger identification for sensitive operations.
  • Require a user to re-authenticate before performing a sensitive operation.