
CIAM Overview

TL;DR

We care a lot about software security; in implementing CIAM we followed industry standards and TECI policies.

CIAM (Customer Identity and Access Management) is a subset of the larger concept of Identity and Access Management (IAM), focused specifically on managing the identity of external users and their secure access to software applications. CIAM covers the registration and login processes that let a customer sign in and use those of the Organization’s applications that need to authenticate non-corporate users. It also enables architects and developers to reduce identity provisioning time and to secure online interactions. CIAM reduces the administrative burden of identity management and entitlement management by providing fine-grained, policy-based access control and Single Sign-On (SSO) bridging. It offers easy account and configuration management, multi-factor authentication, passwordless SMS authentication and user management. The CIAM stack is based on the WSO2 Identity Server platform.

CIAM Features

TL;DR

At its most basic, CIAM is an authentication platform capable of guaranteeing secure access to both external users and corporate users. CIAM is ideal for B2C scenarios.

CIAM components

With the CIAM we can:

  • Generate OpenID Credential: OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It allows software solutions to verify the identity of the user based on the authentication performed by an Authorization Server, and to obtain basic profile information about the user. To take part in this mechanism and obtain OpenID Credentials, an application needs to request a “client key” and a “client secret”, which enable the application to be recognized as a valid service provider;
  • User Registration: There are three methods to enroll users:

    • Self-Sign Up, where a user completes the registration on his own;
    • SCIM API, where an administration account adds a user by calling a standard API;
    • CSV File for bulk registration, where the users are listed in a file that is sent to a CIAM manager.

  • User Login: CIAM provides Single Sign-On (SSO), which lets customers log in just once and then transparently authenticate to all the digital services and applications they have been granted rights to, eliminating the need for multiple logins or credentials. The login flow is managed by the CIAM engine itself. When necessary, CIAM can delegate part of the login process to WFP’s Active Directory, to allow enterprise accounts to log in;
  • Obtain Profile Information: CIAM implements different methods to retrieve user profile claims depending on the Grant Type: Authorization Code flow, Implicit flow, Authorization Code flow with Proof Key for Code Exchange (PKCE), and user information retrieved with a token.
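The following is an added example, not code from the CIAM project or from WSO2, showing the client side of the Authorization Code flow with PKCE described above: the application generates a code_verifier, derives the S256 code_challenge, sends the challenge with the authorization request, and later proves possession of the verifier when exchanging the code. A small in-memory stand-in for the CIAM /oauth2/authorize and /oauth2/token endpoints (a constructed toy, not the real server) shows the checks the server performs: single-use codes, binding of the code to the client and redirect URI, and rejection of a verifier that does not hash to the stored challenge. The host name, client key and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: replace with the real CIAM endpoints and the client key issued to the app.
AUTHORIZE_ENDPOINT = "https://ciam.example.invalid/oauth2/authorize"
CLIENT_KEY = "client-key-example"
REDIRECT_URI = "https://app.example.invalid/callback"


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars; 32 random bytes base64url-encoded give 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(endpoint: str, client_id: str, redirect_uri: str,
                            challenge: str, state: str, nonce: str) -> str:
    """Authorization request for the OIDC Authorization Code flow with PKCE."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,                      # CSRF protection for the callback
        "nonce": nonce,                      # bound into the ID token to prevent replay
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{endpoint}?{urlencode(params)}"


class ToyAuthorizationServer:
    """Constructed offline stand-in for the authorize and token endpoints (not WSO2 code)."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, url: str) -> tuple[str, str]:
        """Simulates the user authenticating; returns (code, state) as the redirect would carry them."""
        q = parse_qs(urlparse(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only the S256 challenge method is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["code_challenge"][0], q["redirect_uri"][0], q["client_id"][0])
        return code, q["state"][0]

    def token(self, code: str, verifier: str, redirect_uri: str, client_id: str) -> dict:
        entry = self._codes.pop(code, None)  # single use: consumed whether or not the exchange succeeds
        if entry is None:
            raise PermissionError("unknown or already-used authorization code")
        challenge, bound_uri, bound_client = entry
        if bound_uri != redirect_uri or bound_client != client_id:
            raise PermissionError("code is bound to a different client or redirect URI")
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            raise PermissionError("code_verifier does not match the stored code_challenge")
        return {"access_token": secrets.token_urlsafe(24), "id_token": "<constructed>", "token_type": "Bearer"}


def run_pkce_flow(server: ToyAuthorizationServer, client_id: str = CLIENT_KEY,
                  redirect_uri: str = REDIRECT_URI, endpoint: str = AUTHORIZE_ENDPOINT) -> dict:
    """End-to-end client flow: only the party that created the verifier can redeem the code."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorization_url(endpoint, client_id, redirect_uri, challenge, state, nonce)
    code, returned_state = server.authorize(url)
    if not secrets.compare_digest(returned_state, state):
        raise PermissionError("state mismatch on callback")
    return server.token(code, verifier, redirect_uri, client_id)


if __name__ == "__main__":
    print(run_pkce_flow(ToyAuthorizationServer()))
```

The server never sees the verifier until the token request, so an authorization code intercepted from the redirect is useless without it; that is the property PKCE adds to the plain Authorization Code flow and the reason it is the recommended choice over the Implicit flow for public clients.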

CIAM Components

CIAM is a complete authentication suite consisting of different components:

  • Inbound Authenticator: It is responsible for identifying an incoming request from a Service Provider, processing it and building the corresponding response. CIAM supports different inbound authenticators (SAML, OAuth and OpenID Connect);
  • ‘IN’ channel: It is the component responsible for checking the correct mapping between the claims attached to the authentication request and the inbound authenticator configuration;
  • Local Authenticator: It is the component which manages the authentication process within the Identity Server itself. Local authentication is performed by checking the credentials entered against the values in the User Store connected to the CIAM;
  • Federated Authenticator: It is the component, equivalent to the local authenticator, which manages federated authentication within the CIAM. This component needs to be properly configured with respect to the external federated identity provider. Once the ‘IN’ channel sends the authentication request to the Federated Authenticator, it checks the request by evaluating the specified credentials. WFP’s Identity Server takes care of verifying the identity of the user who is trying to access the resource. Once this check is done, the Federated Authenticator builds an authentication response and sends it to the ‘OUT’ channel of the authentication framework, where the response is built and sent to the Service Provider;
  • ‘OUT’ channel: It is the component responsible for composing the response and sending it to the Service Provider. The ‘OUT’ channel is also responsible for JIT (just-in-time) provisioning, when eligible, in case the identity supplied with the authentication request is not present in the User Store;
  • User Store: It is a local database where user information is stored, including username, password, first name, last name and email address. A user store can also contain information about user roles;
  • Realm Configuration: It is the container of all the configuration settings required to initialize the CIAM Framework. This includes setting up the User Store Manager, the Authorization Manager and the System Administrator. These configurations are explained below in more detail:

    • User Store Manager: It is responsible for managing the user store and is based on the UserStoreManager interface, which can interact with different user store implementations. The User Store Manager can operate in both read/write mode and read-only mode. CIAM provides the following default User Store Manager implementations: JDBCUserStoreManager, LDAPUserStoreManager and ApacheDSUserStoreManager;
    • Authorization Manager: this is a role-based access control (RBAC) component whose purpose is to protect resources; as a component of the framework, it integrates with various other CIAM components. The default implementation of the Authorization Manager is JDBCAuthorizationManager, which uses a permission model specific to WSO2 Carbon (the platform on which CIAM is built) and the authorization data stored in tables in the user store;
    • System Administrator: It is the user who typically acts as the super tenant user and, by default, has permission to perform all administration tasks in the CIAM environment.
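To make the role-based model of the Authorization Manager concrete, here is an added example (not WSO2 Carbon’s JDBCAuthorizationManager, whose permission tree and tables are not described on this page) of a minimal in-memory RBAC check: users are assigned roles, roles are granted (resource path, action) permissions, and a request is authorized only if some role of the user holds a permission whose path covers the requested path for that action. Path names such as /permission/admin and the action name ui.execute are constructed illustrations. Everything is deny-by-default, and the path comparison is segment-aware so that a grant on /permission/admin does not accidentally cover /permission/administrator.

```python
class AuthorizationManager:
    """Constructed RBAC component: roles hold (path, action) grants; users hold roles."""

    def __init__(self) -> None:
        self._role_permissions: dict[str, set[tuple[str, str]]] = {}
        self._user_roles: dict[str, set[str]] = {}

    @staticmethod
    def _norm(path: str) -> str:
        """Permission paths are absolute, slash-separated; trailing slashes are ignored."""
        if not path.startswith("/"):
            raise ValueError(f"permission path must be absolute: {path!r}")
        return path.rstrip("/") or "/"

    @staticmethod
    def _covers(granted: str, requested: str) -> bool:
        """A grant on a node covers that node and every descendant, compared per path segment."""
        if granted == "/":
            return True
        return requested == granted or requested.startswith(granted + "/")

    def grant(self, role: str, resource: str, action: str) -> None:
        self._role_permissions.setdefault(role, set()).add((self._norm(resource), action))

    def assign_role(self, user: str, role: str) -> None:
        self._user_roles.setdefault(user, set()).add(role)

    def roles_of(self, user: str) -> set[str]:
        return set(self._user_roles.get(user, ()))

    def is_user_authorized(self, user: str, resource: str, action: str) -> bool:
        """Deny by default; unknown users, unknown roles and unmatched actions all yield False."""
        resource = self._norm(resource)
        for role in self._user_roles.get(user, ()):
            for granted_path, granted_action in self._role_permissions.get(role, ()):
                if granted_action == action and self._covers(granted_path, resource):
                    return True
        return False


def build_sample_manager() -> AuthorizationManager:
    """Constructed sample data: an admin role over the whole admin subtree, a customer role limited to login."""
    am = AuthorizationManager()
    am.grant("admin", "/permission/admin", "ui.execute")
    am.grant("customer", "/permission/admin/login", "ui.execute")
    am.assign_role("alice", "admin")
    am.assign_role("bob", "customer")
    return am


if __name__ == "__main__":
    am = build_sample_manager()
    for user, path in [("alice", "/permission/admin/manage/identity"),
                       ("bob", "/permission/admin/login"),
                       ("bob", "/permission/admin/manage")]:
        print(user, path, am.is_user_authorized(user, path, "ui.execute"))
```

The segment-aware comparison in `_covers` is the detail most often got wrong in home-grown authorization code: a plain string prefix test would let a grant on /permission/admin satisfy a request for /permission/administrator.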

Changelog

  • 30 Sep 2020 - First version
