CIAM User provisioning models
User account provisioning is the creation, management and maintenance of end users' objects and attributes in relation to accessing resources available in one or more systems. Essentially, user account provisioning refers to the management of user rights and privileges. It is one of many procedures involved in identity management, and it defines the different ways to manage an individual's digital identity, authentication and authorization rights. The identity provisioning framework is the main component that handles user provisioning in CIAM, and it can be separated into three main components:
- Inbound provisioning: used by external applications to provision users into CIAM;
- Platform provisioning: a set of patterns and procedures for feeding the CIAM user store;
- User store management: used to persist users within the system.
Inbound provisioning
The most commonly used method to register users into CIAM is through the APIs. CIAM supports a REST API for inbound provisioning. The APIs have been encapsulated into the WFP Gateway. This approach allows fine-grained control over authorization for the service providers, since the APIs are split per service, and it also makes it possible to audit and control every API call made. A further improvement is that authentication and authorization happen in two steps, one performed by the WFP Gateway and the other by CIAM.
Platform provisioning
Other patterns for provisioning users are called platform provisioning; these are built in or can be used by an administrator. Those patterns are:
- Using the management console: from the management console it is possible to create users in CIAM by sending them an invitation to finalize the registration or, where the user does not have access to their email, to create the user without requiring them to finalize and validate the registration;
- Bulk import from file: CIAM also has the capability to bulk-import users. This is done with an Excel file that is either uploaded through the Management UI or submitted via the Admin Services;
- Just-In-Time (JIT) provisioning: JIT provisioning creates users at the time of federated authentication. When CIAM is used for federated authentication, it redirects the user to an external Identity Provider, such as the WFP Active Directory, for authentication. JIT provisioning is triggered when CIAM receives a positive authentication response from the external Identity Provider; CIAM then provisions the user into its internal user store using the user claims carried in the authentication response.
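The JIT flow described above, as an added illustration that is not CIAM's own code: a handler that only provisions on a positive federated response, requires a subject and email claim, copies only an allow-listed set of claims into the (here in-memory, constructed) user store, and refreshes rather than duplicates an existing user on repeat logins. The response shape, the claim names and the issuer value are assumptions.

```python
"""Illustrative JIT provisioning handler (constructed example, not CIAM code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Claims from the external IdP that may be copied into the user store.
# Group/role claims are deliberately excluded so that the external IdP
# cannot grant CIAM-side privileges through JIT provisioning.
ALLOWED_CLAIMS = {"email", "given_name", "family_name"}
REQUIRED_CLAIMS = {"sub", "email"}


@dataclass
class User:
    issuer: str                 # which external IdP asserted this identity
    external_id: str            # subject identifier issued by that IdP
    attributes: Dict[str, str] = field(default_factory=dict)


class UserStore:
    """Minimal in-memory stand-in for the CIAM user store (assumption)."""
    def __init__(self) -> None:
        self._users: Dict[Tuple[str, str], User] = {}

    def find(self, issuer: str, sub: str) -> Optional[User]:
        return self._users.get((issuer, sub))

    def save(self, user: User) -> None:
        self._users[(user.issuer, user.external_id)] = user

    def count(self) -> int:
        return len(self._users)


class ProvisioningError(Exception):
    pass


def jit_provision(store: UserStore, response: dict) -> Tuple[User, bool]:
    """Create or refresh a user from an already-validated federated response.
    `response` carries 'status', 'issuer' and 'claims' (assumed shape).
    Returns (user, created)."""
    if response.get("status") != "success":
        raise ProvisioningError("JIT provisioning requires a positive response")
    claims = response.get("claims", {})
    missing = REQUIRED_CLAIMS - set(claims)
    if missing:
        raise ProvisioningError(f"missing required claims: {sorted(missing)}")
    issuer, sub = response["issuer"], claims["sub"]
    attributes = {k: v for k, v in claims.items() if k in ALLOWED_CLAIMS}
    user = store.find(issuer, sub)
    created = user is None
    if created:
        user = User(issuer=issuer, external_id=sub, attributes=attributes)
    else:
        user.attributes.update(attributes)  # refresh, never duplicate
    store.save(user)
    return user, created
```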
User store management
In enterprise systems, some key components are centralized for painless management, and user management is one such component that is centralized and carefully monitored. By default, CIAM uses a user store based on a database deployed across multiple availability zones on AWS, which guarantees high availability and strong encryption of the data. Data protection is further strengthened in CIAM by using a secure protocol for storing passwords.