0

With a number of digital platforms such as web and mobile, user profiles are also stored across multiple systems including systems owned by other parties that provide ancillary services. For example, the web channel provides the ability to purchase products and services however shipping is an ancillary service.

In this example, the user would purchase a product and login/register with our site. These details are held in our database.

At the end of the transaction the user is provided the ability to ship using an ancillary service provided by a third party. They login/register with the third party and the third-party stores all their details.

There is a requirement now to provide "single sign on" i.e. the ability to either use the credentials created on our site or the ones created with the ancillary services and vice versa as well as the ability to bring along identities from services such as Google, Facebook, etc.

There doesn't appear to be an easy way to achieve this without having to pass around credentials in a secure manner and the ability to exchange these with the likes of Google, Facebook, etc is unlikely i.e. for the user to login to Google with the credentials created on our site.

Is there a sensible way to approach this problem? What are the pros and cons?

EDIT

The post by APICrazy seems to be palatable although this would require the third-party provider to integrate with an authentication broker and provide us as one of the identity providers.

Would there be a way overcome this i.e. not have the third-party make any changes but still accept credentials from our identity store?

Motivated
  • 153
  • 1
  • 8

1 Answers1

1

The question you have posed is really broad. If I were to summarize, your organization is starting a Identity and Access Management (IAM) project that will focus upon Federation/SSO and User Provisioning. Your customers would perform SSO to your Identity Provider (IdP) server, either direct with credentials stored in your user credential store (AD/LDAP/etc) or via a cloud identity connector (Facebook/LinkedIn/etc). Once authenticated to your portal, cross domain federation with third party websites is done via identity standards such as SAML, OAuth, OpenID Connect. The SCIM standard will also be helpful as you will likely encounter the need for user provisioning across the third party websites.

There are a number of vendor solutions in this space that can solve your use cases above. I would look at vendors that support a broad set of use cases and federation standards. My recommendation we be to consult with an expert with IAM systems, here is a good article that describes IAM Architecture Approach. Another recommendation is to look at some of the highest rated vendors by Gartner, mainly Okta, OneLogin, Ping Identity, Microsoft, and Centrify. You will need to determine if the capability is to be cloud hosted or on-premise. Based on you broad description of requirements, the on-premise (which can be managed on an AWS instance) might be best since the cloud capabilities tend to be limited for high end use cases.

Eric U.
  • 356
  • 1
  • 3
  • Thanks Eric U. You noted an existing identity provider of which there are a few. The immediate challenge are identity providers that which we partner with and hold user credentials. For example User A is registered with us for purchasing and is also registered with the logistics company with a completely different set of credentials. What we would like to be able to do is to allow credentials for either side to be used. – Motivated Feb 14 '16 at 03:03