OpenIAM for Consumer Identity

Companies are increasingly delivering new services to consumers online. These services range from online banking and bill payment to booking a flight with an airline.

Consumer-facing services have different challenges from IAM solutions targeted at internal corporate deployments. These include:

  • Scalability - The solution must scale to support millions of users.
  • Identity assurance - The ability to ensure that users are who they say they are.
  • Strong security - The ability to verify identity during the authentication process and then control access based on the user’s access privileges.
  • Profile management - Users may access the solution from different services and devices. The identity solution needs to build a complete profile of the user.
  • Single sign-on with support for multiple protocols such as SAML, OpenID Connect and OAuth, as well as on-premise solutions that support none of these.
  • Robust self-service functionality - When millions of users are accessing a service, you do not want them calling the helpdesk. The identity solution must provide robust self-service to drastically limit helpdesk calls.
  • API management - In some cases the service may also be offered to business partners, and this integration may happen through an API. Google, Salesforce.com, ServiceNow and Box.net are examples of services that expose APIs and allow their solutions to be used by a greater number of users. In this case, the company needs to ensure that only authorized users can access the API.

OpenIAM provides a comprehensive IAM solution that has been successfully deployed in large-scale consumer-facing environments. OpenIAM’s integrated IAM platform provides businesses with the following benefits:

  • A solution that scales to support millions of users.
  • A unified view of user identities and their attributes, aggregated from multiple sources.
  • A robust access control model in which custom roles and their access privileges can be defined.
  • A comprehensive identity provisioning solution that manages the user life cycle for applications that may be on-premise or in the cloud.
  • Self-registration with workflow-based identity assurance.
  • An SSO solution that supports multiple protocols and provides a reverse proxy, allowing users to SSO to both on-premise and cloud systems.
  • Advanced authentication options such as embedded OTP.
  • A rich self-service interface to minimize help desk calls.

Use Case: Consumer Portal for a Major Insurance Company in the US

A major insurance company in the US wanted to provide its customers with an online portal where they could view their insurance policies, make payments, etc. The portal needed to be accessible from a browser and from a native mobile application.

The overall solution had the following high level requirements:

  • Support multiple user populations: external customers, and internal employees who have purchased policies. Each type of user accesses the system differently: external customers authenticate against the portal’s own authentication system, whereas employees federate into the portal from the corporate IdP.
  • Scalability to support a large user population.
  • Self-registration with identity validation against an internal service.
  • SSO to the business applications used by end users.
  • An authentication and authorization repository for the mobile application.
  • Self-service forgot-password functionality.
  • A helpdesk role allowing help desk staff to handle users’ support questions.
  • Impersonation functionality for helpdesk staff.
  • Audit, with the ability to export audit events to a central system.
  • Reporting.

Solution Overview

OpenIAM was selected as the Identity and Access Management platform for this solution.

The solution required integration with a set of business applications that customers would use to manage their policies. These applications did not support a federation protocol such as SAML or OpenID Connect. To enable SSO to them, the OpenIAM reverse proxy was used. The reverse proxy also provided role-based access control in front of the applications.
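The pattern described above, as an added example rather than OpenIAM’s own code: a reverse proxy that authenticates the user once, enforces a role-based policy on each request, and passes the identity to a backend that speaks no federation protocol through request headers. The policy table, header names and session structure are assumptions for illustration. The security-relevant detail is that the backend must trust those identity headers only from the proxy, so the proxy has to strip any copy of them that the client sends.

```python
"""Added illustration of reverse-proxy SSO with role-based access control.
Not OpenIAM code; policy table, header names and session format are assumed."""
from dataclasses import dataclass, field
import fnmatch

# Headers the backend accepts as the proxy's statement of who the user is.
# A client-supplied "X-Remote-User: admin" must never reach the backend,
# otherwise SSO and RBAC are bypassed entirely, so these are stripped below.
IDENTITY_HEADERS = {"x-remote-user", "x-remote-roles"}

# Hypothetical policy: (HTTP method, path glob, roles allowed). Default deny.
POLICY = [
    ("GET",  "/policies/*", {"customer", "helpdesk"}),
    ("POST", "/payments",   {"customer"}),
    ("GET",  "/helpdesk/*", {"helpdesk"}),
    ("POST", "/helpdesk/*", {"helpdesk"}),
]


@dataclass
class Session:
    """State the proxy holds after the user has authenticated to the portal."""
    user_id: str
    roles: set = field(default_factory=set)
    authenticated: bool = False


def authorize(session, method, path):
    """True only when the session is authenticated and holds a role the
    policy grants for this method and path. Anything unmatched is denied.
    (A real proxy normalizes the path before matching, e.g. resolves '..'.)"""
    if session is None or not session.authenticated:
        return False
    for pmethod, pattern, roles in POLICY:
        if pmethod == method and fnmatch.fnmatchcase(path, pattern):
            return bool(session.roles & roles)
    return False


def upstream_headers(client_headers, session):
    """Headers forwarded to the backend: drop any identity headers the client
    sent (case-insensitively), then set them from the proxy's own session."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in IDENTITY_HEADERS}
    forwarded["X-Remote-User"] = session.user_id
    forwarded["X-Remote-Roles"] = ",".join(sorted(session.roles))
    return forwarded


def proxy_request(session, method, path, client_headers):
    """Single decision point per request.
    Returns (status, headers to forward upstream or None):
      302 -> not authenticated, redirect to the portal login page
      403 -> authenticated but the role policy denies this request
      200 -> forward to the backend with the proxy-set identity headers"""
    if session is None or not session.authenticated:
        return 302, None
    if not authorize(session, method, path):
        return 403, None
    return 200, upstream_headers(client_headers, session)


if __name__ == "__main__":
    customer = Session("c123", {"customer"}, authenticated=True)
    # Constructed request in which the client tries to forge the identity header.
    print(proxy_request(customer, "GET", "/policies/42",
                        {"x-remote-user": "admin", "Accept": "text/html"}))
```

The same three outcomes (login redirect, policy denial, forwarded request with proxy-owned identity) are what a practitioner should look for when reviewing any header-based SSO deployment; the backend side of the contract is to reject identity headers on any connection that does not originate from the proxy.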

To gain access to the solution, external users registered through the self-registration page. The out-of-the-box self-registration functionality was combined with the integrated workflow engine to validate the user’s information against an internal service, confirming identity, policy numbers, etc. Only after this automated validation succeeded were user accounts provisioned into the system.

[Figure: consumer-ins-usecase]

Internal employees can use the self-registration page or, if they federate into the portal, the just-in-time provisioning feature with SAML. In that case the SAML assertion issued by the corporate IdP carries the attributes needed by the validation process.

Mobile applications integrate with the solution through OpenIAM’s REST API for authentication, authorization and user management.

To manage both the end-user experience and help desk volume, OpenIAM’s out-of-the-box self-service features gave end users tools to manage their passwords and to handle cases such as locked accounts and forgotten passwords.

For helpdesk users, a role was defined in OpenIAM that gives helpdesk staff access to manage user profiles. It also enables impersonation, which lets helpdesk staff see what end users are experiencing and further shortens the time needed to resolve support issues. Because impersonation lets one principal act as another, it is a capability to confine to that role and to record in the audit trail.

OpenIAM’s out-of-the-box reporting met the company’s audit and compliance needs. Selected audit events were exported in near real time to the central audit repository.

The OpenIAM solution is now in production and supports a rapidly growing number of customers. It meets the business requirements and gives the business a platform that will evolve with its changing needs in a heavily regulated industry.