Outsourcing Authentication With a CIAM Product

I’ve said it before and I’ll say it again – passwords are dangerous. Authentication and authorization subsystems are hard to build and are difficult to protect. If you are building a product, why in the world would you try to build this subsystem yourself? You shouldn’t. There are a number of off-the-shelf IAM solutions on the market, and all of them are better options than rolling your own.

What is IAM? IAM stands for Identity and Access Management. It is an industry term that represents a service that provides identification, authentication, and authorization features. There are two primary types of IAM systems: EIAM, which allows an enterprise to manage identities of its employees and contractors; and CIAM, which allows you to manage identities of your customers.

EIAM vs CIAM

Enterprise Identity and Access Management

Twenty years ago, tracking employee identities was trivial. All servers and workstations were on-premise and were most likely all joined to a Windows domain. Fast forward to the current time and IT resources are spread globally. There is a strong mixture of company-owned devices and employee-owned devices. Further, there is often no logical, central place to manage employee identities.

EIAM aims to solve this problem. Rather than stuffing identities into an on-premise user directory, an EIAM allows an organization to store this information in a cloud provider. Since the cloud becomes the party responsible for authenticating and authorizing a user, this allows an organization to harness identity and access management in all of its disparate, disconnected, and globally spread resources. Additionally, an EIAM often provides services to IT groups to allow them to auto-provision a new user when a new employee is hired.

Customer Identity and Access Management

As a software developer, I have constructed numerous applications from the ground up. Some of these applications have been internally facing systems, but many have been publicly facing ones. Public- and internal-facing systems present different challenges for authentication and authorization. In an internally facing system, I can typically harness an on-premise LDAP directory to authenticate my users.

Publicly facing systems are radically different, though. There is no single LDAP directory you can query. How do you identify a customer? How do they prove their identity? What are the password requirements? How do you store these credentials? How do you allow the user to change their password? The list of questions goes on and on.

There are too many places to make mistakes, which is probably why compromised passwords sit at the top of the list of root causes of data breaches. With the development of SSO technologies like SAML and OpenID Connect, it became possible for a developer to outsource the responsibility of authenticating and authorizing a user.

This is precisely what CIAM aims to accomplish. When a development team outsources the problem of authentication and authorization, it frees them up to focus on business logic. A group of security professionals can focus on building a top-of-the-line CIAM solution, and that solution can offer sign-in options to a plethora of other web applications, not just the ones created by that single development team.

What’s the Difference?

What is the difference between EIAM and CIAM? The difference is quite subtle, at least on the surface. You may think that you could just use an EIAM solution to track your website’s users. And, although you could do this, it isn’t typically in your financial interest.

A company typically has somewhere between a couple of dozen and a couple of thousand employees. However, it is not uncommon for a popular website to have millions of users. An EIAM solution will typically have a much higher cost per user, ranging from $2 to $8 per user. A CIAM solution will typically offer you a bundle of users for a small fraction of that price, and it isn’t uncommon for a CIAM to provide the first 1,000 users for free.

The Most Popular CIAM Providers

CIAM is a growing industry. As such, there aren’t many alternatives on the market. A simple Google search will be quite misleading. For example, g2crowd.com documents dozens of CIAM providers. However, many of these are actually EIAMs. There are a few cases in which they are hybrids (both EIAM and CIAM). And there are a few providers that claim to be CIAMs, but offer no proof on their websites.

The list below contains the most popular CIAM products I could find, in alphabetical order:

  1. Akamai Identity Cloud
  2. Auth0 Customer Identity Management
  3. AWS Cognito
  4. Microsoft Azure Active Directory B2C
  5. Okta Customer Identity
  6. Ping Identity PingOne for Customers

Breakdown of Features by Product

Here are some of the features that I look for in a CIAM provider:

  • SSO Protocol: does it support OAuth 2.0? And, if so, does it support OpenID Connect (OIDC)? Depending upon your needs, you may require SAML as well.
  • MFA: does the provider support multi-factor authentication?
  • Social Identity Providers: can a user log in to your system using a Google or Facebook account?
  • Custom Attributes: do they allow you to track custom attributes about the users that are logging into your system?
  • Login Page Customization: are you able to customize the login page? Can you rebrand it to make it look like your company?
  • User Management: what means do they grant you to manage your users? Do they offer you API access to perform these functions? Can you import users from an alternate system? Can users self-service (e.g., change their own password, request a password reset, etc.)?
  • Triggers, Hooks: are there triggers and/or hooks during the authentication and authorization process so that you can perform certain activities automatically?
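Several of the checklist items above (OAuth 2.0 with OIDC, custom attributes, and the shape of the login flow) can be checked mechanically from a provider's OIDC discovery document, the JSON served at `/.well-known/openid-configuration`. The script below is an added example, not code from the original post or from any of the vendors listed; the two discovery documents it audits are constructed stand-ins with placeholder hostnames, not real provider metadata, and the "acceptable" bar it applies is an assumption chosen for this illustration (complete required metadata, authorization-code flow with PKCE S256, and a UserInfo endpoint).

```python
"""Audit an OpenID Connect discovery document against a CIAM feature checklist.

Added example; the discovery documents below are constructed, not real.
"""
import json

# Constructed discovery document for a hypothetical full-featured provider.
FULL_PROVIDER = json.dumps({
    "issuer": "https://idp.example.test/",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
    "end_session_endpoint": "https://idp.example.test/oauth2/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "email", "name", "custom:tier"],
    "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed discovery document for a hypothetical partial provider:
# implicit flow only, no PKCE advertised, and no UserInfo endpoint.
PARTIAL_PROVIDER = json.dumps({
    "issuer": "https://partial.example.test/",
    "authorization_endpoint": "https://partial.example.test/authorize",
    "token_endpoint": "https://partial.example.test/token",
    "jwks_uri": "https://partial.example.test/keys",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "scopes_supported": ["openid"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Metadata keys OIDC Discovery 1.0 marks REQUIRED (token_endpoint is required
# unless the provider offers only the implicit flow).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

# Standard claims we do not count as "custom attributes".
STANDARD_CLAIMS = {"sub", "iss", "aud", "exp", "iat", "email", "name"}


def audit_discovery(raw_json: str) -> dict:
    """Return checklist findings for one discovery document."""
    doc = json.loads(raw_json)
    response_types = set(doc.get("response_types_supported", []))
    return {
        "issuer": doc.get("issuer"),
        "missing_required": [k for k in REQUIRED if k not in doc],
        # "code" means the authorization-code flow is available; an
        # id_token-only provider forces the implicit flow on you.
        "supports_code_flow": "code" in response_types,
        "supports_pkce_s256": "S256" in doc.get("code_challenge_methods_supported", []),
        # Without a UserInfo endpoint every claim has to ride inside the ID token.
        "has_userinfo_endpoint": "userinfo_endpoint" in doc,
        "has_logout_endpoint": "end_session_endpoint" in doc,
        # Custom attributes show up as non-standard entries in claims_supported.
        "custom_claims": [c for c in doc.get("claims_supported", [])
                          if c not in STANDARD_CLAIMS],
        "signing_algs": doc.get("id_token_signing_alg_values_supported", []),
    }


def is_acceptable(findings: dict) -> bool:
    """Minimum bar used in this example (an assumption, not a standard)."""
    return (not findings["missing_required"]
            and findings["supports_code_flow"]
            and findings["supports_pkce_s256"]
            and findings["has_userinfo_endpoint"])


if __name__ == "__main__":
    for name, raw in (("full", FULL_PROVIDER), ("partial", PARTIAL_PROVIDER)):
        findings = audit_discovery(raw)
        print(name, "acceptable" if is_acceptable(findings) else "not acceptable", findings)
```

Against a real provider you would replace the embedded JSON with the body fetched from its `/.well-known/openid-configuration` URL; the audit itself does not change.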

And here is how these CIAM providers stack up against each other:


The leaders here are Auth0, AWS Cognito, and Okta.

Ping Identity – Insufficient Documentation or Missing Features

I could find no definitive documentation for PingOne, and thus I am left with a few questions regarding their feature set. It seems like they have been an EIAM for a while. Perhaps they have just recently introduced their CIAM solution and haven’t worked out all of the details yet.

Microsoft – Missing the Mark with a Partial OAuth 2.0 Implementation

Microsoft has only partially implemented OAuth 2.0. Why is this an issue? For starters, partial implementations always pose compatibility issues. If you decide that B2C isn’t for you, there is a high probability that you will have to rewrite a portion of your application.

The most obvious problem, to me, is the trimmed-down list of OIDC endpoints. There appears to be no UserInfo endpoint from which to request the claims associated with a user’s token. Instead, Microsoft appears to have opted to include all of the claims in the token itself, which makes the token longer. A longer token on every request means that your application will require more bandwidth. This really isn’t an issue unless you have a high-traffic app, or unless you have requested a large number of claims. With many claims, though, the token can grow so large that attempting to pass it as part of a query string could break your app on certain browsers.
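To make the token-size point concrete, the script below mints an ID token with a growing number of custom claims and checks whether the resulting redirect URL still fits a URL budget, then contrasts that with a slim token whose claims are fetched from a UserInfo endpoint. This is an added example, not code from the original post or from Microsoft; the HS256 signing key, the claim values, the 2048-character budget (standing in for the browser-specific URL limits the text mentions) and the `USER_STORE` profile store are all constructed for illustration, and a real provider would sign ID tokens with an asymmetric key rather than HMAC.

```python
"""Token size when claims ride in the ID token vs. a UserInfo endpoint.

Added example; key, claims and URL budget are constructed, not real.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

SIGNING_KEY = b"constructed-demo-key-not-for-real-use"  # constructed secret
URL_BUDGET = 2048  # constructed, conservative budget for a whole redirect URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a compact HS256-signed JWT carrying `claims` (stdlib only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def base_claims() -> dict:
    """The handful of claims every ID token carries regardless of provider."""
    return {"iss": "https://idp.example.test/", "sub": "user-0001",
            "aud": "client-abc", "exp": 1700003600, "iat": 1700000000}


def custom_claims(n: int) -> dict:
    """Constructed custom attributes of the kind a CIAM lets you attach to a user."""
    return {f"custom_attribute_{i:02d}": f"constructed-value-{i:02d}-" + "x" * 20
            for i in range(n)}


def implicit_redirect(token: str) -> str:
    """Callback URL when the ID token comes back in the query string."""
    return "https://app.example.test/callback?" + urlencode({"id_token": token, "state": "xyz"})


def fits_url_budget(url: str, budget: int = URL_BUDGET) -> bool:
    return len(url) <= budget


# UserInfo-style alternative: the token carries only identity, the profile
# stays server-side and is fetched with the token when needed.
USER_STORE = {"user-0001": custom_claims(40)}  # constructed profile store


def userinfo(token: str) -> dict:
    """Stand-in for a UserInfo call keyed on the token's 'sub' claim."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return {"sub": payload["sub"], **USER_STORE[payload["sub"]]}


def compare(n_claims: int) -> dict:
    """Fat token (all claims embedded) vs. slim token plus UserInfo lookup."""
    fat = mint_token({**base_claims(), **custom_claims(n_claims)})
    slim = mint_token(base_claims())
    return {
        "fat_token_len": len(fat),
        "fat_fits_url": fits_url_budget(implicit_redirect(fat)),
        "slim_token_len": len(slim),
        "slim_fits_url": fits_url_budget(implicit_redirect(slim)),
        "claims_via_userinfo": len(userinfo(slim)),
    }


if __name__ == "__main__":
    for n in (5, 40):
        print(f"{n} custom claims:", compare(n))
```

With five custom claims the embedded-claims token still fits comfortably; at forty it pushes the redirect URL past the budget, while the slim token stays a few hundred characters and the same forty claims come back from the UserInfo stand-in.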

Breakdown of Ratings by Product

I don’t put much stock in ratings. I’ve seen companies pay for positive ratings and reviews. I’ve also seen companies able to negotiate with certain entities to get bad ratings removed. Still, I have a tendency to look at ratings before I purchase a product.

I pulled ratings from G2Crowd and from Gartner. I put much more stock in Gartner reviews, but there weren’t reviews for all products.

CIAM Solutions by G2Crowd Reviews

CIAM Solutions by Gartner Reviews

In both cases, Okta walked away with the highest number of reviews. On G2Crowd, Okta was the definitive leader as far as rating was concerned. On Gartner, however, Okta had a more modest rating of 4.5, which isn’t anything to be ashamed of.

AWS had a strong representation on G2Crowd but a measly 3.9 rating. And although it had a strong showing on Gartner, Gartner’s reviews were for AWS as a whole, not specifically for Cognito, so I omitted it from the graph. Ping Identity had the highest rating on Gartner and the lowest rating on G2Crowd. This statistical anomaly makes me want to throw Ping Identity out of the list of recommended CIAM providers immediately: there just isn’t enough data. The same is true of Akamai.

Breakdown of Finances by Product

When purchasing from a software vendor, you need to consider their financial position. Are they public or private? Have they posted a profit or a loss over the past couple of years? Are they looking to be purchased and assimilated into a larger company? All of these questions point to an underlying risk.

Even an established company can shed a part of the business that isn’t making money. Remember Zune, Kin, Windows Phone, or Silverlight? What about Google+ or Picasa? It can be dangerous to invest financially in a product when that product could meet its doom in the near future.

Microsoft, Amazon, and Akamai are not new to the market. All three of them are well-established, publicly traded companies. But what about Auth0, Okta, and Ping Identity?

Okta – A Rapidly Growing Company

Okta is a publicly traded company with an estimated market value of $9.3 billion. With an impressive valuation such as this, you would think that Okta is on its way to being a real contender in the identity management market. However, if you were to investigate a bit deeper, you might be a bit surprised.

Okta launched its Initial Public Offering on the Nasdaq in April 2017. As such, they have filed financial records with the SEC. According to the latest Form 10-K, filed in 2019, Okta has actually posted a net loss for four straight years in a row. What is more surprising is that this net loss has increased by as little as 9% and as much as 37% since 2016. This hasn’t fazed investors, as the stock price has risen dramatically from its IPO value of $17.00 per share in 2017 to $86.83 as of today. So, even with four consecutive years of posted losses, it sure doesn’t seem like Okta is going away any time soon.

Auth0 – A Startup On the Rise

What about Auth0? Because this company is private, it is a little more difficult to ascertain its financial well-being. According to the SEC, they have performed at least five rounds of venture capital financing and have raised upwards of $116 million. Auth0 has had no difficulty raising funds. Unfortunately, there is little way to determine how these funds have translated into profitability.

With Auth0’s latest venture capital round raising $60 million, it is not difficult to assume that they have serious financial obligations. Like most startups, I don’t expect them to be profitable for a while. The question is if and when they will cross that line. This makes Auth0 a much riskier choice than Okta.

Ping Identity – A Silent Competitor

Ping Identity is also a privately owned company. They have filed many Form Ds with the SEC, but they haven’t secured venture capital since 2014. The total investments on file with the SEC add up to about $50 million. This probably means that Ping Identity is posting a profit. However, because it is privately owned, there is no way for us to know how well they are doing. I think this places Ping Identity in a less risky position than Auth0, but I still think that Okta is the better choice.

Conclusions

There are a lot of variables that you need to balance when you consider purchasing a CIAM product (or any software product, for that matter). Hopefully this post will give you some guidance on selecting a CIAM product that matches your organization’s needs. In future posts, I hope to walk through the process of creating a prototype app that utilizes each one of these solutions.
