What’s the Best Approach to SSO and Consumer Session Management for Your Businesses?
If you want to see an argument break out among identity professionals, mention single sign-on (SSO) and consumer session management. As fast as this technology’s evolved is as fast as it’s become one of the most contentiously debated topics in the field.
As a senior customer identity and access management (CIAM) technical consultant, I believe this problem stems from an overuse of the term “session” in software development. Customers and security, legal, and marketing teams all use the term differently.
For the customer, it’s simple: A session is the amount of time they’re logged in or “authenticated” to one or a group of logically associated sites and applications.
For security and legal teams, it’s more involved. User relationships in a large company may span many business units. They need to protect both the user and the company from fraud. So these organizations will have a considerably broader definition of session than a customer.
For legal and marketing teams, there’s an alphabet soup of privacy regulations. Most are predicated on knowledge that the customer has agreed to certain terms of use for their information. I have heard marketing teams refer to the agreements’ validity periods as sessions, too.
Enter Industry Standards to Settle the Argument
Before OpenID Connect (OIDC), a number of authorization frameworks (i.e., OAuth, OAuth 2, SAML, SAML 2) provided industries with workflows to authenticate users. These had varying degrees of security and provided no agreed-upon framework for consumer (aka user) session management or SSO best practices.
Most common solutions ended up relying on the use of third-party cookies to provide unified session experiences for end users. These are no longer an option.
Now, the industry’s agreed-upon OIDC authentication framework, along with the OAuth 2 authorization framework, offers several approaches to a secure solution for consumer session management. But you still need to choose the correct approach. To do so, ask yourself the following questions:
- What experience does my customer expect from a session?
- What does my security organization expect from a session?
- What do my legal and marketing organizations expect from a session?
Using Your Business Model to Configure Your Solution
Your answers to the questions will depend on your use case for consumer SSO and session management. They often vary by business structure. The three most common are:
- Well-known, strong relationships between business units
- Well-known, loose relationships between business units
- Relationships between business units that are not strong or well-known
In the following, I’ll explore each of these use cases from customer, security, and legal and marketing organizations’ perspectives. I’ll also direct you to specific Akamai Identity Cloud resources designed to help you configure an effective solution. Identity Cloud is a leading CIAM platform.
Use Case 1: Well-Known, Strong Relationships Between Business Units
Question 1: What experience does my customer expect from a session?
When your business consists of tightly integrated sites and applications, your customer will expect a very centralized approach to session management. When they log in, they want to be treated like they’re in a shopping mall where they can then freely access a number of other stores. They also expect that when they leave one store, or log out, none of the other stores inside the mall can do business with them; there are no individual sessions.
Question 2: What does my security organization expect from a session?
Keeping with the analogy, your security organization will want to monitor when consumers walk into the mall and how frequently they make transactions. In other words, when the user logs into their account. They may also want to have the ability to log the user out — kick them out of the mall, so to speak — if they suspect bad behavior. More important, customers value security and expect this experience as well.
Question 3: What does my legal and marketing organization expect from a session?
In this use case, legal and marketing organizations often have the most hassle-free approach to tracking customer relationships. The customer expects their marketing communication preferences and legal terms to be centralized for all of the applications under your business. Going back to the analogy, they don’t need a distinct credit card or contract to do business with each store in the mall.
Using the Akamai Identity Cloud Solution
Luckily, Identity Cloud offers an out-of-the-box ability to separately version and enforce legal acceptances, along with adding as many custom preferences as you would like. You can also set different token refresh rules for different applications to support the customer’s expected experience.
Use Case 2: Well-Known, Loose Relationships Between Business Units
Question 1: What experience does my customer expect from a session?
Say you offer a number of services that may not necessarily require the same way of doing business. A user who logs into one service, say video streaming, expects that session to last at least as long as the movie they’re watching. At the same time, they may log into another service, say an online retail application, and expect to be logged out after the transaction has been completed. These time frames will often be drastically different.
This approach is as common as the centralized approach to session management. It’s also the approach that the OIDC spec most easily addresses.
Question 2: What experience does my security organization expect from a session?
This never really changes. Your security organization is going to want the same information they did with the fully centralized model. This works for consumers, too. When they provide you with personal information and do business with you in several ways, they expect security. It starts with business tracking and notifying the customer of sessions that have started and that they themselves may not be aware of.
Question 3: What experience does my legal and marketing organization expect from a session?
Legal and marketing organizations may have a more complex relationship with the customer in this approach, where a customer’s preferences and legal terms may not necessarily make sense to group together.
Using the Akamai Identity Cloud Solution
Luckily, Identity Cloud offers an out-of-the-box ability to separately version and enforce legal acceptances, along with adding as many custom preferences as you would like. You can also set different token refresh rules for different applications to support the customer’s expected experience.
Use Case 3: Relationships Between Business Units That Are Not Strong or Well-Known
Now let’s say you have a very large business organization with many subsidiaries, each with unique and sometimes overlapping relationships with your customers. Here you may have a mix of both of the above-mentioned approaches. The key to making it work: Only group consumer sessions together with businesses and brands that the customer expects to do business with the same way.
Question 1: What experience does my customer expect from a session?
Let’s go back to our analogy of the shopping mall. Businesses locate themselves in a mall with a basic assumption that the customers they’re trying to reach will be shopping at that mall. However, for many consumer businesses, it doesn’t make sense to share the same location, even if it makes sense to be near each other.
Let’s take the example of a lumberyard and rock quarry. These businesses operate with an assumption that their customers will show up with the basic equipment and knowledge to haul their purchases safely. It makes sense for them to be located near each other, just like a customer may expect two clothing stores to be next to one another in a mall.
Shared sessions between similar services make sense to your customer and should be as complex a solution as you consider when implementing identity in this approach.
Question 2: What experience does my security organization expect from a session?
As I said earlier, this never changes. Security teams want to know everything about each user across all of the business units that share a relationship with them. This is a best practice because your customers will welcome any protection they can get against fraud, just as readily as your business does.
Question 3: What experience does my legal and marketing organization expect from a session?
As you can imagine, your legal and marketing approaches to shared sessions can get pretty complex in this use case.
I generally recommend companies start with customer expectations, and group sessions around services in which customers would likely to centralize their preferences. This works nicely when it makes sense to have the same sort of legal relationship between your business and your user at the same time.
It is also becoming increasingly common to use one set of terms and conditions for all of your business units and require all users to accept updates to it globally, even if the businesses are not logically related.
Using the Akamai Identity Cloud Solution
Talk to one of our specialists to learn how to implement this sort of hybrid approach with Identity Cloud.
Identity Cloud lets you leverage self-service configuration tools and guided implementation workflows to create authentication solutions to support all three of the above use cases.
*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Keith Folz. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/CWC2rFw48gY/whats-the-best-approach-to-sso-and-consumer-session-management-for-your-businesses.html
