Welcome to this session where we'll concentrate on how we can use OneLogin to deliver a seamless and frictionless solution when it comes to the CIAM space. So this is titled, "Don't Compromise on Your CIAM Solution." I'm Mark Cockbell, Senior Manager of the Access Management Solution Engineering team across EMEA and APJ. And I have Mark Maguire with me. Mark, would you like to introduce yourself?
Yeah, thanks, Mark. So my name is Mark Maguire. I'm a Solution Architect on the EMEA presales team. And I'm doing a lot of work lately with CIAM and all of our adventures in this space. So I'm happy to be here.
All right, so just a brief agenda of what we're going to cover off, then. I'm going to give a quick overview of what the OneLogin CIAM platform looks like from a high level overview, what we can provide out of the box, maybe what we can deliver through customer interfaces, and then going on to how we bring this all together as an overall solution. So let's start off with the OneLogin platform itself then. OneLogin, of course, is very well known for the workforce space. But we can also deliver CIAM within exactly the same platform as we do our workforce environment.
Of course, what is CIAM? Well, we're providing our external users or customers or partners with access to our digital assets. And the key thing we're looking to deliver is a great user experience whilst also maintaining security through good and strong data protection. Of course, with a CIAM solution, if we're looking at driving customers maybe to a retail environment, we want to make sure they're getting the best possible experience. Because what we want to make sure they're doing is they're returning to that platform over and over again to continue spending within that environment.
Let's look at OneLogin as a platform in terms of where we're hosted. OneLogin, of course, is built as an IDaaS platform out of the AWS platform-as-a-service. We have two distinguished shards, one in the EU and one in the US. And they're kept entirely separate from each other. Within each of those shards, we've got two regions.
So in the EU shard, we've got Ireland and Frankfurt. Within the US shard, we have the Oregon and Ohio regions of AWS where we utilize those services. And within each of those regions, data is hosted on a minimum of three data centers. So a customer's tenant sat in one particular shard within OneLogin will be on a minimum of six data centers at one time.
So you can see how there we can give you resilience, failover redundancy just from that data center infrastructure. But of course, it's not just about how we architect the actual data locations. OneLogin is built on a very elastic and microservices-based structure. So our services are seen to be reducing inefficiency. We'll spin up new services. So in the background that all just happens. So you're able to get a very stable and secure service.
Now, added to that, one of the key questions we get is around latency. How can you ensure that your customers, your partners, et cetera, are able to access the solution in as minimal time as possible? And we rolled out Global Accelerator, also WAF and Shield, which we'll cover off later on. But what Global Accelerator allows us to do is ensure that your users are able to access the OneLogin platform in as low latency mode as possible.
And how we do that is, utilizing Global Accelerator, we can allow the users to gain access to the AWS backbone via points of presence. And as soon as they're on that AWS backbone, they're able to utilize AWS's own infrastructure-- that's high speed, low latency infrastructure-- to access the OneLogin services. And that not only helps us with the latency side of things, it also helps us with the scalability, being able to failover to different environments.
It can reduce that failover time and allow us to switch over very, very efficiently. And we can see at the bottom there AWS has actually got a global network of 104 points of presence. And that's across 48 countries across the world. So wherever your users are accessing from, they should be able to access the OneLogin services in a very low latency manner.
I've mentioned WAF and Shield already. But what these services allow us to do is provide automated mitigation of DDoS situations. So if the OneLogin infrastructure starts to receive a DDoS attack, we can automatically mitigate that with WAF and Shield and prevent that from being successful. So out of the box, we've got automatic blocking of IPs, bad user agents. And that's something that's consistently updated in the background by AWS themselves.
Of course, we can put in our own IP blocking as well if we wanted to. But on the whole, we're just utilizing that known database that AWS are keeping in control of. And we're in the process of migrating to AWS's own Aurora database infrastructure. And this allows us to, again, start to add more scalability options in here, more failover options, and as well as migrating to full infrastructure as code, as well, allowing us to then very easily spin up new infrastructure, provision new things, and ensure that we're doing that in an efficient way and removing the possibility of user error.
So that's a brief introduction to OneLogin as the infrastructure side of things, the background. Let's have a look at the out-of-the-box functionality that OneLogin can provide you with. And I'm going to hand it over to Mark so he can give you a brief overview here.
Great. Thank you. So yeah, so let's delve into the art of the possible here now. So we've got three different modes in which you can really leverage OneLogin for your CIAM solution. So we've got obviously here the out-of-the-box mode, we've got an API-based mode, and then a combined mode, which we'll see shortly. So if we just, first of all, go through what you can expect to benefit from in an out-of-the-box functionality scenario. So this is where you are fully depending on taking all of the different capabilities that are available on the platform with very, very little customization or effort needed from any development teams in house, et cetera.
So this is really the fastest way to get up and running with this mode. So from a foundational aspect, so obviously we've got our highly available and scalable, secure cloud directory, which is obviously underpinning everything. And we've got then the ability to integrate and connect to any existing LDAP directories that you might have in place. So with our LDAP lightweight directory connectors, these are very easy, lightweight agents that can be installed on your existing LDAP servers to connect into the OneLogin platform.
And we can then obviously with that in place, we can migrate your authentication traffic from occurring against your LDAP directory to using our cloud authentication capability. This is through our smart passwords feature on our LDAP connector. So this is a very, very powerful way to start off with authenticating your users against your existing LDAP directory. And then as they authenticate, cut them over to using the cloud-based authentication without any kind of user interaction or involvement needed.
The next piece, then, we have our administration API or our CSV upload capability. Both allow you very easy and powerful ways to upload an existing user base that you may have. So this is for sure needed in your migration design and considerations. Then we have our self-registration capability. So if you want to allow users to register in a self-driven process, we've got out-of-the-box self-registration pages. So you can have any number of different self-registration pages enabled, each with different authentication or sign-up flows with email, magic link, or OTP available.
So then in terms of the end user journey you can expect, so with our out-of-the-box functionality, we would be offering our hosted login page, which supports our standard branding. But also a level deeper than this then is our App-level branding, which allows more granular control over your user experience and allows you to have really different brands based on the different applications customers may be trying to access.
We can then obviously bring some further items in here then around things like social registration, social IDPs. So authentication from your social IDPs, your registration with your social IDPs, self-service password reset flows, obviously branded email notifications, and SSO experience. So if you've got multiple CIAM applications, if they're all integrated into the platform, your customers can experience that single sign on experience and not have any friction at all, from that perspective.
And we can also offer optional or enforced MFA registration. So maybe on some user bases you might want to mandate MFA, where other user populations you would like to have this as optional and user driven. They can decide if they want to or not. It's completely optional. So this is very, very popular from the CIAM perspective. Then from a management perspective, we've got a lot of capabilities here, as we can see.
So really important things like delegated administration-- you can really granularly control the different administration privileges to manage the platform. And we've got a configuration-as-code approach as well with our Terraform provider. You can configure and manage and maintain the configuration of your OneLogin environment entirely from a Terraform provider. So this is a very powerful way to control configuration across different production and non-production environments and making sure you've got a very minimal amount of configuration drift in any environments that you have.
And we've got things down like our custom subdomain, vanity URL. So this is available as well. We've got sandbox solutions. And we've also got our mappings capability down, so allowing a lot of automation and data transformation and manipulation as well through our mappings capability, which is controlled via a rule base in the platform. So this is another key feature on the out-of-the-box functionality.
Cool. Thank you, Mark. As you can see, there's a huge amount of capabilities there that we have out of the box that you can utilize straight away with very low code or no code at all implementation. But of course, that doesn't suit everyone. So there are some things that we can do when it comes to using our APIs to try and simplify the complexity side of things. So Mark, handing it back to you to go through how we can do this.
Yeah, absolutely. So obviously, we have a high level of flexibility in terms of things like branding, as I mentioned on the previous slides. But there are always cases where, you know, you may just need to go that level above and have that really custom implementation. And so this is absolutely available and possible and underpinned by all of our various administration and authentication APIs.
So from the foundational perspective, we have the possibility to integrate custom solutions with our highly performant and reliable administration and authentication APIs. And with that you can obviously fully customize user registration flows. So you may have unique requirements that you need to fulfill as part of your user registration. You can carry out all of those unique workflows in your customized registration page. And when this has been fully completed, then you can obviously make a call to our administration APIs to create the user and apply the relevant profile as needed.
And we can also obviously support, then, that customized user profile management and authentication factor management. So this is obviously giving the user the ability to maintain and update various factors around their profile and security authentication factors as well. And then we can have customized application logic implemented, so consuming custom claims, which we can actually mint into the security tokens that the platform issues. So this is a very powerful way to control the experience that's actually delivered to end customers of your application.
So then, from the user journey perspective again, so with the API-based approach, so obviously heavily reliant on our authentication APIs to implement this kind of capability. So we can support fully customized password-based authentication flows with our authentication APIs. And we can also then support the customized authentication flows with our OIDC APIs. With this, we're able to respond with the ID token and access tokens and custom access tokens that may be required in your application.
And we also have fully customized passwordless authentication flows. So this is delivered using our MFA-only APIs. So perhaps it's just a customized passwordless experience you're looking for. Well, this is simply a case of plugging into our various MFA APIs. And that will support that use case for you. And additionally then we can layer on things like adaptive authentication-- so this is our SmartFactor MFA-- on top of any existing custom authentication solutions you may have.
So you may already have a custom solution in place and that you're quite happy with, but you're just in the scenario where you want to layer on some additional security controls on top of that. So with our SmartFactor MFA, this is the perfect solution for that where we can follow on from your existing authentication solution and layer on this adaptive authentication approach to bring in risk-based and additional contextual security controls to your custom application.
And finally, then, we've got obviously the ability to deliver step-up MFA scenarios. So with our MFA APIs, they can be leveraged and accessed in scenarios where you need to step up authentication for your customers who are performing sensitive actions, perhaps in your application or managing their profile from a sensitive perspective where step-up MFA is always a great value add for your customer, from a security perspective.
Then from a management perspective, we've got the ability to, again, use mappings. So even in our custom interfaces mode, the ability to leverage our mappings capability is still available. So this can be used for performing data transformations and populating custom fields which can trigger and organize various automation in the platform. These are also all available here.
We also have then our App Rules capability. So this is bringing in the transformation of security claims, claims held in the security tokens and conditional logic, which you can maintain in the rule base in your configuration. And then, finally, we can still implement a lot of the transformation and standardization of identity-related data using various automation capabilities built into the platform. So it's not just going it alone and having to build everything yourself. There's still all of those automation capabilities on the platform that are available to you, even if you are just using our APIs for, you know, registration and profile management, as well as authentication as well.
Awesome. Thank you, Mark. As you can see, there's a huge amount of stuff we can do there when it comes to the custom side of things with our APIs, utilizing OIDC and other things as well. But of course, not every customer will want to go down the route of having to do everything at a code level. And that's where we can start to combine the two together, where we do a mix of out of the box along with some of that custom work. And Mark's going to go through a little bit more around what we can do in this space. So Mark, back to you.
Yeah, great. So this is actually my personal favorite approach, I have to say. This is where we are able to combine the best of both worlds, where we can, you know, deliver a customized solution where needed, but leverage the platform capabilities from the strengths that they can offer in terms of authentication and having that managed service approach to those critical aspects of your application security. So with this mode, really, we're talking about things like having a customized registration and profile management page.
So you can, you know, obviously fully customize your registration and your profile management journey to match exactly what's needed in your particular product and the needs of your product and your organization. And you can leverage then the flexibility of the OneLogin platform at the end of that customized registration process by then populating various custom fields in the platform. So those custom fields then can be used to trigger mappings, which will then ensure that various actions are applied on the platform.
And, for example, things like assigning security policies, you know, making data transformations on various attributes, and ultimately controlling the configuration that's applied to each user in the platform-- all driven by your custom fields that have been collected or added to the user creation process through your customized registration and profile management flow. So as an example of that, we have here where we can imagine that an authentication factor could be automatically registered at the point when the user is created. And this would allocate a security policy to the user.
So for example, if we consider things like a passwordless sign in using email and magic link. So when the user has indicated this preference in the sign-up flow in your custom registration page, this will obviously make some additional logic in the API call to our administration APIs and apply, for example, some custom fields. And with that custom field in place, that will then trigger a mapping which will then trigger a group to be allocated to the user. And then that group controls the security policy that's applied to that user, which ultimately dictates what kind of authentication experience the user will face when they actually go to log in. So that's just a really, really quick example of how to use a custom field to actually dictate the user experience from an authentication perspective.
So then on the other side, we have from the hosted perspective. And this is using, obviously, the out-of-the-box capabilities with our hosted login page. So you can benefit from being able to leverage the same access management technology that's used to secure the most complex workforce environments for your CIAM solution. So you can imagine, this is a case of really selecting which parts of the platform you want to choose.
And obviously there are significant differences between CIAM requirements and Workforce. But the point here is that you have a vast array of controls and capabilities available that suit, you know, the most complex workforce environments. And it's about being able to just pick and choose which of those items you need in your CIAM solution. So then the application developers are able to then concentrate on your product and not worry about developing and maintaining a custom authentication solution. So this is really empowering the developers to concentrate on your actual business product and leave the authentication and security controls to the platform.
And we then have the ability to supplement all of those built-in security controls and capabilities with user policies and automation and mappings that we mentioned previously. We can overlay that then with some custom logic which can be defined and configured by each customer. So this is using our Smart Hooks capability, which is basically a serverless JavaScript function that runs on the platform on your behalf and allows the customer to really overlay and finalize the configuration with additional conditional-based logic to dictate things like which user policies are allocated to users and in which scenarios authentication may need to be, you know, outright blocked, which scenarios require particular authentication factors, et cetera.
So this is really a way of controlling that, the final control on that end-user journey. So as an example of that, then, we have the picture here where we have a user who signs in for the very first time. And the Smart Hook service is able to temporarily allocate a particular policy for that sign-in flow. So this is based on the fact that we can see that this is the first time the user has signed in. So that piece of contextual information is used to trigger, you know, an allocation of a security policy.
And in that case, we might have a security policy that actually includes something like a customized welcome message. So rather than having this welcome message presented every time the user signs in, we can contextually apply that policy with that message to the user on the very first sign in and not have to change security policies or have an administrator change policies to control the subsequent behavior after that point. So just an example of how with the two, the best of both worlds, the custom registration and the managed authentication flows, you can deliver a really dynamic experience to your customers.
Thank you, Mark. As Mark's hinted here, this is definitely the best way we can deliver a OneLogin-based CIAM solution where we're using a hosted login page to deliver the best-in-breed solution, the most secure solution when it comes to the actual logon approach. And then we can start to look at the really customized registration and profile management solution by hosting our own web pages that are delivering that overarching solution and using OneLogin's APIs for that purpose.
So there's one other thing we want to cover off before we look at how we bring this all together, and that's how we then look at integrating third party solutions. Of course, it's not just about the OneLogin platform. It might be some additional functionality you want to bring in to maybe look at a best-of-breed external solution and how you bring that into the OneLogin platform and start to use it. So I'm going to hand it back to Mark. And he's going to go into this in a little bit more detail.
Great, yeah. So let's have a look again through our various areas here in terms of integration areas and items of interest in this space. So from the foundational perspective, again, we can talk about things like our Smart Hooks capability, which I just mentioned. But we have the ability here to actually use a user migration Smart Hook in this case. So this is allowing you to migrate your users from perhaps your current incumbent solution into OneLogin on the fly in the background while the user is going through their first authentication experience with your OneLogin CIAM environment.
So this is a really powerful way of validating the existing username and password against the current solution. And if that's successfully confirmed, obviously then going and creating the user in the OneLogin platform on the fly as that happens and immediately signing them in all in the one transaction. So this is a really nice way of integrating to your existing platform while you perform or go through your user migration process. And ultimately it allows users to migrate as they authenticate on that same transaction.
So then we can also think about things like our inbound SCIM interface. So we can support external systems that are going to be empowered to create users in the platform. So we can support the creation of users, roles, and groups, then, from these external SCIM clients, allowing you to have integration there to manage the users and profiles of everything and not having to build some custom tools and custom logic. Purely just here we can rely on the SCIM standard, which is for sure a very easy way to migrate your users into the platform.
We can also then integrate to external systems then from an app provisioning capability perspective. So we can actually then obviously provision outbound to external systems that support the SCIM standard as well. So with this, you might want to push out certain information to an external system for whatever reason. As long as you have that SCIM interface in place there, you can leverage our app provisioning capability to create that connection to that external system as you need.
And then the last piece here is the ability, obviously, to have our API access management capability to be implemented to provide customized access tokens, which can be used then for authorization to your custom APIs that you might have in your back end. So this is another item to be aware of and supported in both the out-of-the-box and the custom authentication APIs approach as well.
So then from a user journey perspective, so what can we do here in terms of external integration? So for sure a very powerful item here is our ability to connect to external systems that support OpenID Connect. So we can redirect users to external identity providers with our Trusted IDP as a factor capability. And with this, which we'll see in some demos later on, we can basically offload the authentication transaction against an external system as an authentication factor, as long as the OpenID Connect protocol is supported.
So with this, then, we can also bridge multiple different external identity providers together using the Trusted IDP as a factor capability in a user and an app security policy. So you can consider you might have two external systems you want to integrate into during an authentication flow. You can use OneLogin in the middle to bridge those two solutions together.
We then have the ability to trigger calls to external APIs from our Smart Hooks capability. So with our pre-authentication Smart Hook, this is our Smart Hook that will fire in the authentication flow. And with this, we have the ability to trigger and make calls to any external APIs that you may need to integrate into. So this is for sure another powerful way to bring external integrations into place into your solution.
And then just the final piece here is around our trusted IDP capability. So this is our ability to federate and integrate into things like our social sign-in providers, B2B identity providers, and even things like government eID, identity-proofing vendors, et cetera. As long as they're supporting the standards that we have in place, which is the SAML, OIDC, and OAuth2 standards for our trusted IDP. You can integrate there and allow both a sign-up and a sign-in experience to your solution using that capability.
And then from a management perspective, some of the items we can discuss here that are really interesting include our custom SMTP server. So you can integrate into any SMTP servers you may already have and you may need to use for your solution. So this is available, but in the out-of-the-box mode. And we also, then, have our custom SMS gateways. So if you're going to be leveraging our SMS authentication factor, you can customize which authentication or which SMS gateway you need to use in your environment.
And then finally here we have a very powerful capability with our webhooks functionality, which is where we can stream any OneLogin events that occur in your platform to an unlimited number of external systems. So you may think here of things like integrating into your SIEM environments, automation platforms, for example, and obviously also monitoring solutions as well. So this is really allowing, you know, that really last level of integration capability by streaming out your activity events to an external system, which can then obviously be configured and built to react to those events and perform various custom workflows as you may need.
So we've covered a huge amount of ground there when it comes to what's possible in OneLogin itself, either with out-of-the-box functionality, through integration with API, maybe a little bit of both, maybe some integration with some external systems as well. But what does that actually look like? Of course, this is what we're going to go into next. And Mark's going to cover off a few demos here to show us what's possible within the world of OneLogin when it comes to delivering a CIAM solution. So, Mark, I'm going to hand it back to you to go over these demonstrations.
OK, so now we've got a number of demos we can show you. And let's just bring it all together, as it says, and see how this really looks in the real world. So our first demonstration, we're going to go through is using a simple flow with a custom registration page. And then the user is going to sign in, then, after they've created their account and sign in with our hosted login page. And see how this looks.
So we have our Cedar Stone environment here, so our fictitious gaming site here. And we're going to see now how this flow looks from the user perspective. So we have our sign up button here. We can see that the user can go and sign up, create an account here. So simple form-- username, first name, last name, email, and the password. And then complete the CAPTCHA here. And we should be then able to click the register button.
So we can see this now will create the account. So we can see our user has been created. And now they can go and enter their email in here and get redirected to the hosted login page now. So we're now on the hosted login page here. We can see the email has been passed through, and the OIDC hint already. Just enter the password.
Select here now whether we want to do MFA or not. So we can skip. It's optional. And then we're presented with terms and conditions. And then the user is signed into the application now for the first time. And we can see here some of the claims that have been passed through in the ID token back to the application. So that's just an example of a very simple custom registration page and the hosted login option.
So our next demonstration then is using a trusted IDP, in this case, a social sign in, so Google. So we're going to use sign up with Google and then sign in once that account's been created and show how that experience looks from that perspective. So again, we have our gaming Cedar Stone environment here. And we'll just kick this off here so we can see. We have our sign in page.
And on this, we have a custom button for sign up with Google. So this is going to initiate integration to Google with our trusted IDP capability. So we can sign in to our Google account here. In this case, we'll just use our password and any passkey. And then authenticate to Google here, and this will now redirect us back to OneLogin where our account will be created just in time, provisioning and on the fly.
So then we can add Google as an authentication factor here. We can see this has been added seamlessly. We already have a session open to Google there. And we get now redirected into the application and signed in. And we can see, you know, we've created an account and signed in. And our claims are visible once again. So now just to show then, the next sign-in experience.
So now that we've created our account, we can put in our email here into the login form. And we get redirected again, just like before with our email address passed across as an OIDC hint. And then we are sent to Google to authenticate, which we already have a session here in this case. And then we are redirected back and signed into the application just like before with our claims and everything is visible. So a very simple example of social sign up and sign in, in this case with Google.
Our third demo, then, is this time using a high-trust identity provider, in this case BankID. Again, this will be through our Trusted IDP capability and our hosted login, then, once the user account has been created. So we'll sign up with our BankID account and then use that same authentication factor to sign in again. So again, with our Cedar Stone environment here, this time we have our retail brand we can see. And we can go and click on sign in option and continue to sign in.
And this will bring us down to our hosted login page. And we can see down at the bottom, we have an option to sign in with BankID. So we're going to go with this. We're going to authenticate to our BankID with our Social Security number and whatever authentication factors BankID needs. In this case, it's an OTP and our BankID password. And then we will consent to sharing our information. Then we'll log in here. And we get redirected back to our Cedar Stone application.
Again, we can optionally set up MFA or not. We get our terms and conditions, just like before, and we can accept those. And then we are redirected back into the application where our account has been created. You can see now Jim Smith. So this has been created from our BankID account. And everything is working really well there. So that's just an example, again, using Trusted IDP and in this case BankID rather than a social sign-in provider.
Then, our last demo, then, is taking a look at our Smart Hooks capability, and in this case, our user migration Smart Hook. So in this example, we're going to show how you can seamlessly migrate a user just in time, on the fly from an Auth0 environment into your OneLogin environment without the user even realizing that the migration has happened. So it's a very seamless experience, as you can see here.
So we have our Smart Hook, just as a little example here of our configuration. So we have our Terraform configuration here and our Smart Hook defined in this environment. And we can see we're calling an Auth0 environment here. And if we have a look in the admin console here, do a quick search, you can see that this user doesn't exist already, another.customer@gmail.com.
So we're going to go and have a look now at how the sign-in flow and the user migration actually looks from a user perspective. So we have our Cedar Stone environment again. We can go to the sign-in page. And we're landed on the hosted login page. So here if we just enter our existing username and password from the system when it was using Auth0, just like before, we can enter these credentials here. And our Smart Hooks are firing here in the background, which will make a call to the Auth0 API and validate those credentials.
If it's scored, it will create the account. We get our MFA option and our terms and conditions and our account has been created on the fly in the OneLogin platform. And we're signed in, then, to our CIAM application here. And just like before, we can see some of the claims and our ID token content there as well. So this is just showing how easy it is just to migrate a user on the fly in real time from an existing CIAM service into OneLogin without any disruption to the user. So that's concluding our demonstration and our presentation today. So if there are any questions, please feel free to let us know. Thank you.