
What’s OIDC and why should you use it for CIAM?

Who remembers the days when cars all came with two keys—one to start the engine and one to open the trunk? 

Add to that the key to the front door of your home, another for the back door, and yet another for your building or office. Pretty soon, you had a full, heavy, awkward ring to cart around.

Fortunately, technology has eliminated the need to carry so many keys in your pocket. 

However, if your customer identity and access management (CIAM) system isn’t using the right protocol, you might as well be asking your customers to carry around a bunch of keys.

For example, let’s say you’re a clothing company, but you have three brands — one for men, one for women, and one for children — and each brand has its own website. If you were using the most basic CIAM approach, a customer would have to create a new username and password to order clothes from each site.

Better than basic: OAuth and SAML federation protocols

Nobody strives to be basic. So if you’re managing a brand like the clothing company example above, chances are you’ve heard people throwing around terms like “identity federation protocols” and their close cousins OAuth (short for open authorization) and SAML (short for security assertion markup language).

Federation protocols are big words for standards that let one site identify a user when they’re coming from a different site. It’s simpler than it sounds. Think of OAuth and SAML as different languages – like Spanish or French. As long as both sites use OAuth or SAML, when a user goes from one site to another these protocols let one site say “Hey…I can verify that this user logged in on my site. Here’s who they are. You can trust them so they don’t have to log in again on your site.”

In our clothing company example, federation protocols like OAuth and SAML would allow a customer who signed into one site to be automatically logged into the other two brands.

It’s super convenient for the customer. And it’s safer, because all federation protocols use a secure server, called an identity provider, behind the scenes so that the sites don’t need to share sensitive authentication credentials.

OIDC and why you should use it for CIAM

What makes OIDC so great? 

OIDC, or OpenID Connect, originated about 8 years ago, making it a relatively new type of federation protocol when you consider the longer arc of IAM history. Since then, it has quickly become the de facto standard for modern CIAM implementations. 

What’s cool about OIDC is that it makes your customer experience infinitely simpler – especially when your customers use different devices (and who doesn’t?) to log onto your app. You can create personalized omnichannel experiences and OIDC also makes it a lot easier to implement social login. Best of all, OIDC is straightforward to implement.

How does OIDC work its magic? Well, it starts with a simple, lightweight flow that doesn’t require much coding and uses JSON Web Tokens (JWTs), which are compact, easily transportable, human readable, and support multiple digital signature and encryption algorithms.

Less coding means less troubleshooting, so it’s easier to maintain than OAuth or SAML. Plus, it’s easier to customize if you need to support different sign-in journeys. 

Time to shine: how OIDC supports omnichannel marketing

Think about a brand that you really love, which makes it easy to shop, purchase, subscribe, or whatever else you want to do – when and where suits you best.

You may not even have noticed that the experience is exactly the same between your mobile phone, your iPad, and your desktop. Technologies like OIDC make that possible, allowing the brand to define a common sign-in journey regardless of the device it’s running on. 

It’s a way better experience for you as a customer. And that seamless customer experience across devices translates into a greater chance customers will click “buy” on those items in their shopping carts. 

If you’re thinking about adding social login providers to your site, most of them also use OIDC. So if you use an OIDC-based CIAM provider, it’ll be a lighter lift to let your customers sign into your site using their Facebook, Google, or Amazon credentials. Everything just flows. 

Making the jump to OIDC from SAML

OIDC is the new-ish but clearly more awesome kid on the block when it comes to federation standards. So, if you’re building a new site or app, it’s a no-brainer to use OIDC.

But if yours is one of the many sites that still uses SAML, it’s not always easy to make the jump to OIDC in one swoop. As an older standard, SAML still uses XML and SOAP interfaces. Swapping those out can be tricky. 

If that’s the situation you’re in, a good CIAM solution should be able to bridge the gap by translating OIDC tokens into SAML assertions and vice versa, acting as what we call a secure token service (STS). It’s definitely an area where Strivacity shines.

Wanna see how we do it? 

Get in touch with us today to learn how OIDC protocols can enhance your customer sign-in journeys and eliminate some of those pesky keys they’ve been lugging around.