Direct user creation
Hiya,
We previously discussed self-service registration and federation, two ways user data is loaded into a customer identity and access management (CIAM) system. With both options, users add themselves.
With self-service registration, they are registering for your application.
With federation, users allow profile data stored elsewhere to be shared with your application.
Another option is to add users rather than allow them to add themselves. This can happen in a couple of ways:
admins manually adding users
a proprietary API for adding them
the System for Cross-domain Identity Management (SCIM), a standard for moving user profile data
More about these options
Admins manually adding users is a good option for smaller companies or one-off requests. If this is important to you, make sure you check out the admin UI for any CIAM solution. One is usually available for user management anyway, but quality varies. However, this option doesn't scale and also has the downside of having a human in the loop. When a customer signs up for a web or mobile application, they usually expect access fairly quickly.
Another alternative, using a CIAM solution's proprietary user creation API, depends on a number of factors:
Does that API exist?
How full featured is it?
Is there developer time available to integrate with it?
Are there SDKs or libraries that can help accelerate development?
Since CIAM solutions almost always require development effort to fully integrate them, these factors are typically not insurmountable. However, you should always consider the opportunity cost.
Using this option also lets you integrate customer account creation into an existing application or applications. Perhaps you offer the ability to create teams of users within your application, or you want to let parents create accounts for their children. If you want maximum control and seamless integration, use APIs.
SCIM is a good solution if your users live in another user data store which can act as a SCIM client. A SCIM client is the source of record for user profile data: it pushes user data, including profile attributes, credentials and group membership, into a recipient data store using a standardized protocol. The recipient identity store is, confusingly, called a SCIM server, and it is what receives the data.
The SCIM website includes a list of implementations, but in my experience, SCIM clients tend to be employee-focused directories. Both Azure AD/Entra and Okta are SCIM clients. This option is a good fit for a CIAM solution aiming to support employees. For example, a SaaS selling to businesses where the business wants to control user provisioning automatically is a good fit for SCIM.
Credentials
You'll also want to think about credential management. Since you are creating the user, the secrecy of a credential such as a password is compromised. There are also credentials that are not initially usable, such as passkeys.
In the case of SCIM, the client provides the password. It's a full copy of user data, regularly updated.
For the other two cases, think about how to deliver credentials such as a password safely. Options include:
Don't allow passwords and only allow passwordless options like magic links or federation.
Create a one-time password that you share with the user. The next time they log in, force them to change it.
Set the password to a random high-entropy string and have the user access account recovery options to reset it.
Offboarding
Because the option of adding users yourself is used when you need more control, you're more likely to handle account locking/disabling to offboard users as well. While you might deactivate accounts of users who registered or logged in using federation, it's common to leave those accounts active, perhaps with lower levels of permissions, rather than deactivating them.
SCIM lets you remove accounts automatically when the account is removed from the source. Other options require more effort. Using an API can automate offboarding. If the situation happens rarely, manual removal or locking of accounts can be adequate.
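To make the SCIM server side concrete, here is an added example (not code from this newsletter or any CIAM product) of a toy in-memory SCIM 2.0 /Users endpoint: the client creates a user and pushes the password, which is stored only as a salted hash and never echoed back; a PATCH setting active to false deactivates the account, and a DELETE removes it. The request/response shapes follow the SCIM 2.0 schema URNs; the store, its method names and the sample user are assumptions for illustration.

```python
import hashlib, hmac, os, uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def _public(user):
    # "password" is write-only in SCIM; neither it nor its hash is ever returned.
    return {k: v for k, v in user.items() if k not in ("salt", "pw_hash")}

class ScimUserStore:
    def __init__(self):
        self.users = {}  # id -> user record; password kept only as a salted hash

    def handle(self, method, path, body=None):
        """Dispatch one SCIM request; returns (http_status, response_body)."""
        body = body or {}
        if method == "POST" and path == "/Users":
            if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
                return 400, {"detail": "userName and core User schema are required"}
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"scimType": "uniqueness", "detail": "userName taken"}
            user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                    "userName": body["userName"], "active": body.get("active", True)}
            if "password" in body:  # the SCIM client (source of record) pushes it
                user["salt"] = os.urandom(16)
                user["pw_hash"] = _pbkdf2(body["password"], user["salt"])
            self.users[user["id"]] = user
            return 201, _public(user)
        user = self.users.get(path.rsplit("/", 1)[-1]) if path.startswith("/Users/") else None
        if user is None:
            return 404, {"detail": "user not found"}
        if method == "PATCH":  # offboarding: the client flips active to false
            for op in body.get("Operations", []):
                if op.get("op", "").lower() == "replace" and op.get("path") == "active":
                    user["active"] = bool(op.get("value"))
            return 200, _public(user)
        if method == "DELETE":  # hard removal when the source deletes the account
            del self.users[user["id"]]
            return 204, None
        return 405, {"detail": "method not supported"}

    def login(self, user_name, password):
        """True only for an active user whose password matches; deactivation is instant."""
        for u in self.users.values():
            if u["userName"] == user_name and u["active"] and "pw_hash" in u:
                return hmac.compare_digest(_pbkdf2(password, u["salt"]), u["pw_hash"])
        return False
```

Because login checks the active flag on every attempt, a PATCH from the source directory revokes access immediately, which is the property the offboarding questions below are asking about.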
Questions to ask:
When do you need to disable a user?
Do you need to be able to re-activate a previously disabled user?
Does loss of access need to be instant when revoked? If not, how quickly does access need to be removed?
In general, your system will scale better if you automate offboarding.
User account creation is a great way to add users if you need to integrate such functionality deep into your application or control access with precision. While it can be done manually or automatically, at most scales automation is preferred. If you are working with user data sources which support it, SCIM can automate account creation.
Dan