Recently we had a client that was using Salesforce Visualforce portals with custom code to authenticate users in Salesforce with a username, password and community license.
To enable growth and ease custom development outside Salesforce, the client decided to move to a Customer Identity and Access Management (CIAM) solution.
Customer Identity and Access Management (CIAM) is a subset of the larger identity and access management (IAM) concept that focuses on managing and controlling external parties’ access to a business’s applications, web portals, and digital services. CIAM solutions help organizations manage customer identities, providing security and an enhanced experience.
Axurcio was engaged to provide options for a CIAM implementation and provide a recommended solution, costs and implementation estimates.
| Area | Requirement | MoSCoW | Scope |
|---|---|---|---|
| User Registration | Sign Up | MUST | Account object: First Name, Middle Name, Last Name, Address, Email, Phone; flags and params for ID verification with Frankie One; flags and params for open banking details with Basiq; Income details (child object); Employment details (child object); Open banking accounts (child object); Monthly expense details (child object); Assets details (child object); Household account details in case of a joint application (parent). User object: Username, Email, Phone; User profile (community user profile); User license (SF Community Plus license) |
| | Verify Email | MUST | After user registration, the user receives an email link to verify login |
| | Verify SMS | MUST | After user registration, the user receives an SMS with a unique token to verify login |
| User Login | TOTP | MUST | User can log in from a unique link from email or a token code from SMS |
| | Step Up Auth | SHOULD | Designated areas require extra authentication means |
| | 2FA | MUST | Multiple authentication methods will be required to log in |
| User Experience | Branding | MUST | Login and site packages must have the ability to customise branding |
| | Templates | SHOULD | Emails and SMS should allow customisation |
| Reporting & Analytics | User Management | MUST | Display a user management dashboard to view, modify and delete sessions, metadata, roles and accounts |
| | Analysis | COULD | Trend analysis on usage/signup/logins |
| Administration | Account Lockout | MUST | 5 failed tries: lock account and notify admin |
| | Uptime monitor | MUST | Service notifications on health |
| | Data Residency | MUST | Data must reside on Australian shores |
| | OAuth 2 Flows | MUST | OAuth 2.0 authorization code flows, like PKCE (Proof Key for Code Exchange) |
| Migration | Import existing users | MUST | Allow PIN |
| Non-Functional Requirements | Scaling | MUST | Handle 100 logins per day; peak 1000 for MAU < 50000 |
| | Environment | MUST | Provide a non-production environment for development and testing purposes |
| | API Access Management | SHOULD | Authorise users and roles to APIs |
| | Development SDK | SHOULD | Provide client libraries for easy application integration |
A recommended authentication protocol for modern web and mobile authentication is OpenID Connect (OIDC). This is an open standard that provides a simple and secure way for users to authenticate with web applications. It is based on OAuth 2.0 and uses JSON Web Tokens (JWTs) to exchange identity information between the user, the client application, and the identity provider (IdP).
Proof Key for Code Exchange (PKCE) is an extension of the standard OAuth 2.0 authorization code grant. It is designed as a secure substitute for the implicit flow in single-page applications (SPAs) and native applications.
SPAs and native applications are exposed to reverse engineering. For SPAs, the application's source code is available in the browser; native apps can be decompiled. For those reasons, SPAs and native applications cannot securely store client credentials (especially client secrets) and are treated as public clients.
The authorization code grant with PKCE adds a technique that prevents unauthorized access to resources if the authorization code is intercepted: the token endpoint only releases tokens to the party that holds the secret verifier generated at the start of the flow.
OIDC with PKCE is the recommended approach to enable a secure authentication solution.
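The following is an added, self-contained illustration of the PKCE mechanism described above; it is not code from the client, from Salesforce, or from any of the vendors compared on this page. It models both sides of the exchange: the public client generates a `code_verifier` and sends only its SHA-256 `code_challenge` to the authorization endpoint, and a toy authorization server (an assumption for the example, not a real product's API) releases tokens only when the verifier presented at the token endpoint hashes to the stored challenge. The `client_id` and `redirect_uri` values are constructed for the demo. The `run_flow` function shows the three cases a reviewer cares about: a legitimate redemption, a replay of an already-used code, and an intercepted code redeemed by a party that does not hold the verifier.

```python
"""PKCE (RFC 7636) round trip: public client plus a minimal authorization server.

Added example; the AuthorizationServer class is a teaching stand-in, not a vendor API.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier that never leaves the client (64 chars, within the 43..128 limit)."""
    return secrets.token_urlsafe(48)


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (assumption for this example) that enforces PKCE."""

    def __init__(self) -> None:
        # code -> {client_id, redirect_uri, challenge}; a real server would also expire entries
        self._pending = {}

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a freshly issued, single-use code."""
        if method != "S256":
            # 'plain' would let whoever intercepts the challenge also present it as the verifier
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
        }
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str):
        """Token endpoint: release tokens only to the holder of the matching verifier."""
        entry = self._pending.pop(code, None)  # pop makes the code single-use
        if entry is None:
            return None  # unknown, expired or already-redeemed code
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None  # code was issued for a different client or redirect target
        if not 43 <= len(code_verifier) <= 128:
            return None  # outside the RFC 7636 length bounds
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry["challenge"]):
            return None  # verifier does not hash to the stored challenge
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flow() -> dict:
    """Exercise legitimate redemption, replay, interception and a 'plain' request."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "portal-spa", "https://portal.example/callback"  # constructed values

    # 1. Legitimate client: generate verifier, send challenge, redeem code with verifier.
    verifier = make_code_verifier()
    code = srv.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    legit = srv.token(client_id, redirect_uri, code, verifier)

    # 2. Replay: the same code presented again, even with the right verifier, is refused.
    replay = srv.token(client_id, redirect_uri, code, verifier)

    # 3. Interception: a second authorization whose code leaks (e.g. via the redirect)
    #    to a party that never saw the verifier; its guess cannot hash to the challenge.
    verifier2 = make_code_verifier()
    code2 = srv.authorize(client_id, redirect_uri, make_code_challenge(verifier2))
    stolen = srv.token(client_id, redirect_uri, code2, make_code_verifier())

    # 4. A client asking for the weaker 'plain' method is rejected outright.
    try:
        srv.authorize(client_id, redirect_uri, "not-a-hash", method="plain")
        plain_rejected = False
    except ValueError:
        plain_rejected = True

    return {"legit": legit, "replay": replay, "stolen": stolen, "plain_rejected": plain_rejected}


if __name__ == "__main__":
    for case, result in run_flow().items():
        print(f"{case}: {'tokens issued' if result not in (None, False) else 'refused'}")
```

The point to take from the three refusals is that PKCE does not rely on the public client keeping any long-lived secret: the verifier exists only for one flow, and the server never needs to know it in advance. When evaluating vendors against the "OAuth 2 Flows" requirement, the checks worth confirming are exactly the ones the toy server performs: S256 only, single-use codes, and binding of the code to `client_id` and `redirect_uri`.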
Meets Requirements
Ability to satisfy the desired functional and non-functional requirements identified as in-scope. Methodology to assess options is available in this document’s appendix.
Security & Compliance
The solution must meet all security and compliance requirements for handling Australian consumer data as detailed in the Australian Privacy Act 1988, Privacy Amendment Act 2012 and Privacy Amendment Act 2017.
Pricing
Consideration will be given to the total cost of ownership, including initial setup, licensing, maintenance, and future upgrades.
Deployment time
The effort required to set up the Identity Management Provider solution in production. This can vary depending on the type of hosting, i.e., SaaS, COTS or a self-hosted OSS solution. Includes all configuration, environment creation and customisations such as branding.
Scalability
The system should be able to handle the growth of the organization, both in terms of users and data volume. Pricing should scale according to use of service/compute. Ideally the ability to handle ~6000 MAUs within 2 years should be supported and cost-effective.
Support
The level of support provided by the vendor, including technical support, updates, training, and documentation, is crucial.
Flexibility
The solution should be able to adapt to future changes in technology, business requirements, and regulatory environment.
| Overview | Continue with custom Salesforce SAML authentication and authorisation |
|---|---|
| Benefits | Minimal changes in the immediate term; existing SAML login process built and in production |
| Disadvantages | Logins use a Salesforce Community License; limit on free tier |
| Risks | Custom development required to build identity management features that exist in 3rd-party solutions; cost to manage features in-house for user authentication and authorisation exceeds outsourcing to a vendor product |
- AWS Cognito (https://aws.amazon.com/cognito/)
- Auth0
- FusionAuth
- Keycloak
- Kinde
| | AWS Cognito | Auth0 | FusionAuth | Keycloak | Kinde |
|---|---|---|---|---|---|
| Meets Requirements | 80% | 85% | 83% | 73% | 80% |
| Deployment | Cloud-based | Cloud-based | Self-hosted or cloud-based | Self-hosted | Cloud-based |
| Pricing | Pay-as-you-go | Pay-as-you-go | Freemium, starter and enterprise plans | Free for development and testing | Free for up to 10,000 active users |
| Features | Basic IAM features, including user authentication, authorization, and social login | Wide range of IAM features, including single sign-on (SSO), multi-factor authentication (MFA), and user provisioning | Wide range of IAM features, including SSO, MFA, user provisioning, and advanced customization options | Basic IAM features, including user authentication, authorization, and social login | Wide range of IAM features, including SSO, MFA, user provisioning, and feature management |
| Security | Robust security features, including data encryption and access control | Robust security features, including data encryption, access control, and regular security audits | Robust security features, including data encryption, access control, and open-source code for transparency | Robust security features, including data encryption, access control, and regular security updates | Robust security features, including data encryption, access control, and penetration testing |
| Scalability | Highly scalable to support businesses of all sizes | Highly scalable to support businesses of all sizes | Highly scalable to support businesses of all sizes | Highly scalable to support businesses of all sizes | Highly scalable to support businesses of all sizes |
| Ease of use | Easy to use with a user-friendly interface | Easy to use with a user-friendly interface | Easy to use with a user-friendly interface | Can be more complex to configure than other options | Easy to use with a user-friendly interface |
| Pricing - Free Tier | Up to 50,000 MAUs | Up to 7,500 MAUs | Self-hosted: unlimited; SaaS costs $38 per month hosting with Community Plan | Self-hosted: unlimited | Up to 7,500 MAUs |
| Recommended Monthly Pricing | Free | $1,085 | $400 | Free (hosting ~ $300) | $283 |
| Open Source | No | No | No | Yes | No |
| Uptime SLA | 99.90% | 99.99% | 99.95% | 99.90% | 99.99% |
| Time to deploy full solution | 4-5 weeks | 2-3 weeks | 2-3 weeks | 5-6 weeks | 2-3 weeks |
| Annual Maintenance Effort | Small | Small | Medium | Large | Small |
Recommendation: FusionAuth
Several solutions in the marketplace that offer Customer Identity and Access Management features were checked for fit against the business goals and for functional and technical fit, which resulted in 5 being shortlisted.
These were then compared on complexity, cost and time to deliver, resulting in the final decision.
FusionAuth Starter Plan on Business Hosting
Plan is offered via the AWS Marketplace and is accessible from the website: https://fusionauth.io/download
Name: FusionAuth Starter Plan on Business Hosting
Monthly Cost: $400
Annual Cost: $4,560
Estimated setup and config time: 2-3 weeks
The Starter plan includes premium auth features including advanced MFA, single sign-on, passwordless and social login, LDAP connectors, application theming, breached password detection, machine-to-machine authentication, and more.
On the Starter plan, support is provided through the community, including forums, Slack, and GitHub. The Starter plan allows up to 10,000 monthly active users.
The service runs on a dedicated EC2 instance. This is a single server with 3 days of backups. A single domain can be configured.