Why externalising identity management?

To protect a user’s privacy, digital services (a website or app) may externalise the identity of their users to a CIAM (consumer identity & access management platform), which maintains each user’s identity in its own secure repository.

By taking “identity” out of webservers and e-commerce platforms, privacy-sensitive data and passwords are only present and managed within the CIAM.

In order to prepare access and authorisation decisions, a CIAM not only maintains general characteristics (core-identifiers) but also characteristics in relation to the enterprise (relationship-identifiers). While core-identifiers may include gender and birthdate, relationship-identifiers are unique for the enterprise and include claims such as “I’ve paid for this subscription,” “I’m a certified veterinarian,” “I’m a customer-breeder.”

In the words of Gartner’s Homan Farahmand: “Enterprises need to view core-identifiers and relationship-identifiers as two distinct constructs. Core-identifiers can be federated, but each enterprise has to manage its own relationship-identifiers for each person to address other identity governance and access management requirements.”

A CIAM enables a user’s claim to be verified against an authoritative source, such as a national register or the enterprise’s CRM. After this so-called “identity proofing,” the status of the claim is updated from “pending” to “confirmed” or “rejected.” Only confirmed claims are then used for access and authorisation, as described below.

OIDC 1.0 standardises the representation of identity in JWT tokens. In combination with ISO 29115:2013, it further standardises how the level of authentication is passed on by a CIAM in the form of “level of identity assurance.”
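The following is an added example, not code from the original post or from any particular CIAM product. It puts the two preceding ideas into working code: relationship-claims that move from pending to confirmed or rejected after proofing against an authoritative source (here a constructed in-memory stand-in for the CRM), and a relying party that verifies an OIDC-style ID token and takes an access decision only when the token's `acr` (level of assurance) is high enough and the required claim is confirmed. The token is signed with HS256 under a constructed shared secret, the `relationship_claims` claim name and the numeric `acr` values ("1".."4", read as ISO/IEC 29115 levels) are assumptions about the deployment; a real deployment would verify RS256/ES256 signatures against the provider's published keys.

```python
"""Added example: claim proofing in a CIAM plus an acr-aware relying party (stdlib only)."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: HS256 key shared CIAM <-> RP
AUDIENCE = "shop-app"                                     # assumption: the relying party's client id

# Constructed stand-in for an authoritative source (e.g. the enterprise CRM).
AUTHORITATIVE_SOURCE = {
    ("alice", "subscription_paid"): True,
    ("alice", "certified_veterinarian"): False,
}


class ClaimStore:
    """Relationship-identifiers held by the CIAM, keyed by (subject, claim)."""

    def __init__(self):
        self.claims = {}  # (subject, claim) -> "pending" | "confirmed" | "rejected"

    def assert_claim(self, subject, claim):
        self.claims[(subject, claim)] = "pending"

    def proof(self, subject, claim):
        """Identity proofing: check the pending claim against the authoritative source."""
        verified = AUTHORITATIVE_SOURCE.get((subject, claim), False)
        self.claims[(subject, claim)] = "confirmed" if verified else "rejected"
        return self.claims[(subject, claim)]

    def confirmed(self, subject):
        return sorted(c for (s, c), st in self.claims.items() if s == subject and st == "confirmed")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(subject, acr, claims, secret=SHARED_SECRET, now=None):
    """CIAM side: mint a compact JWS (HS256) carrying sub, acr and the confirmed claims only."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://ciam.example", "sub": subject, "aud": AUDIENCE,
               "iat": now, "exp": now + 300, "acr": acr, "relationship_claims": claims}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def verify_id_token(token, secret=SHARED_SECRET, now=None):
    """Relying-party side: return the payload if signature, alg, audience and expiry hold, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s)):
            return None                      # signature mismatch: token tampered or forged
        if json.loads(_unb64(h)).get("alg") != "HS256":
            return None                      # refuse alg=none / algorithm confusion
        payload = json.loads(_unb64(p))
    except ValueError:                       # covers bad base64, bad JSON, wrong segment count
        return None
    now = int(now if now is not None else time.time())
    if payload.get("aud") != AUDIENCE or payload.get("exp", 0) <= now:
        return None
    return payload


def authorise(payload, required_claim, min_loa):
    """Access decision: minimum level of assurance AND the claim confirmed by the CIAM."""
    if payload is None:
        return False
    try:
        loa = int(payload.get("acr", "0"))   # assumption: numeric ISO/IEC 29115 level
    except ValueError:
        return False
    return loa >= min_loa and required_claim in payload.get("relationship_claims", [])


def demo(now=1_700_000_000):
    store = ClaimStore()
    for claim in ("subscription_paid", "certified_veterinarian"):
        store.assert_claim("alice", claim)
        store.proof("alice", claim)
    strong = issue_id_token("alice", "2", store.confirmed("alice"), now=now)
    weak = issue_id_token("alice", "1", store.confirmed("alice"), now=now)
    h, p, s = strong.split(".")
    tampered = ".".join((h, p[:-1] + ("A" if p[-1] != "A" else "B"), s))
    return {
        "statuses": dict(store.claims),
        "subscriber_ok": authorise(verify_id_token(strong, now=now), "subscription_paid", 2),
        "vet_ok": authorise(verify_id_token(strong, now=now), "certified_veterinarian", 2),
        "weak_login_ok": authorise(verify_id_token(weak, now=now), "subscription_paid", 2),
        "tampered_ok": authorise(verify_id_token(tampered, now=now), "subscription_paid", 2),
        "expired_ok": authorise(verify_id_token(strong, now=now + 600), "subscription_paid", 2),
    }


if __name__ == "__main__":
    print(json.dumps({k: (v if k != "statuses" else {f"{s}:{c}": st for (s, c), st in v.items()})
                      for k, v in demo().items()}, indent=2))
```

The relying party never stores the veterinarian or subscription facts itself; it only trusts what the CIAM confirmed and signed, and the `acr` check lets it demand a stronger login for the subscription-gated resource than for browsing.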

Conclusion: externalising identity management yields significant advantages relative to privacy, identity assurance and identity proofing.

Note that OAuth 2.0 (see my post here) allows access control to be anonymous. OAuth 2.0 allows the use of anonymous access tokens that only bear the authorisation to access a resource and do something with it. This way, identity clearly no longer needs to be close to your application and can best be externalised.
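As an added example (not code from the original post), the anonymous-token point above in working form: an authorisation server issues opaque bearer tokens that map only to a scope and an expiry, and a resource server answers requests by introspecting the token (an in-process stand-in for an RFC 7662 introspection call) and enforcing scope. The `reports:read`/`reports:write` scopes, the server names and the in-memory token table are constructed; the point to observe is that no identity attribute exists anywhere the resource server can see.

```python
"""Added example: OAuth 2.0-style opaque access tokens that carry authorisation only."""
import secrets
import time


class AuthorizationServer:
    """Issues opaque bearer tokens; the server-side table, not the string, holds their meaning."""

    def __init__(self):
        self._tokens = {}  # token -> {"scope": set[str], "exp": int}; no user identity stored here

    def issue(self, scope, ttl=300, now=None):
        now = int(now if now is not None else time.time())
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable, meaningless by itself
        self._tokens[token] = {"scope": set(scope.split()), "exp": now + ttl}
        return token

    def introspect(self, token, now=None):
        """RFC 7662-style response: active flag plus scope and expiry, nothing about a person."""
        now = int(now if now is not None else time.time())
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= now:
            return {"active": False}
        return {"active": True, "scope": " ".join(sorted(rec["scope"])), "exp": rec["exp"]}


class ResourceServer:
    """Protects a resource using only what introspection returns."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def handle(self, authorization_header, required_scope, now=None):
        """Return (status, body): 401 without a usable token, 403 without the scope."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401, {"error": "invalid_token"}
        info = self.auth_server.introspect(authorization_header[len("Bearer "):], now=now)
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if required_scope not in info["scope"].split():
            return 403, {"error": "insufficient_scope", "required": required_scope}
        return 200, {"report": "quarterly-figures.pdf"}  # served without knowing who asked


def demo(now=1_700_000_000):
    az = AuthorizationServer()
    rs = ResourceServer(az)
    read_token = az.issue("reports:read", now=now)
    return {
        "read": rs.handle(f"Bearer {read_token}", "reports:read", now=now)[0],
        "write": rs.handle(f"Bearer {read_token}", "reports:write", now=now)[0],
        "missing": rs.handle(None, "reports:read", now=now)[0],
        "expired": rs.handle(f"Bearer {read_token}", "reports:read", now=now + 600)[0],
        "forged": rs.handle("Bearer " + secrets.token_urlsafe(32), "reports:read", now=now)[0],
        "identity_exposed": "sub" in az.introspect(read_token, now=now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```

Because the token string is random rather than a signed claim set, leaking it reveals nothing about the user, and revoking it is a single table delete; the trade-off is that every resource server must call back to the authorisation server, which a JWT access token avoids at the cost of carrying claims.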
