Access and Authentication

Modernizing your B2C Portal Security – Desired End State

Share this post:


As we have seen in part one of this series, managing customer identities for a portal can be a challenge and distraction for the business.  In this part of the series we will outline how a modernized solution for a portal security can simplify operations and free your team up to focus on the business at hand.

Shared Responsibility:

The new portal security would be based on a shared responsibility model with strict separation of risks and operational activities, relying on a discrete interaction model between the identity and authentication portal and the consumer business portal.

In this model the Cloud-based identity provider would be responsible for all of the following:

  • Securely store the credentials and related identity information
  • Scale in an elastic manner to provide virtually limitless user population growth
  • Scale operationally to support user activities on an ongoing basis and to support special peek loads
  • Future proof the portal by extending new capabilities on an ongoing basis
  • Allow for customer branding of the portal, making it an integral part of your virtual presence
  • Provide a frictionless experience for the end consumer managing their own identities
  • Provide the customer information to the business on a need to know basis
  • Ensuring secure access and identity guarantees to the backend
  • Provide a unique identifier for a customer to the backend

The actual customer business portal would simply consume a federated credential provided by the browser and generated by the identity provider.  This credential would contain the negotiated information ensuring the correctness and timeliness of the data.

With this approach a single user identity can become the key for multiple portals and offerings to the end customer.  Allowing for a frictionless and modern user experience while the enterprise can focus on providing the core business value to its customers.

The business portal would be using the unique identifier as the entry point and single connection to the end customers information stored in the identity provider portal. This separation of PII information from the business-related information reduces the regulatory requirements for the Line of Business operators and providers.

It would also be the business portals responsibility to take on specific actions related to a user accessing the portal such as:

  • First time access
  • Consent management
  • Collection of additional data to link a user to internal records, such as Medical Record Number, Customer Number, Subscriptions, etc.
  • Business Specific information

Architecture Model

The following diagram provides an architecture model describing such a portal implementation.

Customer Administration

With the Cloud based identity provider providing the storage and self-care, the task of administrating the clients from a help desk scenario would remain with the customer.  Such a help desk would operate and interact with the cloud storage using the cloud-based interfaces provided.  Access controls to this portal can be managed via the integration with an on-premise Enterprise Registry.  This ensures that access controls are enforced and can be demonstrated for audit and regulatory requirements.

Customer Lifecycle and Automation

In addition to all the available user interfaces provided by the Cloud based identity provider, an additional rich set of REST based API’s exist to enable the automation of any bulk operations or lifecycle operations that need to be performed on the end user population.  These interfaces can also be used to allow the customer portal access to the user information as needed


As we have described the desired end state, in our experience, we have seen many customers that cannot simply move from the existing portal implementation to a new model.  The next part of this series will show an approach on how to move an existing portal to this end state using an approach to limit the overall impact to the business team and customers and provide value rapidly.

Click here to rate this article

Rate this article :

Senior Architect, World Wide IAM Domain Leader

More Access and Authentication stories
By Gerard Boekhoud on July 24, 2019

IF001 for IGI now available

On July 19, 2019 we made  IF001 on top of IGI publicly available on FixCentral. This iFix include some strong performance improvements especially within the Access Certification module. Improvements are made in the following areas: a. Time to launch Campaign Summary Page (Especially in the event of a high number of campaigns). This improves by […]

Continue reading

By ADAM CASE on May 10, 2019

Getting started with IBM Verify

Getting started with IBM Security Verify for Multi-factor authentication With IBM Security Verify you have the ability to apply multi-factor authentication anywhere, using one authenticator. From Linux shell access to Windows remote desktop, even custom development with IBM Security Verify APIs, you can take full advantage of no infrastructure costs, third party subscriptions for voice, […]

Continue reading

By David Edwards on April 15, 2019

IGDM Part 3 – Implementing the Identity Governance Data Model

This blog is the third in a series of three looking at a proposed common Identity Governance Data Model (IGDM). This model attempts to address the needs of managing heterogeneous complex target system access models in an Identity Governance and Administration (IGA) environment. The proposed IGDM is designed to standardize identity management and governance data […]

Continue reading