customer engagement starts with single sign-on · journey by providing single-sign on (sso). single...
TRANSCRIPT
E-BOOK
(BUT IT DOESN’T END THERE)
CUSTOMER ENGAGEMENT STARTS WITH
SINGLE SIGN-ON
TABLE OFCONTENTS
EXCEED EXPECTATIONS WITH CUSTOMER SSO
SSO IS WINNING THE CUSTOMER EXPERIENCE BATTLE
TODAY’S STANDARDS & WHY THEY MATTER
SSO AND YOUR MOBILE CUSTOMERS
STEP-UP AUTHENTICATION
CIAM SOLUTIONS GO BEYOND SSO
05
07
10
12
15
17
ANSWERING HIGH EXPECTATIONS WITH CUSTOMER SSO
03
ANSWERING HIGH EXPECTATIONS WITH
CUSTOMER SSO
ANSWERING HIGH EXPECTATIONS WITH CUSTOMER SSO
E-BOOK 4
CUSTOMER EXPECTATIONS ARE HIGHER THAN THEY’VE EVER BEEN. This is true not only as it relates to the quality and relevance of products and services, but also
for the quality and relevance of your customers’ experience with your brand. They expect secure,
seamless and consistent interactions, regardless of the channel or application they’re using.
Authentication is an easy place to fall short, since your customers have to sign on and authenticate
every time they interact with your digital properties. If a customer has to create and remember
multiple login credentials to access the various channels, applications or services you offer, they’ll
quickly get frustrated.
Many companies begin their customer identity and access management (customer IAM or CIAM)
journey by providing single-sign on (SSO). Single sign-on is a great first step and critical to making
your customers’ authentication experience as convenient as possible. But SSO is just one small
piece of the puzzle.
Your enterprise will likely outgrow the need to only provide SSO to in-house applications. As you
integrate with more and more internal and third-party apps, you’ll quickly find that managing
access on your own is no longer realistic and hinders your speed to market.
Implementing a federated SSO solution allows you to accelerate new offerings, while also
delivering consistent and secure experiences to your customers. The Ping Identity Platform
does this and more with its standards-based, customer IAM platform.
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON
EXCEED EXPECTATIONS WITH
CUSTOMER SSO
FASTER TIME TO MARKET FOLLOWING M&A ACTIVITYMany Ping Identity customers mention the ability to more quickly deploy revenue-
generating applications following mergers and acquisitions. One customer says:
Several customers called out the ability to quickly integrate and then white-
label applications with revenue impact as a notable benefit of the Ping Identity
Platform. For example, an enterprise can align with a business partner to offer
services under a revenue-sharing arrangement, while maintaining its branding
on the product.
SSO DRIVES CUSTOMER EXPERIENCE & REVENUEEliminating the need for repeated user sign-ons is one of the top reasons to implement
a customer IAM platform. SSO increases user satisfaction and enhances security
by eliminating password sprawl. It can also have a direct impact on improving the
customer experience and driving revenue, according to Ping Identity Platform users.
INCREMENTAL REVENUE FROM IMPROVED CUSTOMER ENROLLMENT RATESThe Ping Identity Platform offers federated SSO, as well as many other customer-
specific identity management capabilities. Leading enterprises praise its ability
to enable more seamless enrollment into customer-facing applications. One Ping
customer explains:
Other customers noted that integrating customer enrollment applications enabled them
to decrease their sales cycle.
EXCEED EXPECTATIONS WITH CUSTOMER SSO
E-BOOK 6
“We’re a diversified company and have certain applications
for which it would be unacceptable for the customer to fill out
their information every time they wanted to initiate access to
a specific product or service. We couldn’t make our customers
re-enter that information every time. With Ping, we’ve been
able to quickly integrate applications.”
“If we have an application serviced by an external
third party, we can integrate the application using
Ping, so the customer never knows that there’s a third
party involved, and the interface has the look and feel
consistent with the rest of our website. This would be
extremely challenging to do in-house on our own.”
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON
SSO IS WINNING THE CUSTOMER
EXPERIENCE BATTLE
SSO IS WINNING THE CUSTOMER EXPERIENCE BATTLE
E-BOOK 8
In this age when customer experience is king, customer IAM is critical. If your customers
can’t easily register, sign on for services or conduct transactions, then it really doesn’t matter
how your website, mobile app, services or support channels are built. And if your customers
aren’t satisfied with their interactions with your brand across channels, they can and will
move on to your competition.
If there’s one thing customers hate it’s managing passwords. The fatigue of trying to
remember dozens of login credentials can lead customers to write passwords down, reuse
passwords across multiple sites and take part in other insecure practices. Aside from this
all-too-common reality, relying on passwords alone can also increase your abandonment
rates, leading to lost revenue. There’s a real possibility your customers may not complete
transactions if they can’t remember their login password. Or they may not register at all if
they don’t want to create yet another password they’ll have to remember.
This is where federated SSO really shines. It plays a critical role in delivering a seamless
authentication experience across all of your digital properties. It can even include features
like social login that allow your customers to leverage their credentials from sites like
Facebook and Google. Providing these capabilities for your customers speaks volumes.
It says you want to make things simple, convenient and secure. That makes for happy
customers.
On the other hand, not investing in customer IAM and federated SSO can jeopardize your
relationship with your customers. Their tolerance for clunky, disjointed experiences is
dwindling as more and more companies—including your competitors—are providing the
seamless experiences customers expect. By not providing federated SSO, you may be
sending the unintended message that the customer experience isn’t important to you and
unwittingly aiding those same competitors.
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON
SSO IS WINNING THE CUSTOMER EXPERIENCE BATTLE
E-BOOK 9
BASIC SSOCommonly known as password replay, basic SSO is based on two concepts. The first is
password vaulting. This is the storage of the user’s password in a directory or password
vault, that’s usually cloud-based. It’s risky, because if that vault is ever compromised, all
of the passwords become vulnerable, even if they’re encrypted.
The second concept is password replay, where passwords are retrieved from the vault
and replayed to the web application. While convenient, this approach isn’t as secure as
federated SSO. Keeping the passwords synchronized across all of the applications can
be problematic and expensive, particularly when manual password resets are involved.
Plus, the practice of password reuse is still possible, presenting additional security risk.
FEDERATED SSOFederation is the ability for a user to authenticate (or prove they are who they say they are) just
once, and then use that authenticated session to access all of the applications they’re authorized to
use. For federation to work, a trust relationship between an organization and an external third party,
such as an application vendor or partner, must be established through standard protocols.
This method has one critical advantage over password replay. Rather than storing and forwarding
many usernames and passwords, federated SSO replaces passwords with signed assertions or
tokens. Using identity standards, like Security Assertion Markup Language (SAML), OAuth, OpenID
Connect and SCIM, federation allows for the secure transmission of user access and provisioning
information. This safeguards web and mobile applications, as well as the APIs that support them.
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON
TODAY’S STANDARDS AND
WHY THEY MATTER
TODAY’S STANDARDS & WHY THEY MATTER
Identity federation standards are an essential part of implementing scalable and secure
federated identity across an organization. Not only do they reduce the integration efforts
between multiple organizations when sharing applications and data, but they also bring
security to any device, browser or client that’s accessing information from applications. For
this reason, embracing standards is also key to reducing time-to-market for new applications.
Each standard uses a different approach to sharing and managing customer identity data,
scopes, credentials and more. So your CIAM solution should provide support for multiple
standards, including:
SCIMThe System for Cross-domain Identity Management was developed in 2011, using
modern protocols like REST and JSON in order to reduce complexity and provide a more
straightforward approach to user management. The adoption of SCIM allows easier, more
powerful and standardized communication between identity data stores.
E-BOOK 11
SAML
SAML is an open XML standard for exchanging authentication and authorization of
data between an identity provider and a service provider. It enables federation so that
organizations can safely share identity information across domains.
OAUTH 2.0
OAuth 2.0 is the industry-leading standard for enabling access to APIs. Simply put, it’s a
standard framework that allows an application to securely access resources on behalf of the
user without requiring their password. This open authorization also lets the user understand
what kinds of access and information the application is requesting, and then provide consent.
OPENID CONNECT
OpenID Connect adds an identity layer to OAuth 2.0 and simplifies existing federation
specifications. It enables identity federation, as well as delegated authorization, and it
includes other features and mechanisms that enhance dynamic interoperability.
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON
SSO AND YOUR MOBILE CUSTOMERS
SSO AND YOUR MOBILE CUSTOMERS
E-BOOK 13
When addressing customer experience, you must consider the
mobile experience, too. Customers expect to do more and more
with their mobile devices—including making purchases and
other revenue-generating activities. They don’t want to fuss with
remembering passwords and won’t tolerate clunky login procedures.
And regardless of how many separate development teams it took
you to develop your mobile app and other digital properties, your
customers expect their authentication experiences to be consistent
across all of them.
To be relevant in a mobile channel requires speed. People
immediately reach for their phones when they want something and
expect immediate gratification. If you provide a fluid, seamless and
secure user experience with SSO, customer engagement is yours
for the taking. But if your mobile authentication experience is poor
or different from that of your other channels, your customers won’t
stick around. It’s that simple.
High-profile retailers, like Wawa, Starbucks and Chick-fil-A, say that
the SSO capability in their customer IAM solutions is critical to
providing a good mobile experience and driving increased customer
engagement. These leaders are paving the way with best practices
for SSO mobility.
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON
WORLDWIDE MOBILE APP REVENUES IN 2015, 2016 AND 2020 (IN BILLION U.S. DOLLARS)
Source: Statista
SSO AND YOUR MOBILE CUSTOMERS
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ONE-BOOK 14
WAWA: A (MOBILE) CUSTOMER SSO SUCCESS
Wawa is a 100-year-old, $9.3 billion convenience store retailer on the East Coast who
decided to meet its customers where they are—on the road in search of gasoline and
snacks. Eric Barnes, Wawa’s applications manager, says that customers had been
asking for a loyalty program and a more convenient way to pay for purchases.
A mobile app was just the ticket, but it had to be easy to use.
Before they launched their mobile app, Wawa had primarily one-sided communication
with its customers. As a top convenience retailer, Wawa worked hard to ensure that
convenience translated to its mobile application; multiple sign-ons were not an option.
While the initial rollout goal was 350,000 users, the end goal is 2 million fully engaged
mobile customers.
“We needed to make sure there was a simple authentication method, basically some
sort of user ID and password, with [federated] tokens, so users don’t have to always
sign on to the app,” says Barnes. “For example, if a user just wants to jump on to
find a store location, no sign-on is necessary. But if they want to add a credit card or
change information in their profile, there’s a secure yet seamless method for that. As
consumers use all the different features, they are constantly authenticated back within
the application.”
The user has one set of credentials and signs on to the app just once. But on the
back end, the CIAM solution manages multiple credentials, including those from third
parties, like Wawa’s loyalty program provider.
“We have ease of use, single sign-on for the front end of the customer. And it’s very
fast in responding,” says Barnes. “For Wawa, customer SSO is the very foundation of
an engaging mobile experience.”
“We have a very strong customer following. With mobile engagement, we wanted to interact with customers on a more personal level and give them more capabilities, including the ability to check gas prices and find the nearest Wawa.”- ERIC BARNES, Wawa Application Manager
STEP-UP AUTHENTICATION
STEP-UP AUTHENTICATION
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ONE-BOOK 16
STEP-UP AUTHENTICATION BALANCES SECURITY WITH CONVENIENCE Multi-factor authentication (MFA) and federated SSO go hand-in-hand in delivering an
optimal user experience. To provide the simplest experience with the least amount of
friction, many leading digital businesses utilize social login or require a username and
password as a first means of authentication. This is a great entry point for access to low-
risk applications, services and activities.
As the customer moves along their journey, adaptive authentication offers a way to
evaluate the risk associated with additional interactions and step up authentication only
when needed. Adaptive authentication uses data points—like IP addresses, geolocation,
transaction details, risk-based authentication (RBA) and other behavior patterns—to
determine the level of risk. Then, it matches that level of risk to the level of assurance
attained during authentication. A username and password may have a low level of
assurance, while MFA may yield a higher level of assurance.
For example, if a customer signs on to an investment application to simply browse public
stock information, their credentials alone may be enough to get them access. However, if
they attempt to sell or purchase stock, that riskier transaction can trigger a requirement
for MFA to attain a higher level of assurance about the user’s identity. If they then try to
sell another stock a few minutes later and from the same device, MFA likely won’t be
required because that higher level of assurance will still exist. This is just one example, but
it illustrates how adaptive authentication allows you to selectively step-up authentication
using a risk-based approach.
Selecting what MFA method/s to offer is an important decision. For customers, standard
MFA simply won’t work. Customers aren’t willing to download a third-party MFA application.
Furthermore, authenticating via SMS has been deemed insecure by the National
Institute of Standards and Technology (NIST), as SMS messages can easily be
intercepted by hackers.
When providing MFA for customers, it’s most desirable to offer a solution embedded
into your own mobile application. This is not only secure and on brand, but it also adds
value to your mobile app by turning it into a secure additional factor. Going a step
further and using contextual, adaptive authentication with multi-factor authentication
helps to mitigate risk without inconveniencing customers, providing the optimal
balance between security and customer experience.
CIAM SOLUTIONS GO BEYOND SSO
CIAM SOLUTIONS GO BEYOND SSO
Ping Identity envisions a digital world powered by identity. As the identity security company, we simplify how the world’s largest organizations prevent security breaches, increase employee and partner productivity and provide personalized customer experiences. Enterprises choose Ping for our identity expertise, open standards leadership, partnership with companies like Microsoft, Amazon and Google, and collaboration with customers like Boeing, Cisco, Disney, GE, Kraft Foods, Walgreens and over half of the Fortune 100. Visit pingidentity.com.
#3005 | 08.17 | v01
CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ONE-BOOK 18
As crucial as SSO is to your customer experience, it’s only the first step. Your customer expectations for a secure and
seamless experience extend well beyond their initial sign on.
If your customers update a preference or detail on one channel, they expect it to apply or be accessible to any other
channel. You accomplish this through a unified customer profile. Purpose-built customer IAM solutions can work
with your enterprise’s existing infrastructure to help you create a secure, scalable unified profile through bidirectional
synchronizations and migrations of your existing customer data.
Your customer data also needs to be secured from authentication to the data layer. You must provide a convenient and
secure MFA solution for customers that doesn’t require them to download a third-party app, because they usually won’t.
You must also secure access to resources, encrypting customer data end to end and providing other security capabilities
to protect your customer data and prevent breaches.
Aside from allowing you to deliver an exceptional customer experience, CIAM facilitates your ability to meet the
requirements of increasingly diverse privacy regulations. A modern solution will provide attribute-by-attribute data access
governance, enforcing customer consent and giving customers control over and insight into who their data is being
shared with. It will also be flexible to address the scale and performance requirements needed to support thousands or
millions of users, while providing the flexibility to support changing and unpredictable user behaviors.
All of these customer IAM capabilities are critical for today’s customer-facing enterprises and can help ensure your
competitive advantage for years to come. To learn more about CIAM solutions, read our Ultimate Guide to Customer IAM.