
Post on 18-Aug-2020


E-BOOK

CUSTOMER ENGAGEMENT STARTS WITH SINGLE SIGN-ON (BUT IT DOESN’T END THERE)

TABLE OF CONTENTS

ANSWERING HIGH EXPECTATIONS WITH CUSTOMER SSO

EXCEED EXPECTATIONS WITH CUSTOMER SSO

SSO IS WINNING THE CUSTOMER EXPERIENCE BATTLE

TODAY’S STANDARDS & WHY THEY MATTER

SSO AND YOUR MOBILE CUSTOMERS

STEP-UP AUTHENTICATION

CIAM SOLUTIONS GO BEYOND SSO

ANSWERING HIGH EXPECTATIONS WITH CUSTOMER SSO

CUSTOMER EXPECTATIONS ARE HIGHER THAN THEY’VE EVER BEEN. This is true not only as it relates to the quality and relevance of products and services, but also for the quality and relevance of your customers’ experience with your brand. They expect secure, seamless and consistent interactions, regardless of the channel or application they’re using.

Authentication is an easy place to fall short, since your customers have to sign on and authenticate every time they interact with your digital properties. If a customer has to create and remember multiple login credentials to access the various channels, applications or services you offer, they’ll quickly get frustrated.

Many companies begin their customer identity and access management (customer IAM or CIAM) journey by providing single sign-on (SSO). Single sign-on is a great first step and critical to making your customers’ authentication experience as convenient as possible. But SSO is just one small piece of the puzzle.

Your enterprise will likely outgrow the need to only provide SSO to in-house applications. As you integrate with more and more internal and third-party apps, you’ll quickly find that managing access on your own is no longer realistic and hinders your speed to market.

Implementing a federated SSO solution allows you to accelerate new offerings, while also delivering consistent and secure experiences to your customers. The Ping Identity Platform does this and more with its standards-based, customer IAM platform.

EXCEED EXPECTATIONS WITH CUSTOMER SSO

FASTER TIME TO MARKET FOLLOWING M&A ACTIVITY

Many Ping Identity customers mention the ability to more quickly deploy revenue-generating applications following mergers and acquisitions. One customer says:

Several customers called out the ability to quickly integrate and then white-label applications with revenue impact as a notable benefit of the Ping Identity Platform. For example, an enterprise can align with a business partner to offer services under a revenue-sharing arrangement, while maintaining its branding on the product.

SSO DRIVES CUSTOMER EXPERIENCE & REVENUE

Eliminating the need for repeated user sign-ons is one of the top reasons to implement a customer IAM platform. SSO increases user satisfaction and enhances security by eliminating password sprawl. It can also have a direct impact on improving the customer experience and driving revenue, according to Ping Identity Platform users.

INCREMENTAL REVENUE FROM IMPROVED CUSTOMER ENROLLMENT RATES

The Ping Identity Platform offers federated SSO, as well as many other customer-specific identity management capabilities. Leading enterprises praise its ability to enable more seamless enrollment into customer-facing applications. One Ping customer explains:

Other customers noted that integrating customer enrollment applications enabled them to decrease their sales cycle.


“We’re a diversified company and have certain applications for which it would be unacceptable for the customer to fill out their information every time they wanted to initiate access to a specific product or service. We couldn’t make our customers re-enter that information every time. With Ping, we’ve been able to quickly integrate applications.”

“If we have an application serviced by an external third party, we can integrate the application using Ping, so the customer never knows that there’s a third party involved, and the interface has the look and feel consistent with the rest of our website. This would be extremely challenging to do in-house on our own.”

SSO IS WINNING THE CUSTOMER EXPERIENCE BATTLE

In this age when customer experience is king, customer IAM is critical. If your customers can’t easily register, sign on for services or conduct transactions, then it really doesn’t matter how your website, mobile app, services or support channels are built. And if your customers aren’t satisfied with their interactions with your brand across channels, they can and will move on to your competition.

If there’s one thing customers hate it’s managing passwords. The fatigue of trying to remember dozens of login credentials can lead customers to write passwords down, reuse passwords across multiple sites and take part in other insecure practices. Aside from this all-too-common reality, relying on passwords alone can also increase your abandonment rates, leading to lost revenue. There’s a real possibility your customers may not complete transactions if they can’t remember their login password. Or they may not register at all if they don’t want to create yet another password they’ll have to remember.

This is where federated SSO really shines. It plays a critical role in delivering a seamless authentication experience across all of your digital properties. It can even include features like social login that allow your customers to leverage their credentials from sites like Facebook and Google. Providing these capabilities for your customers speaks volumes. It says you want to make things simple, convenient and secure. That makes for happy customers.

On the other hand, not investing in customer IAM and federated SSO can jeopardize your relationship with your customers. Their tolerance for clunky, disjointed experiences is dwindling as more and more companies—including your competitors—are providing the seamless experiences customers expect. By not providing federated SSO, you may be sending the unintended message that the customer experience isn’t important to you and unwittingly aiding those same competitors.


BASIC SSO

Commonly known as password replay, basic SSO is based on two concepts. The first is password vaulting. This is the storage of the user’s password in a directory or password vault that’s usually cloud-based. It’s risky, because if that vault is ever compromised, all of the passwords become vulnerable, even if they’re encrypted.

The second concept is password replay, where passwords are retrieved from the vault and replayed to the web application. While convenient, this approach isn’t as secure as federated SSO. Keeping the passwords synchronized across all of the applications can be problematic and expensive, particularly when manual password resets are involved. Plus, the practice of password reuse is still possible, presenting additional security risk.

FEDERATED SSO

Federation is the ability for a user to authenticate (or prove they are who they say they are) just once, and then use that authenticated session to access all of the applications they’re authorized to use. For federation to work, a trust relationship between an organization and an external third party, such as an application vendor or partner, must be established through standard protocols.

This method has one critical advantage over password replay. Rather than storing and forwarding many usernames and passwords, federated SSO replaces passwords with signed assertions or tokens. Using identity standards, like Security Assertion Markup Language (SAML), OAuth, OpenID Connect and SCIM, federation allows for the secure transmission of user access and provisioning information. This safeguards web and mobile applications, as well as the APIs that support them.

TODAY’S STANDARDS & WHY THEY MATTER

Identity federation standards are an essential part of implementing scalable and secure federated identity across an organization. Not only do they reduce the integration efforts between multiple organizations when sharing applications and data, but they also bring security to any device, browser or client that’s accessing information from applications. For this reason, embracing standards is also key to reducing time-to-market for new applications.

Each standard uses a different approach to sharing and managing customer identity data, scopes, credentials and more. So your CIAM solution should provide support for multiple standards, including:

SCIM

The System for Cross-domain Identity Management was developed in 2011, using modern protocols like REST and JSON in order to reduce complexity and provide a more straightforward approach to user management. The adoption of SCIM allows easier, more powerful and standardized communication between identity data stores.

SAML

SAML is an open XML standard for exchanging authentication and authorization data between an identity provider and a service provider. It enables federation so that organizations can safely share identity information across domains.

OAUTH 2.0

OAuth 2.0 is the industry-leading standard for enabling access to APIs. Simply put, it’s a standard framework that allows an application to securely access resources on behalf of the user without requiring their password. This open authorization also lets the user understand what kinds of access and information the application is requesting, and then provide consent.

OPENID CONNECT

OpenID Connect adds an identity layer to OAuth 2.0 and simplifies existing federation specifications. It enables identity federation, as well as delegated authorization, and it includes other features and mechanisms that enhance dynamic interoperability.

SSO AND YOUR MOBILE CUSTOMERS

When addressing customer experience, you must consider the mobile experience, too. Customers expect to do more and more with their mobile devices—including making purchases and other revenue-generating activities. They don’t want to fuss with remembering passwords and won’t tolerate clunky login procedures. And regardless of how many separate development teams it took you to develop your mobile app and other digital properties, your customers expect their authentication experiences to be consistent across all of them.

To be relevant in a mobile channel requires speed. People immediately reach for their phones when they want something and expect immediate gratification. If you provide a fluid, seamless and secure user experience with SSO, customer engagement is yours for the taking. But if your mobile authentication experience is poor or different from that of your other channels, your customers won’t stick around. It’s that simple.

High-profile retailers, like Wawa, Starbucks and Chick-fil-A, say that the SSO capability in their customer IAM solutions is critical to providing a good mobile experience and driving increased customer engagement. These leaders are paving the way with best practices for SSO mobility.

[Figure: Worldwide mobile app revenues in 2015, 2016 and 2020 (in billion U.S. dollars). Source: Statista]

WAWA: A (MOBILE) CUSTOMER SSO SUCCESS

Wawa is a 100-year-old, $9.3 billion convenience store retailer on the East Coast that decided to meet its customers where they are—on the road in search of gasoline and snacks. Eric Barnes, Wawa’s applications manager, says that customers had been asking for a loyalty program and a more convenient way to pay for purchases. A mobile app was just the ticket, but it had to be easy to use.

Before they launched their mobile app, Wawa had primarily one-sided communication with its customers. As a top convenience retailer, Wawa worked hard to ensure that convenience translated to its mobile application; multiple sign-ons were not an option. While the initial rollout goal was 350,000 users, the end goal is 2 million fully engaged mobile customers.

“We needed to make sure there was a simple authentication method, basically some sort of user ID and password, with [federated] tokens, so users don’t have to always sign on to the app,” says Barnes. “For example, if a user just wants to jump on to find a store location, no sign-on is necessary. But if they want to add a credit card or change information in their profile, there’s a secure yet seamless method for that. As consumers use all the different features, they are constantly authenticated back within the application.”

The user has one set of credentials and signs on to the app just once. But on the back end, the CIAM solution manages multiple credentials, including those from third parties, like Wawa’s loyalty program provider.

“We have ease of use, single sign-on for the front end of the customer. And it’s very fast in responding,” says Barnes. “For Wawa, customer SSO is the very foundation of an engaging mobile experience.”

“We have a very strong customer following. With mobile engagement, we wanted to interact with customers on a more personal level and give them more capabilities, including the ability to check gas prices and find the nearest Wawa.”
- ERIC BARNES, Wawa Application Manager

STEP-UP AUTHENTICATION

STEP-UP AUTHENTICATION BALANCES SECURITY WITH CONVENIENCE

Multi-factor authentication (MFA) and federated SSO go hand-in-hand in delivering an optimal user experience. To provide the simplest experience with the least amount of friction, many leading digital businesses utilize social login or require a username and password as a first means of authentication. This is a great entry point for access to low-risk applications, services and activities.

As the customer moves along their journey, adaptive authentication offers a way to evaluate the risk associated with additional interactions and step up authentication only when needed. Adaptive authentication uses data points—like IP addresses, geolocation, transaction details, risk-based authentication (RBA) and other behavior patterns—to determine the level of risk. Then, it matches that level of risk to the level of assurance attained during authentication. A username and password may have a low level of assurance, while MFA may yield a higher level of assurance.

For example, if a customer signs on to an investment application to simply browse public stock information, their credentials alone may be enough to get them access. However, if they attempt to sell or purchase stock, that riskier transaction can trigger a requirement for MFA to attain a higher level of assurance about the user’s identity. If they then try to sell another stock a few minutes later and from the same device, MFA likely won’t be required because that higher level of assurance will still exist. This is just one example, but it illustrates how adaptive authentication allows you to selectively step-up authentication using a risk-based approach.
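The investment-app scenario above, sketched as a step-up policy check. This is an added example, not code from the e-book or from any Ping product; the assurance scale, the 15-minute MFA lifetime, the action names and the device and country signals are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed assurance scale: 1 = password or social login, 2 = MFA completed.
PASSWORD, MFA = 1, 2
MFA_TTL = 15 * 60  # assumed lifetime (seconds) of MFA-level assurance

# Assumed baseline assurance per action in a hypothetical investment app.
REQUIRED = {"browse_quotes": PASSWORD, "buy_stock": MFA, "sell_stock": MFA}


@dataclass
class Session:
    user: str
    device_id: str                    # device used for the first-factor sign-on
    country: str                      # geolocation observed at sign-on
    mfa_at: Optional[float] = None    # time of the last verified MFA, if any
    mfa_device: Optional[str] = None  # device on which that MFA was completed


def current_assurance(s: Session, device_id: str, now: float) -> int:
    """MFA-level assurance counts only while fresh and on the same device."""
    fresh = s.mfa_at is not None and 0 <= now - s.mfa_at <= MFA_TTL
    return MFA if fresh and s.mfa_device == device_id else PASSWORD


def required_assurance(s: Session, action: str, device_id: str, country: str) -> int:
    """Baseline for the action, raised when the context no longer matches."""
    level = REQUIRED.get(action, MFA)  # unknown actions fail closed
    if device_id != s.device_id or country != s.country:
        level = MFA                    # device or location changed mid-session
    return level


def decide(s: Session, action: str, device_id: str, country: str, now: float) -> str:
    need = required_assurance(s, action, device_id, country)
    return "allow" if current_assurance(s, device_id, now) >= need else "step_up"


def record_mfa(s: Session, device_id: str, now: float) -> None:
    """Call only after the MFA challenge response has been verified."""
    s.mfa_at, s.mfa_device = now, device_id


def walkthrough() -> list:
    """Replays the scenario with constructed timestamps (seconds)."""
    s = Session("alice", "phone-1", "US")
    out = [decide(s, "browse_quotes", "phone-1", "US", 0)]    # credentials suffice
    out.append(decide(s, "sell_stock", "phone-1", "US", 60))  # riskier: step up
    record_mfa(s, "phone-1", 90)
    out.append(decide(s, "sell_stock", "phone-1", "US", 390))      # minutes later
    out.append(decide(s, "sell_stock", "phone-1", "US", 1290))     # assurance expired
    out.append(decide(s, "browse_quotes", "laptop-9", "US", 400))  # new device
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The elevated assurance is bound to both a time window and the device that completed MFA, so a session that reappears on another device is challenged again even for a low-risk action.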

Selecting which MFA method or methods to offer is an important decision. For customers, standard MFA simply won’t work. Customers aren’t willing to download a third-party MFA application. Furthermore, authenticating via SMS has been deemed insecure by the National Institute of Standards and Technology (NIST), as SMS messages can easily be intercepted by hackers.

When providing MFA for customers, it’s most desirable to offer a solution embedded into your own mobile application. This is not only secure and on brand, but it also adds value to your mobile app by turning it into a secure additional factor. Going a step further and using contextual, adaptive authentication with multi-factor authentication helps to mitigate risk without inconveniencing customers, providing the optimal balance between security and customer experience.

CIAM SOLUTIONS GO BEYOND SSO

As crucial as SSO is to your customer experience, it’s only the first step. Your customers’ expectations for a secure and seamless experience extend well beyond their initial sign-on.

If your customers update a preference or detail on one channel, they expect it to apply or be accessible to any other channel. You accomplish this through a unified customer profile. Purpose-built customer IAM solutions can work with your enterprise’s existing infrastructure to help you create a secure, scalable unified profile through bidirectional synchronizations and migrations of your existing customer data.

Your customer data also needs to be secured from authentication to the data layer. You must provide a convenient and secure MFA solution for customers that doesn’t require them to download a third-party app, because they usually won’t. You must also secure access to resources, encrypting customer data end to end and providing other security capabilities to protect your customer data and prevent breaches.

Aside from allowing you to deliver an exceptional customer experience, CIAM facilitates your ability to meet the requirements of increasingly diverse privacy regulations. A modern solution will provide attribute-by-attribute data access governance, enforcing customer consent and giving customers control over and insight into who their data is being shared with. It will also be flexible enough to address the scale and performance requirements needed to support thousands or millions of users, while providing the flexibility to support changing and unpredictable user behaviors.

All of these customer IAM capabilities are critical for today’s customer-facing enterprises and can help ensure your competitive advantage for years to come. To learn more about CIAM solutions, read our Ultimate Guide to Customer IAM.

Ping Identity envisions a digital world powered by identity. As the identity security company, we simplify how the world’s largest organizations prevent security breaches, increase employee and partner productivity and provide personalized customer experiences. Enterprises choose Ping for our identity expertise, open standards leadership, partnership with companies like Microsoft, Amazon and Google, and collaboration with customers like Boeing, Cisco, Disney, GE, Kraft Foods, Walgreens and over half of the Fortune 100. Visit pingidentity.com.

#3005 | 08.17 | v01