Protect your applications and services with an identity provider service based on OpenID Connect with identity federations (B2B partners):
Your solution is a 'family' of services and applications in the B2B model. Your partners have their own identity providers: modern services like Entra ID, Okta, Auth0, and AWS Cognito.
Because the flow is based on OpenID Connect and identity federation with partners, we decided to protect our services with a JWT access token issued by our own identity provider service.
The easiest way to do this is to build a flow like the one in the picture below:
- the user is authenticated via the partner's identity provider (federation)
- all accounts are protected at the security level the organisation expects (MFA, Conditional Access, FIDO2, etc.)
- based on the organisation's ID token, we use the Admin API/SDK to issue (generate) the expected JWT tokens for the user
- applications and services are protected by, and connected to, one central identity provider
Requirements/limitations:
- The described flow is based on OpenID Connect.
- A web browser (Chrome, Firefox, Safari) is needed to authenticate the user.
- The partner identity provider secures the accounts.
- No additional MFA is required. If needed, the process should be extended into a multi-step process.
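The core of the flow above is the exchange step: the central identity provider verifies the partner's OIDC ID token (issuer allowlist, audience, expiry, nonce) and only then mints its own access token for the downstream services. The following is an added illustration, not code from the post or from any of the named providers; the issuer URLs, client IDs and keys are constructed, and HS256 with shared secrets stands in for the RS256/JWKS verification a real partner IdP would require, so the example runs offline with the standard library.

```python
import base64, hashlib, hmac, json

# Hypothetical federated partners, keyed by OIDC issuer (constructed sample values).
# Real partners sign with RS256 and publish a JWKS; HS256 is used only so this runs offline.
PARTNERS = {
    "https://login.partner-a.example": {"client_id": "our-app-at-a", "key": b"partner-a-secret"},
}
CENTRAL_ISSUER = "https://id.ourcompany.example"   # our central identity provider (assumed)
CENTRAL_KEY = b"central-signing-secret"            # constructed sample signing key
ACCESS_TOKEN_TTL = 900                             # lifetime of the issued access token, seconds

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (HS256) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: int) -> dict:
    """Check the pinned algorithm, the signature and the expiry; return the claims."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token choose the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def exchange_id_token(partner_id_token: str, expected_nonce: str, now: int) -> str:
    """Verify the partner's ID token, then issue our central access token for the user."""
    _, body, _ = partner_id_token.split(".")
    iss = json.loads(_b64url_decode(body)).get("iss")  # unverified peek, only to select the key
    partner = PARTNERS.get(iss)
    if partner is None:
        raise ValueError("issuer not federated")        # allowlist: unknown IdPs are rejected
    claims = verify_jwt(partner_id_token, partner["key"], now)
    if claims.get("aud") != partner["client_id"]:
        raise ValueError("audience mismatch")           # token was not issued to our app
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")              # binds the token to this login attempt
    return sign_jwt({"iss": CENTRAL_ISSUER, "sub": f"{iss}#{claims['sub']}", "aud": "api://orders",
                     "iat": now, "exp": now + ACCESS_TOKEN_TTL}, CENTRAL_KEY)
```

Downstream services then call `verify_jwt` with the central key and additionally check `iss` and `aud` against their own expected values; the subject is prefixed with the partner issuer so that user IDs from different partners can never collide.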
#IdentityManagement #AWS #Cognito #AzureADB2C #Okta #auth0 #b2b #IdentityFederation