A comprehensive approach to CIAM vendor selection

Introduction

If you are here then you are likely to be interested in a couple of topics:

  1. You are looking for guidance and help in selecting a CIAM Vendor and/or
  2. You are looking for specific detail on how you might implement key CIAM use cases

Let’s deal with 1.

Selecting a CIAM vendor

Once you have identified that a CIAM solution is the right place to start when delivering services, products and solutions to consumers and citizens, you will initially need to do some desktop research. Typically this falls into two parts: looking at the requirements and looking at the market. In terms of the former, on top of your own specific needs, we have found that our enterprise customers have benefited from our “Ultimate CIAM Buyers Guide”, which helps identify the typical CIAM requirements and evaluation criteria for buyers.

In terms of looking at the market, the next place to research is via the Analysts. This article deals with the work we have done with Forrester, however other analysts are also available.

Typically, analyst reports begin in a similar fashion: the team conducts primary research on a given technology area to develop a list of vendors to consider for evaluation. From that initial list, the vendors are narrowed down based on various inclusion criteria until the final list is determined. While different firms take different approaches to reach their conclusions, this is the point at which Forrester will gather details on the product and strategy of each vendor through a detailed questionnaire, along with use-case demos, briefings, and customer reference interviews. Forrester takes those inputs, along with each of its analyst’s experience and expertise in the marketplace, to score vendors using a rating system that compares each vendor against others in the evaluation.

The approach taken by Forrester in their Wave for CIAM report is extensive, much like a full vendor selection, evaluation and proof process we would see from an Enterprise customer and in some cases more so.

This year, 15 vendors were asked to provide a thorough RFI response detailing their strategy and market presence. As the head of the Sales Engineering organization at ForgeRock, I’ve been involved in our response to numerous requests for proposal from prospective customers, including some of the world’s largest enterprises, and I’ve rarely seen any request as exhaustive as the one submitted by Forrester for this report. Their evaluation covered 22 criteria, including detailed descriptions of our product vision, roadmap, market approach, partner ecosystems, delivery models, revenue, and number of live installations, down to such details as the largest number of customer authentication attempts per hour at a single client organization. We were also asked to supply a list of customers so that Forrester could conduct reference interviews, which they did.

Each vendor also had to document how it delivers a set of key use cases. The use cases for the latest Forrester Wave™ for CIAM included:

  • Data orchestration: configure intelligent workflow scenarios (aka low-code approaches to deployments). What kinds of visual workflows are available?
  • Users and roles: manage role-based access control (RBAC), including adding users to roles and roles to users, editing fine-grained permissions, and using role inheritance and/or embedded roles.
  • Customer IDV and registration: configure identity verification of a new user. What out-of-the-box integrations are available?
  • Consent management: configure privacy-by-design (data residency) for customer PII that the CIAM solution stores. Show configurations for multiple customer countries, geographical segmentation of users, etc.
  • Authentication methods: configure protection against credential stuffing, account takeover, and password spraying, and show how to enable single sign-on (SSO), passwordless, biometrics, and tokens for multi-factor authentication.
  • Risk-based authentication: configure risk-based customer authentications and rule-based risk scores, and configure which authentication methods will be invoked based on the risk score.
  • Customer self-service: configure policies for customers to recover a forgotten user ID, manage their devices, update their profile, and more.
  • Business systems integration: configure the CIAM solution to integrate with CRM (e.g., Salesforce), MDM, web analytics, eCommerce portal, and others. What features are available beyond SCIM?
  • IDV and fraud management: configure the CIAM solution to integrate with third-party IDV solutions, such as Equifax, Experian, LexisNexis, TransUnion, etc., and with an Enterprise or Retail Fraud Management solution, among others.
  • Reporting, dashboarding, and scalability: set up, define, and run an ad-hoc report. Show filtering, changing the order of columns, hiding/showing columns in the output. And show how to set up customized dashboards for CIAM administrators.

And this is where it is a little different: for Forrester, written explanations were inadequate. They required vendors to demonstrate each use-case scenario in real time to the analyst, which typically took three hours. Under each of the use cases listed above were five or more specific use cases. Vendors had to document and demonstrate their effectiveness in all of them, for a total of 50 use case demos. Beyond responding to and demonstrating the documented use cases, the analyst can “go off-script,” asking the team to demonstrate other capabilities or prove something out a little further; this is a real examination of both the platform and the team presenting it.

In many ways, this part of the process is like a detailed PoC that we would run with a large enterprise. The difference is scale: in an enterprise PoC we might typically prove out up to 20 use cases, whereas here we had to demonstrate 50 and be ready to go off script and show others at a moment’s notice.

The use cases Forrester examined for its analysis represent a comprehensive set of requirements for any modern CIAM solution. We believe that any organization considering buying and implementing identity for their customer- or citizen-facing services should be looking at these capabilities and understanding why certain vendors outperformed others.

The team at Forrester has many years of experience in the IAM and CIAM segment and rigorously tests vendors. We believe this rigor is exactly why ForgeRock obtained the highest score possible in many areas, including data orchestration, users and roles, customer IDV and registration, consent management, authentication methods, risk-based authentication, and customer self-service. ForgeRock also earned the highest overall score amongst all vendors for product offering and strategy.

When investing in an essential technology, like CIAM, it’s important to examine the capabilities that matter most to your organization’s success. Reading the Forrester Wave™: Customer Identity and Access Management, Q4 2022 is a great place to start.

Further reading

Identity Cloud use cases:
