Exploring Salesforce’s Journey With CIAM
Posted in Security
Bill Doerrfeld, February 26, 2025

Customer identity and access management (CIAM) doesn’t always get the spotlight. Internal employee identity management has historically received more forethought and investment. According to Brossard, CTO of Axiomatics, CIAM is generally run by marketing rather than IT or security teams, and often doesn’t involve authorization at all. Expectations around CIAM are quickly shifting, however, toward more user-driven authorization and access, such as shared account management for digital banking services. “These are CIAM-based, authorization-driven use cases,” says Brossard. “But most of today’s authorization products are just doing policy-based access control — it’s not enough.”

I recently caught up with Brossard, who previously led the design and development of Salesforce’s enterprise and consumer identity offerings. Below, we explore the history of Salesforce’s consumer identity and access management: its journey developing a homegrown CIAM solution, the benefits it reaped, and some lessons learned along the way.

Beginning the CIAM Journey: Understanding the Requirements

Salesforce is a large enterprise with a vast product portfolio. When Brossard worked there, Salesforce’s CRM product, Sales Cloud, let customers automate aspects of their customer relationship management. Experience Cloud, part of Salesforce’s Customer 360, lets customers build websites that expose CRM data to partners or employees. “That’s where the identity kicks in,” says Brossard.

To enable these products, Salesforce needed a standard way to authenticate external parties. To package it as a consumer identity feature, the platform had to let end users sign up through an identity partner and authenticate. Salesforce wanted to support its own native authentication feature alongside the ability to federate identity.
The platform also required support for single sign-on, login with Google, basic SAML flows, and OAuth flows. On top of the technical requirements, the consumer identity experience had to be customizable. Salesforce marketing wanted to craft “pixel-perfect experiences,” says Brossard: a high degree of control over look and feel, latency, redirects, and the exact wording on user-facing pages such as those for password setup.

Building a Homegrown CIAM: The Benefits and Challenges

To build an identity platform, Salesforce leveraged the knowledge and components that had already been built for internal employee identity. This was possible largely thanks to its platform-first culture. “Because Salesforce was built as a platform, the very same features that had been built for enterprise identity and user management were reused and repackaged to deliver highly efficient customer identity,” says Brossard. Eventually, Salesforce had an IAM system that it could operate itself and repackage for customers.

But maintaining a homegrown identity management platform is far from easy. According to Brossard, keeping libraries and test flows up to date was a constant challenge, since new OAuth profiles and recommendations come out all the time. Evolving a homegrown customer identity solution is also tricky for a company of Salesforce’s size, which cannot move as quickly as a small company and must support the needs of a wide customer base. You may want to deprecate an unsupported OAuth flow, says Brossard, but you can’t simply turn it off because customers still rely on it, so lengthy deprecation plans are required.

Seeing the Benefits

Nevertheless, Salesforce succeeded in deploying its custom identity engine. One of the top benefits? Federation. “Federation is fundamental — from one single IDP, you can control access to all SaaS offerings,” says Brossard.
This has enabled software-as-a-service companies built on Salesforce to package this capability and federate identity themselves. Customers thereby avoid password sprawl and provisioning headaches. It has also helped enforce universal authentication policies, such as a global multi-factor authentication (MFA) requirement set once at the identity provider. Usability improved as well, since one-click federated logins are much faster for end users and more secure to boot. “You want the fastest path to also be the safest path,” he says.

The biggest result has been unified customer data. Salesforce’s CIAM capabilities now let customers build customer-facing sites that integrate directly with CRM data. This finally tied customer management into lead-generation sites, supporting sales representatives. The alternatives were to build your own sites with a CMS such as WordPress or Wix and use their native account management, or to bring in a separate identity provider, creating a data silo away from the CRM.

Lastly, a major result has been programmability. Salesforce’s entire CIAM platform is API-driven. Similar to the Bezos API mandate at Amazon, Salesforce requires that every capability ship with a published API. Accordingly, Salesforce has invested heavily in developer experience around its CIAM platform, which opens up significant room for customization and innovation.

Outcomes and Lessons Learned

One of the top lessons learned is how much the separation-of-concerns design principle benefits development and operations around identity. “It’s important to decouple business purpose from non-functional requirements like authentication,” says Brossard. Doing so helped Salesforce customers get a sleek, non-intrusive solution for those non-functional requirements. “You don’t pay Salesforce money because you want to log in to Salesforce. You want a kick-ass CRM.”

Salesforce also benefited from establishing a center of excellence for identity-related topics.
A CRM has many internal requirements and is consumed by many teams. Since identity, in this context, serves many needs, an independent identity team was valuable both for building functionality and for assisting the various stakeholders.

Another lesson is defining carefully which attributes make up a user’s identity. User attributes could encompass countless data points, such as age, email, location, address, and shoe size, as well as user type and permissions. Where Brossard stops short is at entitlements, the things a user has access to. Those belong in policies, which should stay decoupled from the information in the user’s identity profile; a profile that carries every entitlement ends up in every token issued for that user. “The profile could be extremely rich,” says Brossard. “If it’s too rich, you run the risk of token bloat.”

Securing the Identity Fabric

As Ian Glazer, a well-known figure in the identity space, observes, significant changes are underway in the IAM market; he now describes identity as a “fabric” interwoven into most of the digital touchpoints a user interacts with. This identity fabric requires policies for rule-setting, orchestration to extend IAM, execution capabilities, and a data layer, the last of which has historically been an afterthought. “An identity fabric cannot be successful without a consistent and robust data layer,” he says.

Regardless, modern access control faces mounting obstacles from rising API attacks. And where CIAM comes into the picture, “you can’t just do it on your own,” says Brossard. “You need some folks that are specialists for the rest of the platform.” Because, at the end of the day, not everyone has the resources of Salesforce. As an alternative to building your own CIAM, an established identity solution provider offers more out-of-the-box features and a support team that understands security best practices.
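Brossard’s token-bloat warning in the lessons-learned section above is easy to see in code. The following is an added example, not Salesforce’s or Axiomatics’ code, written in Python: it mints a token that copies every entitlement into the claims and compares it with a lean token whose claims hold identity attributes only, with access decided at request time by a policy function that consults a separate data layer. The signing key, the 8 KB header budget, the sample profile and the account-ownership table are all constructed for the illustration and are not taken from the article.

```python
# Added example (not Salesforce's or Axiomatics' code): a lean identity token
# plus a decoupled policy check, versus a token that carries every entitlement.
import base64
import hashlib
import hmac
import json

# Constructed, illustrative only. Real deployments use a JWT library and a
# managed signing key (typically RS256/ES256 with a published JWKS).
SIGNING_KEY = b"demo-hs256-key-not-for-production"
HEADER_BUDGET = 8192  # assumed proxy/web-server request-header limit, in bytes


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict) -> str:
    """Minimal HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature, then return the claims (raises on tampering)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


# Constructed sample profile: identity attributes only, no entitlements.
PROFILE = {"iss": "https://idp.example", "sub": "u-1001", "aud": "crm-portal",
           "email": "ana@example.com", "user_type": "partner", "country": "SE"}

# Constructed data layer: which subject owns which CRM account.
ACCOUNT_OWNERS = {f"acct-{i:05d}": ("u-1001" if i % 2 == 0 else "u-2002") for i in range(1000)}


def bloated_token(n_accounts: int) -> str:
    """Model A: copy the subject's entitlements into the token itself."""
    owned = [a for a, o in ACCOUNT_OWNERS.items() if o == PROFILE["sub"]]
    claims = dict(PROFILE)
    claims["entitlements"] = [{"account": a, "rights": ["read", "write"]} for a in owned[:n_accounts]]
    return mint_jwt(claims)


def lean_token() -> str:
    """Model B: the token carries identity attributes only."""
    return mint_jwt(PROFILE)


def is_permitted(claims: dict, action: str, account: str) -> bool:
    """Policy evaluated per request against the data layer, not the token.
    Employees may read any account; anyone may read and write accounts they own."""
    if claims.get("user_type") == "employee" and action == "read":
        return True
    return ACCOUNT_OWNERS.get(account) == claims.get("sub") and action in ("read", "write")


def bloated_decision(token: str, action: str, account: str) -> bool:
    """Model A's check: trust whatever the token says, however stale it is."""
    for e in verify_jwt(token).get("entitlements", []):
        if e["account"] == account and action in e["rights"]:
            return True
    return False


def token_sizes(n_accounts: int) -> tuple:
    """(bloated bytes, lean bytes) for a subject entitled to n_accounts accounts."""
    return len(bloated_token(n_accounts)), len(lean_token())


if __name__ == "__main__":
    big, small = token_sizes(500)
    print(f"500 entitlements: bloated={big} bytes (budget {HEADER_BUDGET}), lean={small} bytes")
    tok_a, tok_b = bloated_token(500), lean_token()
    print("before reassignment:", bloated_decision(tok_a, "write", "acct-00000"),
          is_permitted(verify_jwt(tok_b), "write", "acct-00000"))
    ACCOUNT_OWNERS["acct-00000"] = "u-2002"  # account handed to another subject after login
    print("after reassignment: ", bloated_decision(tok_a, "write", "acct-00000"),
          is_permitted(verify_jwt(tok_b), "write", "acct-00000"))
```

Run it and the 500-entitlement token is several times larger than the assumed header budget, while the lean token stays a few hundred bytes. The second failure mode is staleness: after acct-00000 is reassigned, the bloated token keeps granting write until it expires or is reissued, whereas the decoupled policy denies it on the very next request because it reads the data layer rather than the token.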