Pragmatic Approach, Practical Designs, Secure Implementations

A leading Canadian telecommunications provider has implemented an IAM solution for internal and external applications, providing security services such as authentication and authorization to a number of Internet-facing portals. The Clarionics team was hired to provide guidance on integrating these security services with social media platforms such as Facebook and Twitter for the purpose of SSO and profile data access.

It was important for this customer to integrate with social network platforms to improve the rate at which customers adopt its additional services, while gathering valuable market data.

Integrating any Internet-facing portal with social network services for authentication is not difficult and can be achieved using the published OAuth-based APIs. However, using social network logins alone, with no connection to existing customer identities, limits the application's ability to present current user profile information. A better solution is to associate the social network identity with the internal system identity.

To achieve these goals, the following design principles were identified and successfully implemented with the Clarionics team:


  1. An application containing non-public information must have its own user identities, i.e. a social network user ID and password alone cannot be used to grant access to non-public information.
  2. Integration with social network authentication and authorization services can be used for access to non-public information only after a successful account association, in which the user proves knowledge of the application account's password.
  3. Social networks can be used for initial user registration.
  4. Applications can store the social network user ID and security tokens, but never passwords.
  5. Applications must provide user functionality to remove the association with a social network platform.
  6. Only a single user account from each social network platform can be associated with an application account.
  7. Client-based security credentials, including session tokens, must be validated with the token-issuing authority before being accepted by an application.
  8. Multiple applications, each with its own set of permissions for each social network platform, should be supported.
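The account-association rules above, as an added example in Python that is not the customer's or Clarionics' code: a minimal service that links a social identity to an application account only after the application password is verified (principle 2), stores the social user ID and token but no social password (principle 4), allows one linked account per platform (principle 6), supports unlinking (principle 5), and never trusts a client-presented token until the issuing authority confirms it (principle 7). The `stub_validate_token` function and the token values are constructed stand-ins for the social platform's token verification; a real deployment would call the platform's own verification endpoint instead.

```python
"""Account association between application accounts and social identities.

Added example illustrating the design principles in the text; not production
code from the customer or from Clarionics. The token validator is a hypothetical
stub standing in for the platform's token-issuing authority.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class SocialLink:
    platform: str
    social_user_id: str
    access_token: str  # principle 4: the token is stored, the social password never is


@dataclass
class AppAccount:
    username: str
    salt: bytes
    password_hash: bytes
    links: dict = field(default_factory=dict)  # platform -> SocialLink (principle 6)


class LinkError(Exception):
    """Raised when an association request violates one of the design principles."""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    def __init__(self, validate_token):
        # validate_token(platform, token) -> social user ID, or None if the
        # issuing authority rejects the token (principle 7).
        self._validate = validate_token
        self._accounts: dict = {}

    def create_account(self, username: str, password: str) -> AppAccount:
        # Principle 1: the application keeps its own identity and credential.
        salt = os.urandom(16)
        acct = AppAccount(username, salt, _hash_password(password, salt))
        self._accounts[username] = acct
        return acct

    def _password_ok(self, acct: AppAccount, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash)

    def _find_by_social(self, platform: str, social_uid: str):
        for acct in self._accounts.values():
            link = acct.links.get(platform)
            if link is not None and link.social_user_id == social_uid:
                return acct
        return None

    def associate(self, username: str, password: str, platform: str, token: str) -> str:
        acct = self._accounts[username]
        if not self._password_ok(acct, password):  # principle 2
            raise LinkError("application password required before linking")
        social_uid = self._validate(platform, token)  # principle 7
        if social_uid is None:
            raise LinkError("token rejected by the issuing authority")
        if platform in acct.links:  # principle 6
            raise LinkError(f"{platform} is already linked to this account")
        if self._find_by_social(platform, social_uid) is not None:
            raise LinkError("this social identity is already linked to another account")
        acct.links[platform] = SocialLink(platform, social_uid, token)
        return social_uid

    def remove_association(self, username: str, platform: str) -> bool:  # principle 5
        return self._accounts[username].links.pop(platform, None) is not None

    def login_with_social(self, platform: str, token: str):
        """Resolve a social token to an application username, or None.

        The token is re-validated with the issuing authority first, and a
        successful validation only grants access to an account that was
        previously linked (principle 1).
        """
        social_uid = self._validate(platform, token)
        if social_uid is None:
            return None
        acct = self._find_by_social(platform, social_uid)
        return acct.username if acct is not None else None


# Constructed stand-in for the platform's token verification endpoint:
# only tokens it "issued" map to a social user ID; anything else is rejected.
ISSUED_TOKENS = {
    ("facebook", "fb-token-abc"): "fb-user-1001",
    ("twitter", "tw-token-xyz"): "tw-user-42",
}


def stub_validate_token(platform: str, token: str):
    return ISSUED_TOKENS.get((platform, token))


def demo() -> dict:
    """Walk through the link / login / unlink lifecycle and report each outcome."""
    svc = AccountService(stub_validate_token)
    svc.create_account("alice", "correct horse")
    out = {"before_link": svc.login_with_social("facebook", "fb-token-abc")}
    try:
        svc.associate("alice", "wrong password", "facebook", "fb-token-abc")
        out["wrong_password"] = "linked"
    except LinkError:
        out["wrong_password"] = "refused"
    svc.associate("alice", "correct horse", "facebook", "fb-token-abc")
    out["after_link"] = svc.login_with_social("facebook", "fb-token-abc")
    out["forged_token"] = svc.login_with_social("facebook", "forged-token")
    out["unlinked"] = svc.remove_association("alice", "facebook")
    out["after_unlink"] = svc.login_with_social("facebook", "fb-token-abc")
    return out


if __name__ == "__main__":
    print(demo())
```

Principle 8 (per-application permission sets) is not modelled here; in a real deployment each application would register its own client credentials and scopes with the platform, and the validator would be parameterised by application rather than shared.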