Standard IAM Business Processes: B2C / Extranet Portal

This document introduces best practices for managing users, identity attributes and entitlements in a typical consumer-facing Extranet web portal:

  1. The focus is on organizations who wish to manage a portal that will be accessed by large numbers of "customers."
  2. The term customers is used in a generic sense. They could be literally customers in the sense of e-commerce, or new patients in a healthcare context, students or applicants in the context of an educational institution, citizens in the context of e-government, etc.
  3. There are really two deployment patterns in this context:
    1. One where there is a pre-existing relationship between the organization and consumers. For example, in a typical banking deployment, customers must have a bank account and probably had to visit a bank branch to open one, before web portal access makes sense.
    2. One where there is no pre-existing relationship between the organization and consumers. For example, college applicants or new store customers likely have no prior relationship with the organization hosting the portal.
  4. The relationship between the organization and its users is often weak. A customer may never return to the eCommerce web site. A patient may not get ill and visit the hospital again. An applicant may abandon a college application.
  5. The number of users may be quite large -- reaching into the millions.
  6. The amount of data about each user is often limited, both because users do not wish to volunteer much information and because there are regulatory reasons to avoid capturing much information.
  7. The variety and complexity of security entitlements assigned to users is very limited: few if any roles, probably just a single user object in a single directory, and one user cannot access another's profile. There are almost certainly no e-mail folders, home directories, etc.
  8. The variety and complexity of change processes is likely very limited -- on-boarding, deactivation, password changes, password resets, perhaps profile attribute updates, perhaps out-of-band validation of attributes such as e-mail address or mobile phone number.

The objective of this document is to present best practices for what information to capture about users in a typical Extranet web portal, and business practices for managing this information.

Organizations that are able to adopt best-practice processes will benefit both from optimized change management and from a reduced total cost of automating their processes on an identity and access management (IAM) platform.

Please note that this document is designed to help organizations design the system by which users are added to, managed in and removed from their Extranet (B2C) portal. The scope of this document does not extend to runtime authentication or authorization of users into applications -- that falls under access control rather than identity and access management.

Table of contents:

2 Directories, IAM systems, applications and firewalls
3 Identity attributes
4 Unique identifiers
5 Profile deactivation
5.1 User initiated
5.2 Automatic cleanup
5.3 Deletion mechanism
6 Authenticating users
7 Selecting and encoding security questions
7.1 Search space, degree of randomness
7.2 Social engineering
7.3 Standardized vs. user-selected questions
7.5 Privacy protection
7.6 How many Q-A pairs to enroll and how many to authenticate
7.7 Encryption vs. hashing
8 Selecting and encoding passwords
8.1 Password length and character set
8.2 Character sets and device interoperability
8.3 Complexity requirements
8.4 Hashing and salts
9 Enrolling new users
10 Managing passwords
11 Making changes to user profiles
12 Enrolling additional security questions
13 Reports and alerts
14 Global deployments
14.1 Language support
14.2 Jurisdiction and data storage
14.3 Global coverage of application support
15 Technical product capabilities

Please register

Access to the full document requires registration; it is e-mailed automatically on completion of the registration form.
