Facing an extranet challenge? Identity and access management as a solution

16 June 2014

Kimmo Parkkinen

This has resulted in a fragmented extranet with various challenges:

• users need to sign in to each service separately
• look and feel varies from service to service
• user experience is inconsistent and inconceivable.

Your extranet clearly needs renewing, but rebuilding it from scratch seems an overwhelming task. Where to start the renewal?

Picture a typical extranet site that has been built throughout the years piece by piece. Each one of its services may be very good at what they were designed for, but still the extranet resembles more a patchwork quilt than a modern extranet entity. A coherent user experience does not necessarily mean that you need to rebuild everything from top to bottom into one new and massive extranet system. If the business processes behind the services are mainly in order, sometimes it is just enough to renew the front layers, and leave the existing back end services to do what they are good at.

Let’s consider some of the pros and cons of such approach.

Where to start from?

Before doing anything, make sure that you create an unambiguous roadmap to be clear on what the moving elements in the puzzle are, what is needed and when. You can refine the roadmap later, but you need to have an initial vision of

• what you are trying to achieve
• with what kind of steps
• how the steps should be prioritized
• what technologies you currently have
• what you may need to acquire
• what kind of resources you need and
• what your budget is

You also need a well-planned overall concept plan before you start the actual implementation. You need to know the roles and target audiences for each service, the general look and feel of each service, what the color schemes will be, where the user interface elements such as navigations and logos will be, how they should work etc.

Don’t forget to consult your implementation partners on which changes are easy to do and which ones are harder. Avoid complexity, instead try to create a concept that can be applied to all existing services as easily as possible – including those that are still on the future development list.

When you have the roadmap and concept ready, you can still reconsider your approach one more time. This is the time to decide whether it might be better to start with a clean slate or make the best out of the existing services.

Single-Sign-On (SSO)

The most common source of negative feedback on fragmented extranet services is that the users are forced to sign in more than once. Single-Sign-On (SSO) is already quite well-known as a term and it is often mentioned as a magical solution to almost everything.

But what does SSO mean in practice? You can’t just throw it on top of everything as a last step in your extranet renewal project. Rather, SSO is more a foundation on top of which you build your entire extranet service. It requires either a centralized user directory (for example, Active Directory or LDAP), which all extranet services know how to utilize, or a separate identity management (IdM) solution.

Identity management (IdM)

A separate IdM solution works as a middle layer allowing users to sign in to different services with different user accounts and devices. It also maps the user’s access rights for each service. It usually does a lot more, too, but the nice thing is that the services do not have to share the same user directory or technology. The user has to sign in only once, or in the best-case scenario, the authentication can be totally invisible to the end users. Quite often IdM solutions run on a dedicated network server or in the cloud.

At first, adding a dedicated IdM solution to an existing extranet service may sound like a daunting exercise, but that is not necessarily the case. Of course, it should not be taken too lightly, either. Perttu opens up a few things about that in our intranet blog (in Finnish). Adding an IdM solution requires careful planning and considering the options. And most likely, you will need a partner for the actual implementation. The price range of the project, licences and setup may vary from 30 to 300 k€, depending on the number of services and complexity of the concept.

If, however, the processes behind the services are complex, this approach can prove easier than recreating those processes in a new extranet service from scratch. Just make sure that the IdM solution you choose is compatible with the services you are or will be using.

Eating an elephant takes one bite at a time

When you have the identity and access management in place, you can start making changes to the existing services according to your concept plan. The good news is that you can take one service at a time, make the necessary changes and move on to the next one.

If some of the services need to be totally replaced, the IdM solution can give you some extra time to build the new services in the background. In some cases the old and new services can even live side by side; some of the users access the old services while others already use the new one.

What about the future?

The decision whether to go with this approach or not should always be taken case by case. There is of course no point in wrapping the IdM solution around an old and dying legacy system. But if the services are at least fairly modern, they still fulfill your business needs well and have technical support from the suppliers, it is definitely worth considering. You can select the products and suppliers that are the best fit for each specific need.

An IdM solution can also enable totally new possibilities for internal use. Wouldn’t it be nice troead,1620142ccess your CRM and product catalog from an external network using your tablet? How about putting that to the roadmap, too?

• Architecture and technology consulting
• Choose the right technologies
• Concept and service design for digital channels
• Customer service channels