Creating a Scalable CIAM Solution using Drupal: The 4 Most Important Things to Know

Nate Szytel
January 19, 2024

I was lucky enough to work both at Janrain when the social login and consumer identity terms were being pioneered, and at Acquia when content management strategies had matured into creating great personalized experiences for users. However, the days of needing to pick between a great identity or great content strategy are over - now you need both. But IT departments, who are often tasked with solving specific challenges in this regard, don’t have a lot of guidance as to how to implement a Customer Identity and Access Management (CIAM) solution that still meets CMS flexibility needs. This guide is an overview of what to consider when creating secure and frictionless yet scalable identity authentication and authorization solutions using Drupal. I’ll also let you in on a little secret: most of these tactics can be used across the board in other platforms like WordPress, Joomla, Magento, etc.

A term that I’ll use below:

OpenID Connect (OIDC) - open source protocol for authentication where a user is redirected to a centralized login/registration experience


I’ll keep this part short - here is a video I created that outlines the differences - CIAM vs IAM - 5 key differences and some important things to know. It's a good place to start to get some preliminary knowledge on what will work best for you. 

Considerations for Flexibility

Depending on your specific scenario, just plugging in an Identity Provider (IDP) solution isn’t going to cut it. You are using Drupal because it offers the greatest flexibility in terms of design, content strategy, branding, multi-brand, translations, etc. So you need to ensure that the solution you are implementing can offer those same principles. Adding ‘login and registration’ is such an easy plugin these days that it is easy to overlook what is lying just under the surface. Here are some considerations with your CIAM solution:

  • Branding - do you have different branding/styling requirements across sites/apps
  • Primary Identifier - what use-cases do you need to support and do they include email as the primary ID, mobile number, or both
  • Consent management - does each site or brand need to share the same ‘legal acceptance’ versions or do they need to vary
  • Configuration - do you have multiple brands or sites that each need to hold high-level company principles, but need to be configured separately 
  • Environments - does each property require various environments to work through changes and promotion to adhere to a change management process
  • Localization - do you need to support multiple languages
  • Hooks - actions, events, workflows - they have many names, but the bottom line is what kind of external processes do you need to support
  • Analytics - side note, some solutions have metrics built in and others will require you to use their hooks to export that data to another solution. 

Headless vs Hosted

Just like with Drupal, there are two concepts for CIAM when it comes to user experience: API or Hosted. The industry best practice is to use OIDC which has a LOT of benefits:

  • Ensure the screens meet security and accessibility requirements
  • Never allow the app/site to handle user credentials directly
  • Open source so there are dozens of free libraries to implement it, including a Drupal module
  • Easy for individual teams to implement thus speeding up time to market
  • Features can be shared across brands/sites/apps 
  • Many others

There is a bit of a misunderstanding when it comes to the flexibility of OIDC. Often people think that if the user is being redirected to a centralized location for login, that will cause a bad user experience, and that the app doesn’t have control over the configuration or the look and feel of the centralized location. They also think that mobile app redirects are not great. These assumptions are not correct so long as you have the right CIAM solution.

OIDC is ideal for Drupal since it allows the consumer complexity to sit external to the Drupal site and database. You can manage authN and authZ elsewhere, while still giving that site the information it needs about that user when it needs it. This seems to be an up to date and flexible free module:

Next Identity makes the flexibility of the hosted screen limitless in terms of flows, configs, translation, branding, and much more. Mobile apps who implement Next Identity will not even feel like a user redirect giving them a great and secure experience.

So based on your scenario, using OIDC is a great and secure option. However, there may be a need to build screens or portions of screens directly within the app. In that case, you would be looking for a full set of APIs in order to build a more headless version of your identity solution. Most identity solutions have some kind of API set. Most these days have steered away from what is called the ‘Password Grant’ flow, which is essentially a /login and /register endpoint for direct integration. For good reason - but worth noting that Next Identity API supports the Password Grant flow :) 
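The redirect-based flow described above, sketched from the site's side as an added example (not code from the original post or from any Drupal module): the site builds an authorization code request with PKCE, then checks the callback before exchanging the code, so it only ever handles a one-time code and never a password. The endpoint, client ID, redirect URI and function names are placeholders chosen for illustration.

```php
<?php
// Added illustration, not from the post: idp.example, site.example and drupal-site are placeholders.
function b64url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Step 1: build the redirect to the hosted login page. The site never sees a password.
function buildAuthRequest(string $authEndpoint, string $clientId, string $redirectUri): array {
    $verifier = b64url(random_bytes(32));        // PKCE code_verifier, kept server-side
    $pending = [
        'state' => b64url(random_bytes(16)),     // binds the callback to this browser session
        'nonce' => b64url(random_bytes(16)),     // must come back inside the ID token
        'code_verifier' => $verifier,
    ];
    $url = $authEndpoint . '?' . http_build_query([
        'response_type' => 'code',
        'client_id' => $clientId,
        'redirect_uri' => $redirectUri,
        'scope' => 'openid profile email',
        'state' => $pending['state'],
        'nonce' => $pending['nonce'],
        'code_challenge' => b64url(hash('sha256', $verifier, true)),
        'code_challenge_method' => 'S256',
    ]);
    return [$url, $pending];                     // store $pending in the user's session
}

// Step 2: validate the callback before exchanging the code at the token endpoint.
function checkCallback(array $query, array $pending): string {
    if (isset($query['error'])) {
        throw new RuntimeException('IdP returned an error response');
    }
    $state = $query['state'] ?? null;
    $code = $query['code'] ?? null;
    if (!is_string($state) || !is_string($code) || !hash_equals($pending['state'], $state)) {
        throw new RuntimeException('state mismatch: possible CSRF or stale login attempt');
    }
    return $code;   // sent with code_verifier to the token endpoint, server to server
}

// Constructed sample run with placeholder values.
[$url, $pending] = buildAuthRequest('https://idp.example/authorize', 'drupal-site', 'https://site.example/openid/callback');
echo $url, PHP_EOL;
echo checkCallback(['code' => 'sample-code', 'state' => $pending['state']], $pending), PHP_EOL;
try {
    checkCallback(['code' => 'sample-code', 'state' => 'forged'], $pending);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

After the token exchange, the site still has to verify the ID token's signature, issuer, audience and expiry, and confirm that its `nonce` claim equals the stored value, before creating a local session.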

Identity Orchestration not Identity Management

Do you need to manage identities or orchestrate them? Well, it's pretty easy to plug in a login and registration solution - Drupal even has that out of the box. However, some sites/apps may already have an existing provider and you don’t want to migrate the full solution. OR, and even more common, different sites/apps need to maintain a different set of users. In other words, users can’t be shared across properties since they are considered completely different. However, you still want to have a high-level view of each user in order to provide better services. This is where Identity Orchestration comes in. A good CIAM platform will not only offer you great login and registration capabilities, but will support other providers so that you can orchestrate a user who is authenticating in one place and remove friction for them to federate into other sites (as an example).

The last example I’ll give (and mentioned above) is the ability to hook into the user flows and perform external processes. This might be keeping a CRM in sync, performing some kind of user lookup, alerting a downstream system of an event, etc. Being able to orchestrate is key. 


There are many considerations when you are choosing to implement a CIAM solution on your Drupal site. The best and easiest advice I can give is to educate yourself a little on the power of consumer identity, document the use-cases you need to support, then figure out how to make an OIDC flow work for your scenarios. But of course these things are rarely straightforward. 

Don’t hesitate to reach out if you need someone to bounce ideas off of - I’d be happy to have an exploratory conversation to see how I can help. Of course, Next Reason also offers a full set of CIAM services along with our Next Identity platform. So if you want us to come to assess your situation and provide some reports, we’d be happy to. 

Thanks for reading!
