The 4 most important customer identity management tips for Drupal agencies

Nate Szytel
March 28, 2023

If you are an agency managing many customer sites, and those customers have many brands, then you know how important a scalable content strategy is for driving engagement and personalization. In the past there was a clear gap between a company’s content strategy and its identity strategy: not everyone needed login and registration, since those were tied more closely to subscriptions and social media. Signing up for an account used to be harder, and you could expect to be subscribed to marketing channels that were impossible to leave. Now, however, identity management is at the center of the picture: authentication is easy and compliance laws like GDPR protect our data (although we still have a way to go). In general there is more consumer trust around authentication, so brands can build more meaningful connections with their audience.

Drupal is great at bridging content and identity strategies. In particular, Drupal has excellent tools for building multi-sites that let agencies scale how they deliver digital experiences to their customers. This includes things like a CDP (customer data platform, for personalization), Acquia Site Factory (or another multi-site architecture), and headless implementations that go beyond the browser and across devices.

On the identity side, we have seen the emergence of consumer identity platforms such as Auth0, ForgeRock and SailPoint, all of which offer a suite of developer-friendly tools for building a seamless user authentication experience. However, companies with disjointed consumer identity solutions across their various brands and markets can run into security vulnerabilities, compliance issues, inconvenient user experiences, and low adoption rates. There is a gap in how to plug a unified identity management solution into the multi-site, multi-device architecture described above. Agencies need a way to manage brands that have dozens or even hundreds of apps across their landscape. Within these companies there are apps that need to be onboarded or offboarded, apps that need help with integration, and apps that want to adopt new features like passwordless authentication or migrate consumers from a legacy system to a new one. Here are the 4 most important tips for securely scaling your identity solution across your customers.

Tip 1: Understand OpenID Connect (OIDC)

Every major identity solution and every major CMS platform supports OpenID Connect as an authentication protocol. If you have ever downloaded a mobile app or visited a website where you must either create an account or sign in with your Google account, you may have found the second option much easier. When you click the Google button you are redirected to Google’s sign-in screen, you authenticate, and you are redirected back to the application you came from, now in a logged-in state.

That redirect model is the open standard protocol called OpenID Connect (OIDC). The power of this kind of solution is that it keeps the identity solution external to the application, so it can be managed separately. Plugging any OIDC provider into your multi-site architecture, or into an app built in any language, becomes a simple step. The freedom of having a fully baked authentication system external to the website or app is that it takes that responsibility away from the development team, who can now focus on other functionality. It also ensures that everyone across your customers and brands meets WCAG accessibility requirements and is mobile responsive. You can, of course, open a set of direct APIs to more technical teams if they truly want to build direct experiences, but that is no longer the identity industry recommendation, as it requires the relying party (the app) to collect and send the user’s credentials.

Simply put, learn and adopt OIDC.
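The redirect model described above, as an added example that is not part of the original post or of any vendor's code: a minimal relying party in Python that issues the authorization request, checks `state` on the callback and validates the ID token. The provider URL, client id, redirect URI and the HS256 shared key are constructed assumptions; production providers sign with RS256 and publish their keys via JWKS.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for a hypothetical provider and a Drupal relying party (RP).
ISSUER = "https://idp.example.com"
CLIENT_ID = "drupal-brand-a"
REDIRECT_URI = "https://brand-a.example.com/openid-connect/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def build_authorization_request(session: dict) -> str:
    # Step 1: redirect to the provider. state ties the callback to this session, nonce ties the ID token to it.
    session["state"], session["nonce"] = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid email", "state": session["state"], "nonce": session["nonce"]}
    return f"{ISSUER}/authorize?{urlencode(params)}"

def handle_callback(callback_url: str, session: dict) -> str:
    # Step 2: provider redirects back with code + state; a mismatched state means CSRF / login mix-up, reject.
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != session.get("state"):
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]

def mint_id_token(claims: dict, key: bytes) -> str:
    # Provider side, constructed so this runs offline (real providers use RS256 keys published via JWKS).
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(id_token: str, key: bytes, session: dict, now: float) -> dict:
    # Step 3: after the code exchange, verify signature, iss, aud, exp and nonce before logging the user in.
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("token not issued by our provider for this client")
    if claims.get("exp", 0) <= now or claims.get("nonce") != session.get("nonce"):
        raise ValueError("token expired or nonce mismatch (replay / other request)")
    return claims
```

In a Drupal deployment the session dict is the user's server-side session and the code exchange happens over a back-channel POST to the provider's token endpoint; the checks above are the ones that must happen before the site treats the browser as authenticated.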

Tip 2: Manage application asset inventory

The company sites and apps that you manage have many apps or campaigns running. Most brands need to draw on the shared pool of consumer data, and some apps may be temporary, for a holiday season. In all of these cases you need to know which apps are currently onboarding, which are in the pipeline to onboard soon, and which are no longer active and need to be offboarded. Every app is an attack surface, so keeping a high-level view of the landscape is critical to ensuring:

  • There are no unused credentials floating around
  • Credentials that are provisioned are scoped to only what that app needs
  • Apps are complying with security standards around user journey MFA policies
  • All consumers using any of the apps have accepted that market’s terms and conditions and/or privacy policy

An asset inventory of applications lets you see every app using the service and which features each has enabled. Some apps may only ask for an email and password at registration, while others have more requirements for entry. A common enterprise case is to disallow self-registration and instead require consumers to be invited. Your inventory lets you generate reports to ensure the entire landscape is compliant and secure.
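An added example (not the post's or any product's code) of running the four checks listed above over an application inventory in Python. The inventory rows, field names, staleness threshold and market terms versions are a constructed, hypothetical schema.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)  # constructed policy: unused credentials older than this need review
# Current terms-and-conditions version per market (constructed).
MARKET_TERMS = {"US": "2023-01", "DE": "2023-02"}

# Constructed inventory rows; this schema is hypothetical, not any CIAM product's API.
INVENTORY = [
    {"app": "brand-a-web", "market": "US", "status": "active", "credential_enabled": True,
     "last_used": date(2023, 3, 25), "scopes": {"openid", "email"}, "needed_scopes": {"openid", "email"},
     "mfa_enforced": True, "consumers_pending_terms": 0},
    {"app": "holiday-2022-promo", "market": "US", "status": "offboarded", "credential_enabled": True,
     "last_used": date(2022, 12, 26), "scopes": {"openid", "email"}, "needed_scopes": {"openid", "email"},
     "mfa_enforced": True, "consumers_pending_terms": 0},
    {"app": "brand-b-mobile", "market": "DE", "status": "active", "credential_enabled": True,
     "last_used": date(2022, 11, 2), "scopes": {"openid", "email", "profile", "users:write"},
     "needed_scopes": {"openid", "email", "profile"}, "mfa_enforced": False, "consumers_pending_terms": 12},
]

def audit(inventory: list, today: date) -> dict:
    """Return a list of findings per app; an empty list means the app passes all four checks."""
    findings = {}
    for row in inventory:
        issues = []
        # Check 1: no unused credentials floating around (offboarded apps, or long-idle ones).
        if row["status"] == "offboarded" and row["credential_enabled"]:
            issues.append("credential still enabled for offboarded app: revoke it")
        elif row["credential_enabled"] and today - row["last_used"] > STALE_AFTER:
            issues.append(f"credential unused for {(today - row['last_used']).days} days: confirm or revoke")
        # Check 2: credentials scoped to only what the app needs.
        extra = row["scopes"] - row["needed_scopes"]
        if extra:
            issues.append(f"over-scoped credential, remove {sorted(extra)}")
        # Check 3: user-journey MFA policy applied on every live app.
        if row["status"] == "active" and not row["mfa_enforced"]:
            issues.append("MFA policy not enforced on the user journey")
        # Check 4: every consumer has accepted the market's current terms.
        if row["consumers_pending_terms"]:
            issues.append(f"{row['consumers_pending_terms']} consumers have not accepted "
                          f"{row['market']} terms {MARKET_TERMS[row['market']]}")
        findings[row["app"]] = issues
    return findings

def noncompliant_apps(findings: dict) -> list:
    """Names of apps with at least one finding, for the compliance report."""
    return sorted(app for app, issues in findings.items() if issues)
```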

Tip 3: Create a branded authentication thread

Brands that exist within a parent company often want to differentiate themselves. They have their own marketing teams that come up with requirements that may not align with the global strategy, leading them to assume they require a custom solution. For instance, a brand may want to apply its own branding to the login and registration screens. Most identity providers allow this, but it often confuses end-users. They create an account in one place and then download an app that they’re unaware is connected to the first. As a result, they don’t necessarily know they can use that same account to sign in on the new app.

To allow the brands flexibility around this, while still making it easy for the consumer, you can create a brand for authentication alone. This would be something along the lines of ‘Powered by…’ or ‘Authentication by…’. Make that individual brand memorable, so that anytime a user visits a completely new brand and sees that logo, they know they can use the same account to sign in.

See my article on multi-brand strategies within the enterprise to read more about this.

Tip 4: Get rid of passwords and adopt biometric and passkeys

Passwords confuse people and are inherently less secure than emerging passwordless authentication technologies. Passwords may not go away completely in the short term; however, the more you can push that transition, the less time your agency will spend dealing with credential stuffing attacks, bot management, help-desk password resets, and other security vulnerabilities in general.

Next Identity Enterprise — the agency identity solution to manage your customers

This is where Next Identity Enterprise comes in. Next Identity is the only CIAM platform that offers a suite of tools to help businesses onboard, orchestrate, secure, and govern applications across a complex landscape. You can easily configure user journeys, track application onboarding, manage assets, and gain deep, actionable insights.

Watch the Next Identity | Features Overview video to see the key features of the platform:

Next Identity integrates with Drupal including Acquia Site Factory and any open source OpenID Connect library (there are dozens across all CMS solutions).

Send me a message or get in touch with us if you would like a demo or to have a 30-minute chat about how we have helped agencies enable their customers to realize their digital transformation journey through identity in order to drive engagement and stay secure and compliant. Our identity platform offers these tools out of the box, but Next Reason also has a comprehensive set of productized services if you want a team to come in and help with integration or do an assessment of your landscape.
