Customer Identity and Access Management (CIAM) Solutions – Implementation of SAP Customer Data Cloud (CDC)

Introduction

Customer Identity and Access Management (CIAM) is a specialized branch of identity management focused on external users such as customers, partners, and guests. Unlike traditional IAM (which is often employee-centric), CIAM prioritizes user experience, data privacy, consent, and scalability. The functionality of CIAM can be divided into two parts - Identity Management and Segregation of Identities.

Identity Management ensures that the right people (or systems) have the right access to the right resources at the right time. It is a framework of policies, technologies, and processes used to manage who has access to systems (users, apps, devices), what they can access (permissions/roles) and how they are authenticated and authorized. Key Features of Identity Management include:

• User Registration

• User Authentication and Authorization

• Lifecycle management (creation to deletion of identities)

• Role-Based Access Control (RBAC)

• Multi-Factor Authentication (MFA)

• Single Sign-On (SSO)

  
  

Segregation of Identities means organizing and separating different types of users, applications and systems to apply distinct rules, policies and access levels to each of them. Identities need to be segregated because not all users or entities should be treated the same. Segregation helps

• Apply specific security policies per actor

• Prevent over-privileged access

• Improve compliance (GDPR, HIPAA, etc.)

• Enable clear audit trails and logging

Some popular Identity Management tools used to manage external users like customers, partners, and vendors (Customer Identity & Access Management) are as follows:

• SAP Customer Data Cloud (SAP-CDC / Gigya)

• Auth0 (by Okta)

• Okta Customer Identity

• ForgeRock

• AWS Cognito

• Microsoft Entra External ID

• Ping Identity (PingOne for Customers)

  
  

Key Principles for Identity Management

The key principles that ensure secure, scalable and manageable access to digital resources are as follows:

1. Unique Identity per Actor - Every user, device, or service must have a distinct, traceable identity (UID).

2. Authentication - Validate identity, using credentials (password, OTP, biometric, tokens).

3. Authorization - Grant access only to what is necessary (principle of least privilege).

4. Role-Based Access Control (RBAC) - Assign roles (admin, editor, viewer) that define what a user can do.

5. Lifecycle Management - Automate onboarding, updates, and deactivation of identities.

6. MFA (Multi-Factor Authentication) - Use at least two factors (password + OTP, fingerprint, etc.) for added security.

7. Federation & Single Sign-On - Allow identities from other systems (like Okta, Google) to access your system using standards like SAML or OIDC.

8. Consent & Compliance - Respect user consent for data collection (GDPR, CCPA), store audit trails.

9. Auditing & Logging - Keep logs of identity-related events: logins, failures, role changes.

10. Self-Service & Delegation - Let users manage their profiles, passwords, and consents with minimal admin help.

Key Principles of Identity Segregation

Identity Segregation ensures that different types of users or systems are managed independently, with policies tailored to their specific risks and use cases. The key principles include:

1. Separate Identity Domains - Use different identity providers (IdPs) for Customers, Employees, Partners, Services (e.g., SAP CDC for customers, Okta for workforce).

2. Custom Authentication Flows - Each actor type (customer, employee, app) should have its own login, password reset, and MFA flow.

3. Isolated Access Policies - Policies (e.g., password rules, session duration, IP restrictions) must differ per actor type.

4. Scoped Authorization - Use OAuth2 scopes or claims to restrict token usage based on identity type.

5. Issuer Validation - Apps should validate who issued the token (e.g., Okta vs SAP CDC) and behave accordingly.

6. Token Separation - Use different client IDs/Secrets and token types (JWT, opaque) for APIs, users, services.

7. Separate Logging & Auditing - Keep identity logs for each actor type in separate systems or namespaces for clarity and compliance.

8. Least Privilege Enforcement - Avoid reusing high-privileged roles (like Admin) across identity types.

9. Identity Routing Layer - API gateways or middleware should route traffic based on the identity source or token type.

10. Breach Containment - If one identity domain is compromised (e.g., customer), others remain unaffected.

    
    

SAP CDC (Customer Data Cloud)

Formerly known as Gigya, SAP CDC (Customer Data Cloud) is a popular CIAM platform (Customer Identity and Access Management) used for Identity Management and Segregation of Identities. The core components in SAP-CDC include:

• Screen-Sets - Prebuilt and customizable UI for login/registration/consent

• Identity Store - Central place for storing user data and profiles

• Consent Vault - Store consent records (opt-ins, terms accepted, etc.)

• Schemas - Define what data is stored (custom fields, validation rules)

• Social Identity Providers - Connect Facebook, Google, Apple, etc.

• API - Full-featured REST API for managing users, data, sessions

• Webhooks - Notify your backend systems of user events (e.g., login, registration)

  
  

Implementation Steps for SAP-CDC (Customer Data Cloud)

1. Set Up Your SAP-CDC Environment

   • Access SAP-CDC Console

     • Log in to the SAP CDC Console: https://console.identity.sap

     • Create or configure a Site for your domain (e.g., myapp.customer.sap)

   • Set Up API Keys

     • Go to Admin > Sites

     • Generate:

       Site API Key

       Secret Key (for server-side auth)

       
       

2. Define the Data Schema (Identity Model)

   • Go to Schema Editor

     • Create custom fields:

       • firstName, lastName, email, dob, preferences, userType, etc.

     • Group fields into logical sets (e.g., Contact Info, Preferences)

   • Enable System Fields

     • Fields like email, password, UID are provided by default

     • Set email or loginID as unique identifiers

       
       

3. Design Registration and Login Flows (Screen-Sets)

   • Use Built-in Screen-Sets

     • Navigate to Screen-Sets > Accounts

     • Modify templates:

       • Login

       • Register

       • Profile Update

       • Forgot Password

   • Customize UI

     • Add branding, translations, custom input fields

     • Add validations and progressive profiling logic

       
       

4. Configure Authentication Options

   • Email/Password (default)

     • Enable in the Login Screen-Set

   • Social Login (Google, Facebook, etc.)

     • Go to Identity Providers

     • Add and configure:

       • Google → Client ID + Secret

       • Facebook → App ID + Secret

     • Enable in screen-sets

   • SSO / Federation (Optional)

     • SAML / OIDC supported for federated login

     • Configure IDP metadata (e.g., Okta, ADFS)

       
       

5. Consent & Communication Preferences

   • Enable Consent Screen-Set

     • Configure for GDPR, CCPA, etc.

     • Allow opt-ins for:

       • Marketing emails

       • Data processing

       • Third-party sharing

   • Audit Trail

     • SAP-CDC automatically logs user consents with timestamps

       
       

6. Frontend Integration (Web/Mobile)

   • Use Gigya JS SDK (for Web)

     <script type="text/javascript" src="https://cdns.gigya.com/js/gigya.js?apiKey=YOUR_API_KEY"> </script>

   • Embed Screen-Sets

     gigya.accounts.showScreenSet({

     screenSet: "Default-RegistrationLogin",

     containerID: "loginContainer"

     });

   • Use SAP CDC Mobile SDK (iOS/Android) if needed

     
     

7. Backend Integration (Server-side APIs)

   • Use REST API to:

     • Register users

     • Query profiles

     • Update fields

     • Revoke tokens

   • Example: Get user info via UID

     POST https://accounts.eu1.gigya.com/accounts.getAccountInfo

     Headers:

     Content-Type: application/json

     Body:

     {

     "UID": "user123",

     "apiKey": "YOUR_API_KEY",

     "secret": "YOUR_SECRET"

     }

     
     

8. Secure Your Integration

   • Use Secret Key only on the server

   • Secure all API calls with HTTPS

   • Validate tokens via JWT decoding or Gigya’s token validation API

     
     

9. Enable Analytics & Monitoring

   • Use the Audit Logs for login activity, registration trends

   • Monitor traffic patterns, failed logins, and consent changes

   • Export logs for compliance or analysis

     
     

10. Test Across Environments

    • SAP CDC supports Dev, Stage, and Prod

    • Test:

      • Login/registration flows

      • Consent logging

      • Token validation

      • API rate limits

        
        

11. Deploy to Production

    • Switch API keys to production

    • Harden security settings:

      • Enable CAPTCHA

      • Enable brute force protection

      • Set session timeouts

    • Confirm compliance and branding

      
      

Conclusion

At SUJOSU Technology, our team of experienced engineers has successfully implemented SAP Customer Data Cloud (SAP CDC) in complex project environments. With deep hands-on expertise, we are well-positioned to support other organizations in their identity management journeys. Whether it’s architecting a scalable CIAM solution, customizing consent flows, or integrating SAP CDC with existing ecosystems, our team is ready to deliver value and drive successful outcomes.