7 top reasons for embracing SAP CDC as an Enterprise CIAM

Joydeep Ghosh
10 min read · Oct 11, 2020

Disclaimer: This article is based on my personal experiences with Gigya/SAP CDC for various enterprise programs I was part of.

Must-Have Enterprise Grade CIAM Features

SAP acquired Gigya in November 2017 for approximately $350 million and rebranded it as SAP Customer Data Cloud (CDC). Even before that, Gigya had earned its reputation as an enterprise-grade Customer Identity and Access Management (CIAM) solution: as early as Q2 2017, Forrester named it a leader in the CIAM space.

Before I list the reasons for embracing SAP CDC as an enterprise CIAM, let me clarify that CIAM is not a traditional IAM solution, where the focus is B2E. By its very nature, traditional IAM focuses on securing enterprise resources and making access to those resources efficient. B2E use cases have little need for personalized experiences, progressive profiles or, more importantly, complex consent management. That is why CIAM needs to be a separate solution focused solely on B2C or B2B use cases; it is primarily a tool for building a favorable customer experience.

Now it is time to dig into the top feature list.

1. Social Login: This is by far the most common reason for SAP CDC's popularity. It provides integrations with almost every social IdP, starting with Facebook, Twitter, Apple, Google, Yahoo and LinkedIn and continuing with Microsoft, Instagram, WeChat, PayPal, Line, Amazon and a few others. With so many options, it not only lets consumers connect to your website easily, it also helps when location is a constraint. An example is WeChat for a China website, where most of the other providers are not available.

Apart from this, Gigya supports account linking when a user chooses to log in to your website with multiple social accounts, and also links those with your own site login process. This way, the information collected from the various social providers (with the customer's consent, obviously) helps build a more comprehensive customer profile. For the first login through a social provider, a "Get Profile" page can be configured to obtain from the user whatever missing data your website requires.

Moreover, if the corresponding social app permission is available, it is possible to pull a personalized news feed or friend list from a social platform like Facebook or Twitter. This addresses use cases where a customer may want to see their own news feed right on their profile page of a news media website while logged in.
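The account-linking and "Get Profile" flow described above, as an added example that is not Gigya's or SAP's code. It decides what a site should do when a social provider returns an identity: log in, link it to an existing account, collect missing mandatory fields first, or register a new user. The user-database shape, the field names and the `emailVerified` flag are assumptions made for the example; the one safeguard worth noticing is that an identity is only auto-linked to an existing account when the provider asserts the email address is verified.

```javascript
// Added example (not Gigya/SAP CDC code): social login decision logic.
// Field names and the database shape are assumptions for this example.

const MANDATORY_FIELDS = ["firstName", "lastName", "email", "country"];

// Constructed sample of the site's own user database, keyed by lowercase email.
const USER_DB = {
  "ana@example.com": {
    uid: "u-1001",
    profile: { firstName: "Ana", lastName: "Silva", email: "ana@example.com", country: "PT" },
    identities: ["site", "facebook"], // providers already linked to this account
  },
};

// Mandatory fields the provider did not supply (what the "Get Profile" screen asks for).
function missingMandatory(profile) {
  return MANDATORY_FIELDS.filter((f) => !profile[f]);
}

// Returns an action object describing the next step of the social login flow.
// `identity` = { provider, email, emailVerified, profile }.
function decideSocialLogin(db, identity) {
  const email = (identity.email || "").trim().toLowerCase();
  const existing = email ? db[email] : undefined;

  if (existing) {
    if (existing.identities.includes(identity.provider)) {
      return { action: "login", uid: existing.uid };
    }
    // Auto-link only when the provider asserts the address is verified; otherwise the
    // user must first prove control of the existing account before the link is made.
    if (identity.emailVerified) {
      return { action: "link", uid: existing.uid, provider: identity.provider };
    }
    return { action: "verify-before-link", uid: existing.uid, provider: identity.provider };
  }

  const merged = { ...identity.profile, email };
  const missing = missingMandatory(merged);
  if (missing.length > 0) {
    // First social login with incomplete data: show the "Get Profile" screen,
    // pre-filled with what the provider did return.
    return { action: "get-profile", missing, prefill: merged };
  }
  return { action: "register", profile: merged, provider: identity.provider };
}
```

Run it against `USER_DB` with a constructed identity: a verified Google identity for ana@example.com yields `link`, an unverified Twitter identity for the same address yields `verify-before-link`, and a new address with only a first name yields `get-profile` listing `lastName` and `country`.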

2. Single Sign-On: Imagine your company has many brand sites with login, and a customer who wants to navigate across those brand websites without the hassle of logging in again on each one. If those brand websites are made part of the same Site Group in the CDC console, a Single Sign-On experience can be provided simply by making gigya.js available on the landing page of the new website. The Site Group setting ensures that a single unified user database is used for all of those sites, and it also provides a central place to configure settings for every site under it. While it is a great feature, there are a few things to remember:

  • If you have a dedicated registration page for one of your sites and the user lands directly on it for some reason (such as a saved bookmark), single sign-on will not work, because the session gets terminated by default. This is by design. While it is understood that a user comes to the registration page only to register, it still is not obvious why terminating the session is a must. There is not even an OOTB option to warn the user that this may log her off. I hope CDC addresses this need soon.
  • This also means that if, for some reason, you would like to keep the user bases separate, you cannot use this feature. To be fair, if the user base is not the same, there should be no need for SSO in the first place. A more common challenge is a requirement for different settings on different websites, which means the settings will have to be overridden per site.

3. Risk-Based Authentication: This is a must-have feature for any enterprise-grade CIAM solution. It includes security options such as locking a user account after three or five unsuccessful login attempts, challenging with a CAPTCHA when an unusual user action is detected, or requiring two-factor authentication when a user tries to log in from an unknown or new device or browser, or from a different location. As of now, the second factor can be email, SMS or an authenticator mobile app such as Google Authenticator.

Some of the rules can detect a denial-of-service attack by finding repeated login attempts from the same IP within a stipulated timeframe, and block it.

These rules can be configured easily in the CDC console, either with the OOTB rule settings or through a custom JSON with defined attributes. If the JSON contains anything the configurator does not understand, it shows an error on save. The rules can be set up at the global level, i.e. applicable to all Site Group member sites, or at the site level.

Another interesting option is push notification when the login process applies to a mobile app. After a user opts in to TFA, when the user tries to log in from another device, the user receives a push notification on their mobile phone and can complete the login only after approving the notification.
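To make the rule types in this section concrete, here is an added example of a small risk-based authentication evaluator (my own illustration, not SAP CDC's rule engine or its JSON format). It applies three of the rules the section lists to a stream of login events: lock an account after a number of consecutive failures, deny a burst of attempts from one IP inside a time window, and step up to a second factor when the device is not yet known for the account. The thresholds, the event shape and the decision names are assumptions chosen for the example.

```javascript
// Added example (not SAP CDC code): a minimal risk-based authentication evaluator.
// Policy values and the event shape { ts, user, ip, device, success } are assumptions.

const POLICY = {
  maxFailedAttempts: 3,        // lock the account on the 3rd consecutive failure
  ipBurstLimit: 5,             // more than 5 attempts from one IP ...
  ipBurstWindowMs: 60 * 1000,  // ... within one minute is treated as a burst
};

class RiskEngine {
  constructor(policy = POLICY) {
    this.policy = policy;
    this.failures = new Map();     // user -> consecutive failed attempts
    this.locked = new Set();       // users currently locked out
    this.knownDevices = new Map(); // user -> Set of trusted device ids
    this.ipHistory = new Map();    // ip -> timestamps of recent attempts (ms)
  }

  // Evaluate one attempt and return "proceed", "challenge-tfa",
  // "deny-locked" or "deny-ip-burst". "proceed" means no risk action; the
  // normal success/failure handling of the credential check applies.
  evaluate(event) {
    const { ts, user, ip, device, success } = event;

    // IP burst detection is independent of the account being targeted.
    const recent = (this.ipHistory.get(ip) || []).filter(
      (t) => ts - t < this.policy.ipBurstWindowMs
    );
    recent.push(ts);
    this.ipHistory.set(ip, recent);
    if (recent.length > this.policy.ipBurstLimit) return "deny-ip-burst";

    if (this.locked.has(user)) return "deny-locked";

    if (!success) {
      const n = (this.failures.get(user) || 0) + 1;
      this.failures.set(user, n);
      if (n >= this.policy.maxFailedAttempts) {
        this.locked.add(user);
        return "deny-locked";
      }
      return "proceed";
    }

    // Correct credentials: reset the failure counter, then decide on TFA.
    this.failures.set(user, 0);
    const devices = this.knownDevices.get(user) || new Set();
    if (!devices.has(device)) {
      // Unknown device or browser: require a second factor. The device is only
      // remembered once the TFA step succeeds (see markDeviceTrusted).
      return "challenge-tfa";
    }
    return "proceed";
  }

  markDeviceTrusted(user, device) {
    if (!this.knownDevices.has(user)) this.knownDevices.set(user, new Set());
    this.knownDevices.get(user).add(device);
  }

  unlock(user) {
    this.locked.delete(user);
    this.failures.set(user, 0);
  }
}

// Constructed sample stream: three wrong passwords for "bob", then the right one.
const SAMPLE_EVENTS = [
  { ts: 1000, user: "bob", ip: "203.0.113.7", device: "d1", success: false },
  { ts: 2000, user: "bob", ip: "203.0.113.7", device: "d1", success: false },
  { ts: 3000, user: "bob", ip: "203.0.113.7", device: "d1", success: false },
  { ts: 4000, user: "bob", ip: "203.0.113.7", device: "d1", success: true },
];

// Returns the decision for each sample event in order.
function runSample(events = SAMPLE_EVENTS) {
  const engine = new RiskEngine();
  return events.map((e) => engine.evaluate(e));
}
```

On the sample stream the third failure locks the account, so the correct password on the fourth attempt is still denied until `unlock()` is called; that is the behaviour the "lock after N attempts" rule is meant to have, and it is why an unlock path (support action, timed expiry or email flow) has to be designed alongside the rule.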

4. Progressive Profiling: This is another essential feature for a CIAM. Progressive profiling allows you to build a comprehensive user profile over time. At sign-up, a user needs to enter only a few mandatory attributes; it would be a disastrous plan to present a huge list to fill in during registration itself, as that discourages the user from completing a quick sign-up and eventually leads them to abandon your website.

But once the account is created and the customer is already hooked, they can be encouraged to share more personal data over time in order to complete their profile for a better, more personalized and engaging experience. A great way of encouraging the user to provide more data is to show a profile-completion visual with a percentage on it. It is human tendency to want to see something associated with them reach 100%.

Then, with each transaction the user makes, more data can be collected and stored to build a more holistic profile. Examples include asking for shipping and billing addresses while ordering a product, or asking the user to share interests as feedback on content shown on your website.

There are two ways to achieve this in Gigya. One is a custom code approach: when a certain event occurs, a custom update-profile screen can be triggered through the WebSDK configuration (when you are using the Gigya RaaS WebSDK for your implementation), which the user can choose to fill in to provide the information currently missing from the profile.

The other possibility is using the OOTB Gigya Markup Extensions, which can be tied to a variety of conditions to make the collection of profile information progressive and flexible. For example, one or two items of information can be gathered after each login, and again when the user logs in, say, 2 hours after her first visit.

All of these screens can be created in the UI Builder; however, additional logic must be added to make them behave progressively. This can be achieved using the Advanced Customization tab available for the screens under "Screen set", or via custom JavaScript that triggers the necessary screens.
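The "additional logic" this section calls for, written out as an added example (my own illustration, not Gigya's Markup Extensions or WebSDK code). It computes the profile-completion percentage for the widget described earlier and decides, at login, whether to show an update-profile screen and with which one or two fields, throttled so that a prompt is shown no more often than every two hours counted from registration or the previous prompt. The ordered field list, the bookkeeping attribute `data.lastProfilePromptAt` and the screen-set and screen names are assumptions for the example.

```javascript
// Added example (not Gigya code): progressive profiling planner.
// The field list, the bookkeeping attribute and the screen names are assumptions.

const PROGRESSIVE_FIELDS = [
  // Asked in order of business value; sign-up only collected name + email.
  "profile.birthYear",
  "profile.country",
  "profile.phones",
  "data.interests",
  "data.shippingAddress",
];
const ITEMS_PER_PROMPT = 2;
const MIN_INTERVAL_MS = 2 * 60 * 60 * 1000; // two hours between prompts

// Resolve a dotted path such as "profile.country" on a Gigya-style account object.
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

function isFilled(v) {
  return v !== undefined && v !== null && v !== "" && !(Array.isArray(v) && v.length === 0);
}

function missingFields(account) {
  return PROGRESSIVE_FIELDS.filter((p) => !isFilled(getPath(account, p)));
}

// Percentage for the "profile completion" widget.
function completionPercent(account) {
  const done = PROGRESSIVE_FIELDS.length - missingFields(account).length;
  return Math.round((100 * done) / PROGRESSIVE_FIELDS.length);
}

// Decide whether to show an update-profile screen now, and with which fields.
// `now` and `account.created` are epoch milliseconds; registration counts as
// the first prompt, so the next one is allowed two hours after the first visit.
function planPrompt(account, now) {
  const missing = missingFields(account);
  if (missing.length === 0) return { show: false, reason: "complete" };

  const lastPrompt = getPath(account, "data.lastProfilePromptAt");
  const since = now - (lastPrompt ? lastPrompt : account.created);
  if (since < MIN_INTERVAL_MS) return { show: false, reason: "too-soon" };

  return {
    show: true,
    screenSet: "Default-ProfileUpdate",         // assumed screen-set name
    startScreen: "gigya-update-profile-screen", // assumed screen name
    fields: missing.slice(0, ITEMS_PER_PROMPT),
  };
}
```

In a real integration the `show: true` result is what would drive a call to the WebSDK to open the screen set with only the listed fields visible, and the same login handler would write the current time back into `data.lastProfilePromptAt` so the throttle holds across sessions.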

In my opinion, this feature still needs a lot of custom building, and the available OOTB options have not yet reached the maturity to be used as-is.

5. Consent & Privacy Management, Localization Laws: In the world of GDPR, CCPA, HIPAA and various other privacy protection acts, it is a no-brainer that a CIAM solution has to provide an out-of-the-box feature for consent management. SAP CDC has built-in consent management capabilities where various consent types (for example terms and conditions, privacy policy, etc.) with multiple versions can be managed. Moreover, it is possible to publish a new consent and ask for re-acceptance based on the published date or version.

Since Gigya screen UI elements map directly to consent fields in the database, these consents are captured for individual users when they select the UI field. Interestingly, if you need multiple consents captured from one field, for example one checkbox covering both the privacy policy and the terms & conditions consent, then you need a hidden field to capture both with a single selection. This is because a UI element can be mapped to only one consent at a time, so the hidden field has to be mapped to the other one, and obviously selecting or de-selecting that checkbox has to fire JavaScript that auto-fills the hidden element and thereby the corresponding database field.
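The two consent mechanics just described, the one-checkbox-two-consents wiring and re-acceptance by published version or date, as an added example that is not SAP CDC code. The preference entries use `isConsentGranted`, `docVersion` and `docDate` keys, which mirror Gigya's documented preferences layout as I understand it but should be treated as an assumption; the published-document table and the DOM wiring helper are constructed for the example.

```javascript
// Added example (not SAP CDC code): consent capture and re-acceptance checks.
// Preference key names follow Gigya's layout as I understand it (assumption).

// Currently published consent documents (constructed sample).
const PUBLISHED = {
  terms:   { docVersion: 3.0, docDate: "2020-09-01T00:00:00Z" },
  privacy: { docVersion: 2.0, docDate: "2020-06-15T00:00:00Z" },
};

// Build the preferences payload from the single checkbox state. Both consents are
// derived from the same boolean, so the visible field and the hidden field can
// never disagree.
function preferencesFromCheckbox(checked, published = PUBLISHED, nowIso) {
  const grant = (doc) => ({
    isConsentGranted: Boolean(checked),
    docVersion: doc.docVersion,
    docDate: doc.docDate,
    lastConsentModified: nowIso,
  });
  return {
    hiddenFieldValue: checked ? "true" : "false", // value written into the hidden input
    preferences: { terms: grant(published.terms), privacy: grant(published.privacy) },
  };
}

// Browser wiring: keep the hidden input in sync whenever the checkbox changes.
// Takes the two elements so it can also be exercised with stand-in objects.
function wireCheckbox(checkbox, hiddenInput) {
  checkbox.addEventListener("change", () => {
    hiddenInput.value = preferencesFromCheckbox(checkbox.checked).hiddenFieldValue;
  });
}

// True if the user must re-accept `key`: never granted, or granted for an older
// version or an older publication date than the one currently published.
function needsReacceptance(userPrefs, key, published = PUBLISHED) {
  const stored = userPrefs && userPrefs[key];
  const current = published[key];
  if (!stored || !stored.isConsentGranted) return true;
  if (stored.docVersion < current.docVersion) return true;
  if (stored.docDate && Date.parse(stored.docDate) < Date.parse(current.docDate)) return true;
  return false;
}

// Consents to present again on login, if any.
function pendingConsents(userPrefs, published = PUBLISHED) {
  return Object.keys(published).filter((k) => needsReacceptance(userPrefs, k, published));
}
```

`pendingConsents` is the login-time check: an account that accepted terms version 2.0 comes back with `["terms"]` once version 3.0 is published, while an account with no preferences at all gets both documents.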

Localization laws: Countries like Russia and China have very strict laws that prevent you from managing Chinese or Russian user data outside those countries, and it is not possible to suddenly build a data center in those countries just for this purpose.

Here Gigya comes to the rescue. Gigya maintains a primary Russian data center physically located inside the Russian Federation, to assist customers in complying with the Russian data localization laws that took effect on September 1st, 2015. The hardware and infrastructure of this Russian data center are wholly owned and operated by Gigya and are completely independent of any other Gigya data center, enabling complete isolation of Russian citizens' user data.

Similarly, SAP CDC maintains a primary Chinese data center physically located inside China, to assist customers in complying with Chinese data localization laws. Just like the Russian data center, the hardware and infrastructure of the Chinese data center are completely independent of any other center, enabling complete isolation of Chinese citizens' user data.

6. Omni-channel Experience: This feature helps you get set up quickly, as you do not need to spend any time building screens for known flows like registration, login, Get Profile, Update Profile, TFA, locked account, etc. These screens are an integral part of CDC, and it is advisable not to change the screen names, because OOTB code refers to them as-is. The screens support building an omni-channel experience across your web, mobile and other online channels.

The flexibility to customize these pages is a great advantage that CDC provides and a major factor in its success. It is easy to switch between a modal view and a page view. Even the sequence of screens, basic validations and many other attributes can be managed directly from the UI screen builder.

Localization, i18n, templated email options, basic policy settings, etc. are a few other features that help you adopt Gigya much more quickly.

As far as the screen sets are concerned, one limitation is that certain wizards, such as TFA and My Profile, are easy to configure and set up but do not allow much customization. Another possible challenge is conflicting JavaScript between the OOTB version and the custom version introduced by your team. Also, some UI elements (like the calendar widget) are not supported on some browsers, such as IE11.

7. Profile, Preference & Subscription Management: Customer Data Cloud RaaS (Registration as a Service) includes a Profile object that holds basic personal data, demographic data, education & certification data, publications, skills, work data, favorites and everything else possible!

CDC can also help set up user preference entries (in the Gigya schema, this is where consent data is stored) as well as subscription entries, which are generated for items put into a wish list, items marked as favorites, and any subscriptions you may have built.

And the best part is, it allows a custom Data object that can hold anything custom: at least 1,000 such attributes. This is very helpful for businesses that have their own kinds of data to associate with users.

A very interesting feature in Gigya is the Enable Dynamic Schema property, which allows additional schema attributes to be added dynamically through APIs: a programmatic way to add or delete schema attributes that do not need to be persistent or to follow the strict persistent schema.
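A custom Data object with a dynamic schema is convenient, but writes to it still need governance, otherwise any client code path can create new attributes of any type. The following added example (my own illustration, not SAP CDC's setSchema format or API) validates a `data` payload before it is written: declared attributes are type-checked, undeclared ones are rejected unless the dynamic-schema switch is on, and even then only scalar values are accepted and the total attribute count is capped at the 1,000 figure quoted above. The schema syntax and the sample schema are assumptions for the example.

```javascript
// Added example (not SAP CDC code): a write-time guard for the custom `data` object.
// Schema syntax below is this example's own, not Gigya's setSchema format.

const DATA_SCHEMA = {
  loyaltyTier:     { type: "string",  required: false },
  loyaltyPoints:   { type: "integer", required: false },
  newsletterOptIn: { type: "boolean", required: false },
};
const MAX_ATTRIBUTES = 1000; // ceiling for custom attributes quoted in the article

function typeOk(value, type) {
  switch (type) {
    case "string":  return typeof value === "string";
    case "boolean": return typeof value === "boolean";
    case "integer": return Number.isInteger(value);
    case "number":  return typeof value === "number" && Number.isFinite(value);
    default:        return false;
  }
}

// Type label for an undeclared attribute accepted under dynamic schema;
// null for nested objects and arrays, which this guard does not accept dynamically.
function inferType(value) {
  if (typeof value === "string") return "string";
  if (typeof value === "boolean") return "boolean";
  if (Number.isInteger(value)) return "integer";
  if (typeof value === "number") return "number";
  return null;
}

// Validate a `data` payload. Returns { ok, errors, accepted }, where `accepted`
// is the sanitized object that may be written to the account.
function validateData(payload, schema = DATA_SCHEMA, opts = { dynamicSchema: false }) {
  const errors = [];
  const accepted = {};
  for (const [key, value] of Object.entries(payload)) {
    const decl = schema[key];
    if (decl) {
      if (!typeOk(value, decl.type)) errors.push(`${key}: expected ${decl.type}`);
      else accepted[key] = value;
    } else if (opts.dynamicSchema) {
      if (inferType(value) === null) errors.push(`${key}: unsupported dynamic type`);
      else accepted[key] = value;
    } else {
      errors.push(`${key}: not in schema (dynamic schema disabled)`);
    }
  }
  for (const [key, decl] of Object.entries(schema)) {
    if (decl.required && !(key in payload)) errors.push(`${key}: required`);
  }
  const dynamicKeys = Object.keys(accepted).filter((k) => !schema[k]);
  if (Object.keys(schema).length + dynamicKeys.length > MAX_ATTRIBUTES) {
    errors.push(`attribute cap of ${MAX_ATTRIBUTES} exceeded`);
  }
  return { ok: errors.length === 0, errors, accepted };
}
```

With the switch off, `{ favouriteColor: "blue" }` is rejected as not in the schema; with it on, the same payload is accepted, while `{ nested: { a: 1 } }` is still refused because only scalar attributes are admitted dynamically.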

The profile management feature, along with preferences and consent, is by far the most important feature of CDC, as it helps build a unified customer profile and hence provides a 360-degree view of the consumer's profile and behavior across all your brand sites.

A related feature called Customer Insights enables you to analyze your first-party data as well as users' social data and offers. The supported data categories include demographics, user interests, influence levels & social behavior, and revenue & purchase activities. Customizable filters are available to segment users and display the information relevant to your business. It is also possible to download a user segment to a file or import it into the Identity Query tool.

Apart from these seven top features, there are other features like Reporting, Audit Log, Identity Exchange (partner integration), server-side APIs, etc. that make this solution a strong contender in the CIAM space.

Forrester Wave for CIAM, 2020

However, the October 2020 Forrester Wave shows a new leader, ForgeRock, which put up a good fight against SAP CDC and even exhibited a better strategy. A few other notable competitors are IBM CIAM, WSO2, Salesforce, Janrain (now acquired by Akamai), Ping Identity, Okta, Microsoft Azure B2C, etc. Most of these have similar features, with differences in implementation flexibility, level of customization, performance, scale, global support and strategic vision, which make a few of them true leaders in this space.

References:

  1. https://developers.gigya.com/
  2. https://wso2.com/whitepapers/customer-identity-and-access-management-a-wso2-reference-architecture/
  3. https://www.forgerock.com/resources/analyst-report/forrester-wave-ciam-2020
  4. https://www.iwelcome.com/blog/why-sap-acquired-gigya-and-what-is-the-bigger-picture

Joydeep Ghosh

Digital Transformation Architect with expertise in Adobe Marketing Solution(s). 16 yrs of overall IT experience with 5 years of digital architecture experience