Getting Started

CIAM - Getting Started

MO CIAM developer foundations.

Welcome to the Customer Identity and Access Management (CIAM) Developers Portal. CIAM is a cloud-based platform that empowers you to onboard applications and build a secure Identity and Access Management solution. CIAM offers readily available APIs for authentication and authorization. These APIs help configure applications, Identity Providers, Users, User Groups, and User Roles, and manage user access to organization resources such as Sub-Organizations, Sites, User Groups, and Assets. The Customer Identity and Access Management Portal provides features critical to maintaining a secure Identity and Access Management system. It enables Admin users to manage user access, assets, and resources effectively.

Here is the description of each feature available in CIAM:

1. Organization Management

Organization Management in CIAM is a critical feature that enables administrators to manage and onboard organizations, their resources, and users within the Customer Identity and Access Management (CIAM) system. This module provides a centralized platform for administrators to create, manage, and govern organizations, sites, assets, users, and user groups, ensuring seamless access and authorization across the CIAM system.

1.1 Types of Organizations in CIAM

ABB-Managed Organizations: These organizations have a unique Global Unique Identifier (GUID) associated with them. They can have sub-organizations, sites, and assets managed by ABB administrators.

Self-Managed Organizations: These organizations do not have a GUID and are managed by their administrators. They can have sites and assets but no sub-organizations.

1.2 Key Features of Organization Management

• Onboarding Organizations: Admin Users can onboard new ABB-managed organizations using a valid GUID and add sub-organizations and sites.

• Adding Sites and Users: Admin users can add new sites to ABB-managed or Self-Managed Organizations and assign users and user groups to these sites.

• Access to Assets: Users and user groups assigned to a site have access to assets from that site.

• Sub-Organization Management: Admin Users can onboard new sub-organizations under ABB-managed organizations using a valid GUID and add users and user groups to these sub-organizations.

• Site Merge: Admin Users can merge the sites of ABB-managed organizations, sub-organizations, and Self-Managed Organizations, moving assets, users, and user groups from the source site to the target site.

• Consent Management: Admin Users can add new consents from ABB-Managed Organizations to Self-Managed Organizations, allowing users from Self-Managed Organizations to be added to ABB-Managed Organization resources. Similarly, they can add consents from Self-Managed Organizations to Self-Managed Organizations, allowing users from other Organizations to be added to their resources.

• Consent Modification: Admin Users can modify consents given by ABB-Managed or Self-Managed Organizations by adding specific resources such as asset groups, sub-organizations, or sites.

• Consent Management: Administrators can manage consents from ABB-Managed or Self-Managed organizations by enabling or disabling them.

• Organization Merge: Administrators can merge Self-Managed Organizations with other ABB-Managed organizations or their sub-organizations and other Self-Managed Organizations, moving users, user groups, sites, assets, and asset groups from the organization to different organizations.

• Identity Provider Management: Administrators can manage identity providers available for each organization, providing authorization to access organizations in CIAM.

2. User Management

User Management is a critical feature in the Customer Identity and Access Management (CIAM) system. It enables admin users to efficiently manage users, user groups, and roles within ABB-Managed Organizations or their sub-organizations and Self-Managed Organizations. This feature empowers administrators to onboard new users, assign roles, and manage access to various aspects of the organization, ensuring a secure and controlled environment for all users.

2.1 Key Features of User Management

The User Management feature in CIAM provides a centralized platform for administrators to manage user lifecycle activities, including onboarding, role assignment, and access control. The following key activities can be performed by users with admin roles:

• Onboarding New Users: Administrators can onboard new users to ABB-Managed Organizations or Self-Managed Organizations, assigning them to specific user roles, user groups, and sites within the organization.

• Assigning User Roles: Onboarded users are assigned a new role, which authorizes them to perform activities in CIAM based on the entitlements associated with the user role.

• Assigning User Groups: Users can be assigned to user groups within their respective organizations, inheriting the user roles already assigned to the group. This enables administrators to manage user roles at a group level, simplifying access control and role management.

• Assigning Sites: Users can be assigned to specific sites within an ABB-Managed Organization or a Self-Managed Organization, granting them access to all assets associated with the site.

3. Role Management

The Role Management feature is a critical part of CIAM (Customer Identity and Access Management) that enables administrators to manage user roles, entitlements, and role assignments to users and user groups. This feature provides a centralized platform for administrators to create, configure, and manage roles, ensuring users have the necessary permissions to access and manage organization resources.

3.1 Role Types

ABB Business Roles: These roles are added to users who belong to ABB-managed organizations. They include roles such as ABB Super Admin, ABB Admin, ABB Country Admin, ABB Country Admin Read, and ABB Service Admin.

Organization User Roles: These roles can be assigned to any user belonging to Self-Managed Organizations. They include Principal Users and End Users.

3.2 Key Features of Role Management

• Role Creation: Admin users can create new ABB Business Roles or Organization Business Roles that can be assigned to users and user groups associated with organizations onboarded to CIAM.

• Entitlement Configuration: Admin users can configure entitlements to the ABB Business Roles or Organization Business Roles, which authorize users to perform specific actions in the portal.

• Entitlement Management: Admin users can edit or remove entitlements assigned to the ABB or Organization Business Roles.

• Role Assignment: Admin users can assign the ABB Business Roles or Organization Business Roles to users and user groups, providing new capabilities to users to perform activities in the portal based on authorization levels.

• Role Removal: Admin users can remove ABB Business Roles assigned to users and user groups.

4. Asset Management

Asset Management is a critical feature within the Customer Identity and Access Management (CIAM) system. It enables Admin Users to efficiently manage the applications available in CIAM and the assets or asset groups assigned to ABB-managed or self-managed organizations. This feature provides a centralized platform for administrators to register, manage, and monitor assets, ensuring seamless access and authorization for users and user groups.

4.1 Types of Assets and Asset Groups

Owned Assets: These are assets registered to ABB-managed or self-managed organizations, which can be further assigned to users or user groups from the respective organizations.

Consented Assets: These are assets assigned to the respective ABB-managed or self-managed organizations through consent from other organizations.

Owned Asset Groups: These are individual assets from ABB-managed organizations or self-managed organizations grouped into an asset group, to which users and user groups from these organizations can be added.

Consented Asset Groups: These are asset groups assigned to the respective ABB-managed or self-managed organizations through consent from other organizations.

4.2 Key Features in Asset Management

• Register New Asset: Register new assets with an ABB-managed organization and its sub-organizations or self-managed organizations and assign users and user groups to the assets.

• Remove Users Assigned to Asset: Revoke user access authorizations by removing individual users assigned to the asset.

• Remove User Groups Assigned to the Asset: Revoke user access authorizations for all users from the user group by removing the user group assigned to the asset.

• Create Asset Groups: Create new asset groups and add them to the respective organizations' user groups.

• Assign Users to Asset Group: Add users from ABB-managed organizations and their sub-organizations or self-managed organizations to asset groups, providing user access authorization to all assets within the asset group.

• Assign User Groups to the Asset Group: Add user groups to asset groups from ABB-managed organizations and their sub-organizations or self-managed organizations, providing users from the user group access to all assets within the asset group.

• Remove Asset Groups: Revoke asset groups assigned to ABB-managed organizations and their asset groups.

• Enable Remote Monitoring: Enable remote monitoring for assets with a status of Not Connected, providing the capability for the asset to connect to the internet.

• Disable Remote Monitoring: Disable remote monitoring for assets with a status of Connected, revoking the capability to connect to the internet.

5. Subscription Management

Subscription Management is a crucial feature in Customer Identity and Access Management (CIAM) that enables administrators to effectively manage and govern various subscription categories, including MODP and MOSE subscriptions. This feature is designed to streamline the subscription activation, management, and deactivation process, ensuring that subscriptions are accurately tracked and updated in real time.

5.1 Types of Subscription in Subscription Management

The Subscription Management feature supports two primary categories of subscriptions:

MOSE Subscriptions: This category includes the subscriptions generated from Powertrain and 3 in 1 in-SIM subscriptions. MOSE subscriptions are further classified into sub-categories based on their states, such as:

• Dormant: Subscriptions that are not activated.

• Active: Subscriptions that have been activated by associating Assets.

• Expired: Subscriptions that are automatically deactivated when the subscription has expired.

• Renewed: Subscriptions that automatically renew after the subscription expires.

MODP Subscriptions: This category includes the subscriptions generated from Powertrain and Mobile Connect Subscriptions, Bundled Subscriptions, and Drive Composer Pro Subscriptions. MODP subscriptions are further classified into sub-categories based on their states, such as:

• Dormant: Subscriptions that are not activated.

• Active: Subscriptions activated by associating Assets or Users.

• Deactivated: Subscriptions that have been manually deactivated.

5.2 Key Features of Subscription Management

Admin users with the necessary permissions can perform the following actions on MOSE and MODP subscriptions:

• Activate Powertrain Subscriptions and 3 in 1 in-SIM Subscriptions: Assign an asset from an organization or its sites to activate these subscriptions.

• Activate Powertrain Subscriptions: Assign an asset from an organization or its sites to activate these subscriptions.

• Activate Mobile Connect Subscriptions: Assign an organization's users to activate these subscriptions.

• Modify Mobile Connect Subscriptions: Reassign a Mobile Connect Subscription to a different user within the same organization.

6. Firmware Management

Firmware Management is a critical feature within the Customer Identity and Access Management (CIAM) system, designed to streamline the process of managing firmware versions associated with devices. This feature empowers Admin Users to efficiently manage access to firmware versions, organizations, and their users, ensuring seamless integration and control over firmware distribution.

6.1 Key Features of Firmware Management

• View Firmware Versions: Users can view all firmware versions associated with a device, enabling them to track and manage firmware updates.

• Publish Firmware: Firmware versions with an unpublished status can be published, making them visible to the public or specific organizations and their users based on availability.

• Unpublish Firmware: Published firmware versions can be unpublished, preventing end-users from accessing them.

• Discontinue Firmware: Firmware versions with published or unpublished status can be discontinued, rendering them invisible.

• Configure Downloadability: The download option can be enabled for firmware versions with published or unpublished status, allowing users to download the firmware.

• Remove Downloadability: The download option can be removed for firmware versions with published or unpublished status, restricting users from downloading the firmware.

• Configure Availability: Firmware availability can be configured to control user access by updating the availability status to Limited or Public.

7. Authentications and Authorizations

7.1 Application Types Supported by CIAM

The Customer Identity and Access Management (CIAM) portal is designed to provide secure and seamless access to various types of applications. The CIAM portal supports the following application types:

• Web Applications: The CIAM portal supports web applications built using various technologies, such as HTML, CSS, JavaScript, and server-side languages like Java, .NET, or Python. These applications can be accessed through a web browser and provide a user-friendly interface for customers to interact with them.

• Native Mobile Applications: The CIAM portal supports native mobile applications for Android and iOS devices. These applications can leverage the device's capabilities, such as GPS, camera, and contacts, to provide a rich and engaging user experience.

• Single-page applications (SPAs): SPAs are web applications that load a single HTML page and dynamically update the content as the user interacts. The CIAM portal supports SPAs built using frameworks like Angular, React, or Vue.js.

• Non-Interactive APIs: The CIAM portal also supports non-interactive APIs, which expose data or functionality to other applications or services. These APIs can be accessed programmatically and do not require a user interface.

By supporting these application types, the CIAM provides a flexible and scalable solution for customer identity and access management, and access to various applications and services.

8. Protocols Supported by CIAM

The Customer Identity and Access Management (CIAM) application uses authentication and authorization protocols such as OpenID Connect (OIDC) and Security Assertion Markup Language (SAML). These protocols are crucial in ensuring the security and integrity of customer identities and access management.

8.1 Open ID Connect Protocol

OpenID Connect is an authentication protocol that allows users to authenticate securely to multiple applications integrated with CIAM through a single identity provider.

8.2 Advantages of using Open ID Connect Protocol

• Single Sign-On (SSO): Open ID Connect Protocol enables users to access multiple applications with a single set of credentials.

• Decoupling Authentication and Authorization: Open ID Connect Protocol separates authentication and authorization, allowing for more flexibility and scalability.

• Scalability: Open ID Connect Protocol is designed to handle large volumes of users and authentication requests.

• Security: OIDC uses industry-standard encryption and authentication mechanisms to ensure the security of user identities.

8.3 Grant Types in Open ID Connect Protocol

8.3.1 Authorization Code Flow

Authorization code flow is a server-side flow that involves the client redirecting the user to the authorization server to authenticate and authorize. The authorization server then redirects the user to the client with an authorization code, which the client can exchange for an access token.

Authorization Workflow:

• The client initiates the flow by redirecting the user to the authorization server's endpoint.

• The authorization server redirects the user to the client with an authorization code and a redirect URL.

• The client sends the authorization code, together with the redirect URL, to the authorization server's token endpoint.

• The authorization server issues an access token and returns it to the client.

8.3.2 Implicit Flow

The Implicit Flow is a client-side flow that involves the client redirecting the user to the authorization server to authenticate and authorize. The authorization server then redirects the user to the client with an access token embedded in the redirect URL.

Authorization Workflow:

• The client initiates the flow by redirecting the user to the authorization server's endpoint.

• The user authenticates and authorizes the client.

• The authorization server redirects the user to the client with an access token and a redirect URI.

• The client receives the access token and can access protected resources.

8.3.3 Authorization Code Flow (PKCE)

The Authorization Code flow (PKCE) is an extension of the Authorization Code flow with a Proof Key for Code Exchange. It adds an additional layer of security by binding the authorization code to a client-generated proof key: a hashed code challenge is presented at the authorization endpoint, and the matching code verifier is validated at the token endpoint before a token is issued.

Authorization Workflow:

• The client initiates the flow by redirecting the user to the authorization server's endpoint.

• The user authenticates and authorizes the client.

• The authorization server redirects the user to the client with an authorization code and a redirect URI.

• The client generates a proof key and sends it, together with the authorization code, to the authorization server's token endpoint.

• The authorization server verifies the proof key and issues an access token.

8.3.4 Refresh Token Flow

The Refresh Token Flow obtains a new access token when the existing access token expires. The client can use the refresh token to exchange for a new access token without requiring the user to re-authenticate.

Authorization Workflow:

• The client receives an access token and a refresh token.

• When the access token expires, the client can use the refresh token to exchange for a new access token.

• The client sends a POST request to the authorization server's token endpoint with the refresh token.

• The authorization server issues a new access token and returns it to the client.
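As an added example (not CIAM's own code), the following Python sketch models the checks an authorization server performs in the Authorization Code, PKCE and Refresh Token flows described above: exact redirect URI matching, single-use short-lived codes, S256 proof-key verification, and refresh token rotation. The client id, redirect URI and the in-memory AuthServer are assumptions.

```python
import base64, hashlib, secrets, time

def b64url(raw: bytes) -> str:
    # Base64url without padding, as RFC 7636 specifies for verifier and challenge
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_challenge(verifier: str) -> str:
    # Client side: S256 code_challenge = BASE64URL(SHA256(code_verifier))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:  # toy in-memory authorization server (assumed, not CIAM's endpoints)
    def __init__(self, clients: dict):
        self.clients = clients    # client_id -> pre-registered redirect_uri
        self.codes = {}           # code -> (client_id, redirect_uri, challenge, expiry)
        self.refresh_tokens = {}  # refresh_token -> client_id

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256") -> str:
        # Authorization endpoint (user already authenticated): the code is bound to the
        # exact redirect_uri registered for the client and expires after 60 seconds.
        if self.clients.get(client_id) != redirect_uri or method != "S256":
            raise ValueError("invalid_request")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = (client_id, redirect_uri, code_challenge, time.time() + 60)
        return code

    def token(self, grant_type, client_id, **p) -> dict:
        if grant_type == "authorization_code":
            entry = self.codes.pop(p["code"], None)  # single use: a replayed code fails
            if entry is None or entry[:2] != (client_id, p["redirect_uri"]) or time.time() > entry[3]:
                raise ValueError("invalid_grant")  # unknown, foreign, mismatched or expired code
            if not secrets.compare_digest(make_challenge(p["code_verifier"]), entry[2]):
                raise ValueError("invalid_grant")  # proof key does not match the challenge
        elif grant_type == "refresh_token":
            # Rotation: the presented refresh token is consumed and a new one issued
            if self.refresh_tokens.pop(p["refresh_token"], None) != client_id:
                raise ValueError("invalid_grant")
        else:
            raise ValueError("unsupported_grant_type")
        new_refresh = b64url(secrets.token_bytes(32))
        self.refresh_tokens[new_refresh] = client_id
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": new_refresh}

def rejected(fn, *args, **kwargs) -> bool:
    try:
        fn(*args, **kwargs)
        return False
    except ValueError:
        return True

def demo() -> dict:
    # Constructed client id and redirect URI; walks the code, PKCE and refresh flows
    uri, cid = "https://app.example/callback", "spa-client"
    srv, verifier = AuthServer({cid: uri}), b64url(secrets.token_bytes(32))  # 43-char verifier
    code = srv.authorize(cid, uri, make_challenge(verifier))
    tokens = srv.token("authorization_code", cid, code=code, redirect_uri=uri, code_verifier=verifier)
    replayed = rejected(srv.token, "authorization_code", cid, code=code,
                        redirect_uri=uri, code_verifier=verifier)
    code2 = srv.authorize(cid, uri, make_challenge(verifier))
    wrong_key = rejected(srv.token, "authorization_code", cid, code=code2,
                         redirect_uri=uri, code_verifier=b64url(secrets.token_bytes(32)))
    srv.token("refresh_token", cid, refresh_token=tokens["refresh_token"])  # rotates the token
    old_reused = rejected(srv.token, "refresh_token", cid, refresh_token=tokens["refresh_token"])
    return {"code_replay_rejected": replayed, "wrong_verifier_rejected": wrong_key,
            "old_refresh_rejected": old_reused}
```

The challenge function reproduces the RFC 7636 Appendix B test vector, which is a quick way to check any client-side PKCE implementation.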

8.4 Security Assertion Markup Language (SAML) Protocol

SAML is an XML-based protocol used by CIAM to exchange authentication and authorization data between systems. It allows users to authenticate with one identity provider and access multiple applications within the CIAM portal without needing multiple logins.

8.5 Advantages of using Security Assertion Markup Language (SAML) Protocol

• Secure Identity Exchange: SAML enables secure exchange of identity information between systems.

• Centralized Identity Management: SAML allows for centralized identity management, making it easier to manage user identities across multiple applications integrated with CIAM.

• Support for Multiple Identity Providers: SAML supports multiple identity providers, making integrating CIAM with various other systems easier.

9. User Login Authentications with Identity Providers and Custom Identity Providers

Customer Identity and Access Management (CIAM) leverages Identity Providers to authenticate and authorize users who have logged into the portal, granting them access to the applications, services, and resources within CIAM based on the successful authentication process.

CIAM uses two types of Identity Providers.

9.1 Pre-Built Identity Providers

Pre-built IDPs are off-the-shelf solutions that provide readily available authentication and authorization services. Google is an example of a pre-built IDP used by CIAM. These providers offer standardized authentication protocols, such as OpenID Connect (OIDC) or Security Assertion Markup Language (SAML), to facilitate seamless user authentication across different applications.

9.1.1 User Authentication Workflow with Pre-Built Identity Providers

• User Initiation: A user attempts to log in to a protected CIAM application using their credentials (e.g., username and password).

• Redirect to Identity Provider: The application redirects the user to the Identity Provider's authentication page.

• Authentication with Identity Provider: The user authenticates with the Identity Provider using their credentials (e.g., username and password).

• Authorization with Identity Provider: The Identity Provider verifies the user's credentials and grants or denies access based on the user's permissions and access controls.

• Redirect to Application: If the user is authenticated and authorized, the Identity Provider redirects the user back to the original application with an authorization token or code.

• Application Authentication: The application verifies the authorization token or code with the Identity Provider to ensure the user's identity and permissions.

• Access Granted: If the authentication is successful, the application grants the user access to the protected resources.