01.12.2021 | Thomas Kessler

The Dark Side of Collaboration Platforms


Anyone who works with several partner companies on different collaboration platforms will be familiar with them: platform-specific logins, increasingly with 2-factor authentication that is also platform-specific.

Anyone who is responsible for a company’s Identity and Access Management (IAM) fears them: collaboration accounts that persist after the collaboration has been completed, all too often even after a project participant has left the company.both problems seem like remnants from the IT landscape of the 1990s, when every internal organizational specialist application had its own user administration and its own login. With the introduction of internal IAM systems, we were able to get this under control. Is a solution now also emerging for collaboration accounts? What could such a solution look like?

An IAM model for B2B collaboration

The IAM model for B2B collaboration, which is outlined below, consists of two components that complement each other:

On the user side, an identity provider (IdP) is required for employees to issue assertions to the external collaboration platforms (and other cloud services). This IdP is connected to the organization’s internal IAM system and ensures, among other things, that employees no longer receive assertions after leaving the company. The IdP also implements two-factor authentication for employees, for example using a smartcard or an authenticator app.

The collaboration platform requires a registration service for collaboration accounts that offers the following functionalities:

  • Federation option: For partner companies or domains that have an IdP, the registration service can be configured as a relying party (OIDC RP or SAML SP) to this IdP. This means that during the invitation process for a new collaboration account from this domain, an identity reliably registered by the IdP can be accessed, thus enabling a process that is both efficient and secure.
  • Lifecycle management for collaboration accounts: The registration service ensures that a responsible administrator is nominated for each collaboration account at all times and that an expiration date is set. The registration service also detects if a collaboration account has not been used for a long time or no longer has access rights. Depending on the situation, the registration service then triggers an appropriate recertification or clean-up process.

The IAM model for B2B collaboration presented here also provides for the collaboration platform to support a federated login and for the invitation process of the collaboration platform to be managed via the registration service for collaboration accounts described above.

Once this has been achieved, users can enjoy a secure single sign-on and IAM managers can look forward to appropriate governance of all user accounts!

Fallback solution for partner companies without their own IdP

Of course, the collaboration platform must also be able to be used by external persons whose organization does not have its own IdP with 2-factor authentication.

In this case, the registration service for collaboration accounts must implement its own process for the secure identification of the other party as part of the invitation process, for example based on a separately sent one-time voucher password. In addition, the collaboration platform must provide 2-factor authentication that can be used by such collaboration accounts.

Identity Federation Identity and Access Management (IAM)

About the author
Thomas Kessler
About the author
Thomas Kessler, Partner, Managing Security Consultant