In B2B SaaS, where services are provided to enterprises in a multi-tenant model, access control is at the core of the service. The customer company's organizational structure, the roles and positions of its employees, and the information of the external parties it deals with (partners, suppliers, outsourcing agencies for specific tasks, etc.) all have to be managed, and access control to data and functionality has to be implemented on top of them. How this is done affects not only the security of the service but also its usability. In addition, when building an "API ecosystem" that expands the usage scenarios of the service by making the API publicly available, an "API authorization infrastructure" is required, including permission management for the third-party companies that develop and deploy API clients.
So how do we build an API authorization infrastructure that maximizes the strengths of our own services? One way is to build the infrastructure internally as an extension of access control. If you succeed, you can build an API authorization infrastructure that is optimized for your own service and can flexibly handle future extensions and updates. However, implementing and operating OAuth 2.0 and OpenID Connect (OIDC), the industry-standard API authorization specifications, requires a high level of expertise, and full in-house operation is not straightforward.
Another option is to adopt IDaaS or IAM software with OAuth/OIDC capabilities. By outsourcing the implementation and operation, you can expect some reduction in development time and compliance with updated standards. However, most of these solutions have access control mechanisms focused on consumers (B2C) or internal employees (B2E). Migrating B2B SaaS access control to IDaaS/IAM software will therefore require significant effort, such as forcing the B2B organizational model into a B2C/B2E model.
There is another thing to consider about IDaaS and IAM software. They bundle functions other than API authorization, such as user authentication and API client management. This might seem useful. In practice, however, the login screens and authentication flows may differ completely from the overall usability of the service, or the concept of third-party management may be different, which can make it difficult to harmonize these products with the SaaS.
Authlete offers a combination of "SaaS-specific access control" and "outsourced OAuth/OIDC implementation and operation". Authlete provides the core functionality needed to implement OAuth/OIDC as a set of APIs. B2B SaaS providers can build an OAuth/OIDC server by combining these APIs with their existing access control and user authentication capabilities.
In addition, the Authlete API is environment agnostic. This allows B2B SaaS providers to build an OAuth/OIDC server using the same language, framework, and execution runtime as their other services, reducing development and deployment time and making it more efficient to add and change functionality.
Authlete's compliance with the latest OAuth/OIDC specifications enables B2B SaaS providers to build an API authorization infrastructure that complies with industry-standard specifications without having to implement and operate it themselves.
Authlete works completely in the background, giving B2B SaaS providers complete control over the UI/UX for user authentication and consent.
The Authlete API is environment agnostic, allowing B2B SaaS providers to implement the OAuth/OIDC server using their preferred language and framework.
Authlete offers a shared cloud, dedicated cloud, and on-premises package, allowing B2B SaaS providers to choose the usage model that best suits their growth stage and service capabilities.