In B2B SaaS, where services are provided to enterprises in a multi-tenant model, access control is at the core of the service. How the organizational structure of the customer company, the roles and positions of its employees, and the information of external parties dealing with it (partners, suppliers, outsourcing agencies for specific tasks, etc.) are managed, and how access control to data and functionality is implemented, affects not only the security of the service but also its usability. In addition, when building an “API ecosystem” that expands the usage scenarios of the service by making its API publicly available, an “API authorization infrastructure” is required, including permission management for the third-party companies that develop and deploy API clients.
So how do you build an API authorization infrastructure that makes the most of your own service’s strengths? One way is to build the infrastructure in-house as an extension of your existing access control. If this succeeds, the result is an API authorization infrastructure that is optimized for your own service and can flexibly accommodate future extensions and updates. However, implementing and operating OAuth 2.0 and OpenID Connect (OIDC), the industry-standard API authorization specifications, requires a high level of expertise, and full in-house operation is not straightforward.
Another option is to adopt IDaaS or IAM software with OAuth/OIDC capabilities. By outsourcing the implementation and operation, you can expect some reduction in development time and compliance with updated standards. However, most of these solutions have access control mechanisms focused on consumers (B2C) or internal employees (B2E). Migrating B2B SaaS access control to IDaaS / IAM software will therefore require significant effort, such as forcing the SaaS’s access control into the B2C/B2E model.
There is another thing to consider about IDaaS and IAM software. They bundle functions other than API authentication, such as user authentication and API client management. This might seem useful. In practice, however, elements such as login screens and authentication flows may differ completely from the overall usability of the service, or the concept of third-party management may be different, which can make them difficult to harmonize with the SaaS.
Authlete offers a combination of “SaaS-specific access control” and “outsourced OAuth/OIDC implementation and operation”. Authlete provides the core functionality needed to implement OAuth/OIDC as APIs. B2B SaaS providers can build an OAuth/OIDC server by combining these APIs with their existing access control and user authentication capabilities.
In addition, the Authlete API is environment agnostic. This allows B2B SaaS providers to build an OAuth/OIDC server using the same language, framework, and execution runtime as their other services, reducing development and deployment time and increasing efficiency when adding and changing functionality.
SmartHR, one of our customers in the SaaS space, has implemented OAuth in its HRtech offerings. They value Authlete especially for its rich set of Web APIs, high maintainability, and continuous adoption of the latest standards.
Money Forward Cloud ERP is a cloud-based ERP that allows companies to select products in accordance with their stage of growth. Money Forward adopted Authlete to implement OAuth 2.0 authorization, the key to API security for Money Forward Cloud ERP.
Authlete empowers Yappli to implement OAuth 2.0 functionality for its “simple and easy-to-use customer management system,” ensuring smooth external integration and a consistent service experience.
Yayoi is a software service company founded in 1978, and provides the “Yayoi Series” and the “Business and Operational Support Services.” Yayoi has adopted Authlete to upgrade its OAuth 2.0 infrastructure for “Yayoi ID,” which is the identity service for all Yayoi services.