Skip to content

CIAM: End-User Management


CIAM integration is responsible for providing information to Accedo One on how to register and/or authenticate end-users.

Accedo One does not enforce a specific set of fields or validation rules that user must be presented with. Instead, for each type of action, Accedo One will query CIAM integration for input fields, their type and display information that are applicable for the service in question.


When a user is attempting to authenticate, the following happens:

  • Accedo One finds configured integration for this feature and requests IdentityService.GetAuthenticationFields
  • Integration responds with a list of InteractiveElements (input fields & associated display information, validation rules, etc).
  • Accedo One requests client application to display said elements to the user in a platform-specific way
  • End-User inputs information on their device, client application validates it against any applicable validation rules (returned by the integration) and submits this information to Accedo One
  • Accedo One passes this information to the integration, wraps response credentials (OAuth2 tokens, session token, etc) into standardized, encrypted Accedo One tokens and provides these to client application.
  • At this point application treats user as logged in, and uses Accedo One tokens in further communication with Accedo One


Registration flow is very similar to Authentication flow with the only difference that the initial RPC call is issues to IdentityService.GetRegistrationFields

Development with IDK

To start IDK in CIAM mode, simply run idk up customer-identity

$ idk up customer-identity

grpc-mock Done!  
ui Done!  
customer-identity-api Done!  
router Done!  
Creating network "default-one-idk" with the default driver
Creating default_customer-identity-api_1 ... 
Creating default_router_1                ... 
Creating default_ui_1                    ... 
Creating default_grpc-mock_1             ... 
Creating default_grpc-mock_1             ... done
Creating default_ui_1                    ... done
Creating default_router_1                ... done
Creating default_customer-identity-api_1 ... done

### IDK environment URLs ###

    - IDK - Admin UI: http://localhost:49186/


Following APIs must be fulfilled by the integration:

  • IdentityService - as defined in account/identity.proto