Grean extends Auth0 with B2B onboarding and authorization

Niels Flensted-Jensen, Dec 4, 2015

Grean is an onboarding and authorization management service for business-to-business applications - web, mobile, or APIs. Grean is designed and built to work with Auth0, and together they form a complete authentication and authorization solution for business-to-business collaboration.

Let’s say you work at an insurance company and you manage a web application serving brokerage firms. Maybe your company works with 50 brokerage firms, maybe 1,000. But almost certainly not 10 million.

“Auth0 determines who you are, while Grean manages which organization you belong to and what you will be allowed to do.”

And most of the brokerage firms have several users in different capacities: A few work in finance; most work as actual brokers; one is a manager having access to all accounts; and others work with only a subset of customers.

And here are just a few of your challenges:

  • You need a way of getting each brokerage firm on board.
  • You need to authenticate their users in a way that’s convenient for them and secure enough for you.
  • You need a way for the firms to manage the permissions of their users within the context of your application.

A full onboarding, authentication, and authorization solution

Grean manages everything related to onboarding of business partners and their employees. Subsequently, Grean provides management of access roles; that is, how each business partner and their employees are allowed to use your web, mobile, and API applications.

Managing business partners

Grean was built to work seamlessly with Auth0 by integrating into the authentication flow, independent of the actual authentication method. Put simply, Auth0 determines who you are, while Grean determines which organization you belong to and what you will be allowed to do in the context of that organization and the application you are using.

Authentication in a B2B relationship

Auth0 takes the pain out of authentication in a serious way. It does so with an unprecedented feature set and maximum flexibility coupled with hard security. With Auth0, your users will always be able to authenticate, and you will manage everything related to authentication outside of your actual applications.

While this is exactly what you need in a business-to-consumer (B2C) environment, a bit more is needed for B2B. First of all, your users must be authenticated as being part of a specific organization. Secondly, whereas authorization is simple in B2C (your users get access to their own data), it’s a bit more complex in B2B.

When you sign in to a B2B application, what your users are authorized to do and to access depends on your organization as well as their role within your organization.

Which is why in B2B applications, role-based access control (RBAC) is such a great vehicle for working with authorizations. With Grean, you get access to a simplified version of this, as illustrated below.

Simplified RBAC

As you can see, your organization - the provider of the applications - gets to define each application and the roles used for access control.

Your business partner - the customer - will manage their own users and assign them to roles made available by the application provider.

B2B onboarding and self-service user management

So, we took a look at what was needed to turn Auth0 into not just a great service, but a full solution in B2B environments. Based on past experience - and the requirements of some of our clear-eyed customers, not least of which is insurance group RSA Scandinavia - we came up with a list of places to augment Auth0:

  1. Onboarding of organizations: Your partners and customers should be easy to onboard - either by your invitation or automatically.
  2. Each business partner should be recognized as a partner: You manage what their organization can do, and then they manage what each of their users will be able to do with your applications.
  3. Augment user information at the time of authentication: When signing in through Auth0, the user’s information must be augmented with information about their organization and their individual authorizations (as assigned through the previous steps).

Grean provides all of these features to extend Auth0 to provide a full business-to-business authentication and authorization solution.

Grean in action

As illustrated in the systems diagram below, Grean works in two contexts:

  1. It provides a web interface for managing business partners and the applications they may access. And it also provides self-service user administration available for business partners. Everything is available through our API as well.
  2. It integrates with Auth0 in order to augment user information at the time of authentication. As the user authentication is processed, Grean is queried for additional information through an Auth0 pipeline rule.

Grean + Auth0

The logical flow of the user identity is from the identity provider - Google, Facebook, etc. - through Auth0, which processes the identity information and extends it with information retrieved from Grean before flowing an updated identity to the application.

In addition to the support for the runtime authentication flow, Grean also provides a web interface for managing your own users, your business partners, and your applications.

You invite other organizations - your business partners - to use your applications, and these organizations in turn manage their own users. Unless they themselves are subscribers of Grean, they will only be able to manage their own users with regard to the applications made available to them.

Integrate Grean with your Auth0 tenants

In order to start getting the benefits of the Grean and Auth0 collaboration, you’ll want to sign up for Auth0 first and then Grean. When signing up for Grean, you will be provided with a small piece of JavaScript code to add as a rule to your Auth0 authentication pipeline.

If you also want to embed (iframe) the Grean user management UI into your web applications for your partners to use, a few additional steps are needed.

And as always, should you run into any problems, both the Auth0 and the Grean teams are ready to assist you.