If you’ve pitched a company store program to a big corporate client in the last few years, you may have found that the process can be a little bit trickier than it used to be. None of this stuff has ever been easy, mind you. But many corporations now throw up all sorts of hurdles to connecting their employees and customers to your store. Sometimes they’ll push you into a procurement system, like Coupa or Ariba, and at that point the company store itself may become secondary. In that case, you may just be filling orders in that procurement system, no company store needed.
This is not yet the norm, thankfully. Company stores still have a good deal to offer in terms of product presentation, customization and other features that are not readily available in a procurement system. As much as corporations want to have tight-fisted control over every dollar their employees spend, they’re usually willing to let you manage the company store purchasing experience – provided you can do it securely.
In order to do that, you often need to talk to the corporation’s network itself. Yes, you can tell them that every one of their users need to create an account on the company store separate from their own corporate account. But it’s a hassle – another password to remember, which means another password to forget.
Thankfully, the dark overlords that design and manage massive corporate networks have gifted us with another solution.
Some background: To a corporate IT manager, the internet used to be like the Wild Wild West; once you left the safe confines of their network, you were on your own in the wilderness. In the last decade, though, more and more corporate users must access resources outside that walled garden of the corporation. There are just too many valuable resources on the web to justify keeping users penned up in your network.
Once those corporate networking overlords opened up a crack in the wall, they (surprisingly) took it one step further. Not only can users now venture outside the network; they can take their identity and privileges along with them when they do. In short, the key that opens a corporate network to a user becomes a sort of master key that can be used elsewhere on the internet at large. Provided all the pieces are in place and talking to each other, when Jane is logged in to her corporate network, she can automatically log in an external service like a company store. No more usernames and passwords to lose.
Not Exactly News
Now, you’ve probably already experienced something like this if you use certain very popular web services. Companies like Google and Facebook want to be not just a service you use but also an Identity provider – in other words, they want to be the people who verify that you are you, not just to their own services but to other services as well.
This is why you’ll so often see “Log in with Facebook” or “Register using Google” on websites these days. The idea is the same as the corporate one: Once you’ve verified who you are, there’s no reason you can’t leverage that verified identity in other places. This is a little bit like a passport, but instead of the government, it’s Facebook saying who you are!
Depending on how you feel about privacy, that might scare you. And to be clear, Facebook and Google (and many similar services) have an ulterior motive: They want to track you wherever you go so they can show ads to you. When you log in to, say, an e-commerce store with Facebook, you’re telling Facebook what you like to shop for (and often quite a bit more).
Regardless, these are good examples of identity management or provision. They’re everywhere on the web, and primary difference between these and what a corporation might do is that these are all services that originate on the web and aren’t tied to all the rules and regulations of a corporate network. Google might know that you work somewhere, but they don’t know who your boss is, who works for you, what buildings you have access to, and so on. That stuff is the domain of corporate networks and “access control”, and it tends to be very closely guarded.
So, the people that manage corporate networks had to come up with their own solutions for passing user information onto third parties on the web. And hoo boy, did they ever come up with solutions; there are enough of them to make your head spin. Some don’t work with others; some are proprietary to specific types of networks; and some cost an arm and a leg to maintain.
About the only thing all these parties could agree upon was a name: Single Sign On, or SSO. SSO means that the identity you log on to a system with can be used in some way to log on to another system that supports it. Technically what Facebook and Google are doing is SSO as well, but for our purposes we’re going to focus on corporate Single Sign On, since this is what you’ll have to work with that RFP comes in the door with the foreboding letters “SSO” stamped on it.
The good news is that you don’t have to learn much about the mechanisms and technology of SSO in order to sell it. Your company store provider will talk with the corporate IT folks to do all the grunt work. But you should have a basic understanding of SSO terms in order to have a productive conversation and get the sales process going. Here are a few important definitions: