
Using TrustBuilder Token Exchange & Storage to delight HR Services customers

If you have ever traveled through French-speaking territory, you will have noticed railway signs saying ‘Un train peut en cacher un autre’. Similarly, if you are a frequent user of applications, you may have noticed that one app can also hide another app. To cater to the convenience that consumers request, organizations in different industries are offering third-party services through their app. To the consumer, moving from one app to another seems completely transparent. In the back end, however, all these applications need to be connected, and access to the different applications needs to be orchestrated. TrustBuilder Token Exchange and Storage takes away this complexity and allows organizations to embed third-party services securely.

Read on to learn:

  • How TrustBuilder Token Exchange and Storage allows you to build out ecosystems
  • How this applies to HR Services
  • How account linking works
  • How TrustBuilder goes beyond OAuth 2

How TrustBuilder Token Exchange & Storage helps

Who has authorized access to what application is governed by client-authored policies. When a user wants to connect to other components that work together with an application, these policies are executed by a token exchange.

TrustBuilder Token Exchange & Storage is a solution:

  • to enable your app to embed third-party services in a secure way
  • to offer consumers a seamless experience by avoiding re-login at the embedded third-party service.

To comply with privacy regulations and give the consumer total control, TrustBuilder Token Exchange obtains confirmation from the consumer that you can link their account with those embedded third-party services.

TrustBuilder Token Exchange & Storage goes beyond the standard OAuth 2 token exchange by working with third-party tokens. TrustBuilder Token Exchange & Storage adds account linking and token caching to achieve both an optimal user experience and security and privacy compliance.

Using TrustBuilder Token Exchange in an HR Services scenario

Let us illustrate the seamless user experience using a (fictional) HR service provider, HR2me. For the sake of the example, let’s assume HR2me is a TrustBuilder customer, using TrustBuilder Token Exchange. We’ll use a story about Hanna, an employee being serviced by HR2me and using third-party services affiliated with HR2me. She uses Monizze for eco vouchers and Olympus Mobility for personal mobility. We will follow Hanna as she uses the HR2me app for different purposes.

Hanna opens the HR2me app on her tablet and performs passwordless authentication.

Now that she’s authenticated towards HR2me, she can manage aspects of her career using their services.

She’s already learned that HR2me offers handling of eco vouchers that she received from her employer.

It turns out that HR2me partners with Monizze for this fringe benefit, and HR2me has already linked Hanna’s account. By using the Monizze services through the HR2me app, she is recognized immediately without further need for authentication.

She now wants to collect the ecological products she bought using her Monizze account. To get to the shop, Hanna wants to buy public transport tickets to go to the city. Returning to the HR2me app, she learns that HR2me also offers this, via Olympus Mobility.

Because she hasn’t yet linked her HR2me account with Olympus Mobility, she first has to identify and authenticate herself to Olympus Mobility.

Returning to the HR2me app, she can now link her account at Olympus Mobility with her HR2me account, simply by giving her consent to HR2me.

Booking tickets using the HR2me app has now become a pass-through from within the app straight to Olympus Mobility, without any further requirement to log in.

Hanna is a happy customer of both Olympus Mobility and her HR service provider HR2me thanks to this frictionless integration from within the app. Without leaving the HR2me app, she was able to make a purchase using her eco vouchers and she has obtained a public transport ticket to go and pick up her purchases.

How does account linking work?

HR2me cannot call a Monizze or Olympus Mobility API without proper authorization. It is TrustBuilder Token Exchange & Storage that enables HR2me to obtain the necessary authorization.

In the first example, Hanna’s account at HR2me was already linked with her account at Monizze. The process to obtain authorization for HR2me works as follows:

account linking sequence diagram

TrustBuilder has a vault in which it can safely store access tokens previously obtained from Monizze on behalf of HR2me. TrustBuilder can safely retrieve such a token and pass it on to HR2me. In case it has expired, TrustBuilder will automatically refresh it.

TrustBuilder goes a step further: TrustBuilder provides ready-made integration with third-party service providers. This simplifies the handling by the HR2me app even further:

TrustBuilder account linking sequence diagram

For the Olympus Mobility connection of the example, Hanna’s account at HR2me was not yet linked. This means that TrustBuilder will first obtain authorization from Olympus Mobility in the form of an Olympus-specific access token. This process will involve authentication of Hanna and obtaining consent from her to link the services.

TrustBuilder mobility account linking sequence diagram

Note that the login of Hanna at Olympus Mobility happens with the login screens of the latter. In the example, TrustBuilder Mobile Authenticator was used to obtain Hanna’s consent.

With the process described above, TrustBuilder offers HR2me a major accelerator to embed third-party services into their app. TrustBuilder takes care of the secure connections between the different applications and services.

TrustBuilder Token Exchange goes beyond OAuth 2

Token Exchange is a standard. TrustBuilder Token Exchange takes this standard to the next level. Core elements of TrustBuilder’s solution that go beyond OAuth 2 are:

  • TrustBuilder performs token exchange between the first party and the third party, adopting OAuth 2 Security Token Service (STS). This means that HR2me does not need to worry about this cross-domain protocol.
  • TrustBuilder performs account linking between identities in the first and the third-party domains. This means that HR2me does not need to worry about foreign identities and they can stick to their own identities.
  • TrustBuilder safely stores and reuses access tokens. This means that HR2me does not need to worry about caching and refreshing third-party tokens. Above all, it means that HR2me’s customers are not bothered with re-authentication, so they experience a seamless integration of third-party services into the HR2me app.
  • TrustBuilder has a catalog of third-party services, a Service Catalog, for which the entire integration process is out-of-the-box. Applications in this Service Catalog include Monizze and Olympus Mobility, and we are constantly adding new members to the platform. For these services, HR2me does not even need to worry about calling the API and simply asks TrustBuilder to activate the third-party service for them.
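To make the two mechanisms concrete, here is an added illustration in Python of the account-linking sequence from the previous section (vault lookup, automatic refresh of an expired token, and a consent check before a link exists) together with the OAuth 2 Security Token Service request from the first bullet above. It is not TrustBuilder’s code or API: the `TokenVault` class, the `run_scenario` helper, the user, service and token values are all constructed for the example. The only real identifiers are the RFC 8693 grant-type and token-type URNs used in `exchange_request`, which are what a standard token-exchange call carries.

```python
# Added illustration (not TrustBuilder code): consent-gated account linking,
# a token vault with expiry-aware refresh, and an RFC 8693 exchange request.
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Real RFC 8693 identifiers for the token-exchange grant and the token type.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


@dataclass
class StoredToken:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute epoch seconds


class ConsentRequired(Exception):
    """The first-party user has not (yet) consented to linking this service."""


# A refresher stands in for the third party's token endpoint: it takes a
# refresh token and returns (access_token, refresh_token, expires_at).
Refresher = Callable[[str], Tuple[str, str, float]]


@dataclass
class TokenVault:
    refreshers: Dict[str, Refresher]
    now: Callable[[], float] = time.time
    skew: float = 30.0  # refresh slightly before the real expiry
    # (first-party user, service) -> third-party subject identifier
    links: Dict[Tuple[str, str], str] = field(default_factory=dict)
    tokens: Dict[Tuple[str, str], StoredToken] = field(default_factory=dict)

    def link(self, user, service, third_party_subject, token, consent_given):
        """Record a link only when the user gave explicit consent."""
        if not consent_given:
            raise ConsentRequired(f"{user} declined to link {service}")
        self.links[(user, service)] = third_party_subject
        self.tokens[(user, service)] = token

    def access_token_for(self, user, service):
        """Return a valid third-party access token, refreshing it if stale."""
        key = (user, service)
        if key not in self.links:
            raise ConsentRequired(f"{user} has not linked {service}")
        tok = self.tokens[key]
        if tok.expires_at - self.skew <= self.now():
            access, refresh, expires = self.refreshers[service](tok.refresh_token)
            tok = StoredToken(access, refresh, expires)
            self.tokens[key] = tok  # keep only the newest token pair
        return tok.access_token


def exchange_request(subject_token, audience):
    """Form body of an RFC 8693 token-exchange request sent to an STS."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }


def run_scenario():
    """Replay the Hanna story with a constructed clock and constructed tokens."""
    clock = [1_000.0]
    refreshed = []

    def monizze_refresh(refresh_token):
        refreshed.append(refresh_token)
        return ("monizze-access-2", "monizze-refresh-2", clock[0] + 3600)

    vault = TokenVault(refreshers={"monizze": monizze_refresh},
                       now=lambda: clock[0])
    # Monizze was linked earlier; constructed token that expires in 60 s.
    vault.link("hanna@hr2me", "monizze", "monizze-user-42",
               StoredToken("monizze-access-1", "monizze-refresh-1", clock[0] + 60),
               consent_given=True)

    out = {}
    out["first"] = vault.access_token_for("hanna@hr2me", "monizze")
    clock[0] += 120  # the cached token has expired meanwhile
    out["after_expiry"] = vault.access_token_for("hanna@hr2me", "monizze")
    out["refresh_calls"] = len(refreshed)
    try:  # Olympus Mobility is not linked yet: HR2me must first obtain consent
        vault.access_token_for("hanna@hr2me", "olympus")
        out["olympus"] = "token"
    except ConsentRequired:
        out["olympus"] = "consent required"
    out["exchange"] = exchange_request("hr2me-session-token", "olympus")
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The app itself never sees the third-party refresh token: it asks the vault for an access token and receives either a fresh one or a consent-required signal, which is the point at which the user is sent through the third party’s own login and consent screens.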

Is this simply Single Sign-On (SSO)? In a sense, it is. But it is SSO across completely different domains with their own identities, without any need for a federated trust model and without the need for either party to worry about IT security and identity policies of the other party. It is Single Sign-On that is controlled by the consumer, with explicit consent for linking identities.

Getting authorization at a third party to call services on behalf of an end customer is truly accelerating the integration of third-party services. Using TrustBuilder Token Exchange & Storage, service providers that want to add extra services from partners to their digital ecosystem can do so, both securely and transparently.

Are you interested in making life easier on your users when you enrich your solution portfolio? Contact us for a demo.