Case Studies Secure Access to Cloud-Based Application—For Both Employees and External Customers

Secure Access to Cloud-Based Application—For Both Employees and External Customers


Our client, a global financial services company, sought a repeatable, elegant solution to a thorny problem: how users of two completely different types—verified by two different identify providers—can both log into the same cloud-based custom application. The project was important not only for security purposes but in enabling a new business focus on making this particular custom application available to external users for a fee.


This was a complex project with many subtle points, all carefully coordinated to ensure security and ease of use for both users (logging in) and administrators (managing the system, including applying its structure to other contexts in the firm).

The gist of the challenge lay in needing to accommodate both our client’s global employees and also its customers, including a constant flow of new users who pay on the spot for access to the cloud-based application. Here are some of the key high-level points:

  • For the employee group, identify verification needed to happen via an existing Azure Active Directory system.
  • For the customer group, we needed to create a new Azure B2C identify system.
  • The cloud-based custom application needed to trust both those identity providers. The big problem? There’s no off-the-shelf solution for this dual-identity-provider needs.

We designed and implanted a custom, repeatable solution that incorporated the following:

  • Front-end portals (both general and administrator versions), using Angular for the identity layer
  • Back-end system, using ASP.NET WebAPI 2
  • Identity database
  • Authorization Middleware: This is the back-end identity logic that establishes user roles before they login, enforces user permissions (what they see and don’t see), requires payment (customers) or not (employees), links existing permissions to a new user account based on the new user’s email address (whether employee, administrator or customer), and more. As permissions and business logic relating to authorizations change, adjustments can be made here with effects then implemented in multiple custom applications.

While the solution was complex, the user experience enabled by the solution was simple and smooth.

Our work enabled our client to launch its business focus on drawing external customers to sign up to use this particular custom application. The project was also relevant to other critical cloud-based applications in our client’s environment.