Delivering Single Sign On @ amaysim

John Masson
engineering @ amaysim
Jun 13, 2018


A little over two years ago, amaysim began the shift from being purely a Mobile business (providing Mobile services to over a million customers) to where we are today: supporting four separate business streams, namely Mobile, Broadband, Energy and our Device E-Commerce store.

One of our key tenets at amaysim has always been to focus ruthlessly on simplification and customer satisfaction. As we began to increase the range of services we offered our customers, understanding how we would make it simple for our customers to use these services in a seamless manner became increasingly important.

All of us here have seen other businesses who have expanded the scope of the services they provide, but have done so in a clumsy or clunky manner. To their customers who have signed up to multiple services, it may actually feel like the only thing each service has in common is a shared logo! Which is fine, until as a customer you have to log in and enter or change identical information in three or more different places…

As we began to add more services to the amaysim portfolio we were adamant we didn’t want our customers to experience this. One of the key tools in ensuring this was a new Single Sign On (SSO) identity platform.

In the beginning

With just one line of business, our backend systems were pretty simple, and so was the customer experience. A customer could sign up for a Mobile plan and then would manage their account in the same app. That application received all the data it needed from a single backend Business Support System (BSS), which also handled authentication. In this model, single sign-on (SSO) was an out-of-the-box feature: there was only one thing a customer could sign in to! Need another phone service? Just log in and create one, without providing personal details again. Simple!

Then there were two

This all changed when amaysim Broadband came along. One of our key requirements when we launched was that an existing amaysim Mobile customer should be able to sign up to amaysim Broadband with maximum ease. Spoiler alert: we achieved just that! At launch, an amaysim mobile customer could become NBN-connected in just a few clicks. amaysim-ly Simple! :)

As we moved quickly to establish our Broadband vertical, we had to add a new BSS that would manage service provisioning for Broadband services. This worked well in isolation, i.e. for Broadband-only customers, but for joint amaysim Mobile and Broadband customers, having to log into separate applications to manage different amaysim services is hardly a hassle-free experience. This was something we wanted to explicitly avoid.

Instead, as the architecture shown above demonstrates, a new REST API acts as an anti-corruption layer between the Broadband BSS and the rest of amaysim, allowing Broadband to be accessed from the same application that customers already used for managing their Mobile account. These services, and the additional ones that followed, all needed to authenticate a user seamlessly, with the requirement that the user only has to log in once. This was to be the job of our Identity Provider (IDP).

IDP

We started with an initial set of basic requirements:

  1. A customer should only have to sign in once to access any amaysim service
  2. Our SSO solution needed to scale well as services were added
  3. Our solution needed to be easy for other teams to integrate with, so it had to be based on a widely used standard, i.e. OAuth 2.0.

At the outset, we looked at what we could get off the shelf to do the core authentication tasks, so that we could spend our time on the integration side instead. But at the customer scale we have at amaysim, a lot of the go-to services were too expensive, and some options (primarily AWS Cognito) were not available in the Sydney region at the time, which ruled them out.

The team had worked on systems like this before and we were confident that building a robust Rails application would let us rapidly deliver a performant and secure SSO platform. It runs inside the amaysim AWS containerised environment.

This simple and robust pairing has performed exceedingly well as our customer base has grown, and so have the demands placed on the service, both from customer authentication and from our back-of-house customer service team. Additionally, the infrastructure underneath IDP allows us to do seamless blue/green deployments at any time during the day with zero interruption to customers, something essential for this piece of the overall amaysim stack.

Working with IDP

As someone in another team inside amaysim, how do you work with IDP, and what does it give you?

As above, standards-based interoperability was an obvious key need. Our implementation therefore supports all standard OAuth 2.0 flows, although only the ones we actually require are enabled; leaving unneeded grant types switched off keeps the attack surface of the token endpoint as small as possible.

Once a person has authenticated, IDP can assert to any system connected to it that the person is who they claim to be, and tell that system who they are, which amaysim services they hold, and so on.
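To make the OAuth 2.0 exchange behind those two sentences concrete, here is an added, self-contained Ruby model of the authorization code grant between an identity provider and one relying application. It is illustrative code written for this page, not amaysim's IDP, and everything in it is assumed: the class names, the client id 'customer-portal' and its secret, the callback URL and the sample customer record. It shows the checks a practitioner expects at each endpoint: the redirect URI and grant type are validated against the client registration, the client must authenticate at the token endpoint, a code is bound to the client and redirect URI that requested it, is single-use and expires, and the relying app rejects any callback whose state it did not issue.

```ruby
require 'securerandom'
require 'uri'

# In-memory model of the OAuth 2.0 authorization code grant: an identity provider acting as
# authorization server, plus a relying application. Hypothetical names; not amaysim's IDP code.
class AuthorizationServer
  CODE_TTL = 60 # seconds an authorization code stays exchangeable

  def initialize
    @clients = {} # client_id => { secret:, redirect_uris:, grants: }
    @codes   = {} # code => { client_id:, redirect_uri:, user:, scope:, issued_at: }
    @tokens  = {} # access_token => { user:, scope:, client_id: }
  end

  # Register a client with only the grant types it actually needs enabled.
  def register_client(client_id, secret, redirect_uris, grants: ['authorization_code'])
    @clients[client_id] = { secret: secret, redirect_uris: redirect_uris, grants: grants }
  end

  # Authorization endpoint, reached after the user has signed in at the IDP. Returns the
  # redirect back to the client carrying a fresh code and the client's own state value.
  def authorize(client_id:, redirect_uri:, state:, scope:, user:)
    client = @clients.fetch(client_id) { raise ArgumentError, 'unknown client' }
    raise ArgumentError, 'redirect_uri not registered' unless client[:redirect_uris].include?(redirect_uri)
    raise ArgumentError, 'grant not enabled for client' unless client[:grants].include?('authorization_code')
    code = SecureRandom.urlsafe_base64(32)
    @codes[code] = { client_id: client_id, redirect_uri: redirect_uri, user: user, scope: scope,
                     issued_at: Time.now }
    "#{redirect_uri}?#{URI.encode_www_form(code: code, state: state)}"
  end

  # Token endpoint: the client authenticates and exchanges the code, exactly once, for a token.
  def token(client_id:, client_secret:, code:, redirect_uri:, now: Time.now)
    client = @clients.fetch(client_id) { raise ArgumentError, 'unknown client' }
    raise ArgumentError, 'bad client credentials' unless secure_compare(client[:secret], client_secret)
    grant = @codes.delete(code) # deleting makes the code single-use; a replay finds nothing
    raise ArgumentError, 'invalid or already used code' unless grant
    raise ArgumentError, 'code issued to a different client' unless grant[:client_id] == client_id
    raise ArgumentError, 'redirect_uri mismatch' unless grant[:redirect_uri] == redirect_uri
    raise ArgumentError, 'code expired' if now - grant[:issued_at] > CODE_TTL
    token = SecureRandom.urlsafe_base64(32)
    @tokens[token] = { user: grant[:user], scope: grant[:scope], client_id: client_id }
    { access_token: token, token_type: 'Bearer', scope: grant[:scope] }
  end

  # Resource endpoint: tells a connected system who the bearer of this token is.
  def userinfo(access_token)
    entry = @tokens[access_token]
    raise ArgumentError, 'invalid token' unless entry
    entry[:user]
  end

  private

  # Constant-time comparison so the client secret check does not leak through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A relying application that signs customers in through the IDP.
class RelyingApp
  def initialize(idp, client_id:, client_secret:, redirect_uri:)
    @idp, @client_id, @client_secret, @redirect_uri = idp, client_id, client_secret, redirect_uri
    @pending_states = {} # state => true until the matching callback arrives
  end

  # Step 1: build the authorization request; state ties the later callback to this session.
  def start_login(scope: 'profile')
    state = SecureRandom.hex(16)
    @pending_states[state] = true
    { client_id: @client_id, redirect_uri: @redirect_uri, state: state, scope: scope }
  end

  # Step 2: handle the redirect back; an unknown state is rejected before any code is exchanged.
  def finish_login(callback_url)
    params = URI.decode_www_form(URI(callback_url).query.to_s).to_h
    raise ArgumentError, 'state mismatch (possible CSRF or replay)' unless @pending_states.delete(params['state'])
    tok = @idp.token(client_id: @client_id, client_secret: @client_secret,
                     code: params['code'], redirect_uri: @redirect_uri)
    @idp.userinfo(tok[:access_token])
  end
end

# One complete login, then a replayed callback and a reused code. Client and user are constructed.
def run_oauth_demo
  cb  = 'https://portal.example/callback'
  idp = AuthorizationServer.new
  idp.register_client('customer-portal', 'portal-secret', [cb])
  app = RelyingApp.new(idp, client_id: 'customer-portal', client_secret: 'portal-secret', redirect_uri: cb)
  request  = app.start_login
  callback = idp.authorize(**request, user: { customer_id: 1001, email: 'ann@example.com' })
  user     = app.finish_login(callback)
  replayed = begin; app.finish_login(callback); 'accepted'; rescue ArgumentError => e; e.message; end
  code     = URI.decode_www_form(URI(callback).query).to_h['code']
  reused   = begin
    idp.token(client_id: 'customer-portal', client_secret: 'portal-secret', code: code, redirect_uri: cb)
    'accepted'
  rescue ArgumentError => e
    e.message
  end
  { user: user, replayed_callback: replayed, reused_code: reused }
end
```

Running run_oauth_demo returns the customer record for the genuine login, a state mismatch error for the replayed callback, and an "invalid or already used code" error when the same code is presented a second time. The model deliberately covers only a confidential client with a secret; a public client such as a mobile app or browser SPA would add PKCE on top of this flow.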

IDP also brokers most of the account creation process now: new customer funnels POST to a single registrations endpoint, and IDP takes care of creating the user in the downstream systems and then keeping them in sync. That part of the stack will be covered in future posts.

IDP's value

There’s a saying I like that I think sits at the heart of how IDP helps remove hassle from the customer experience:

A computer should never ask a question it should know the answer to.

For example, when a person with an amaysim mobile service wants to buy Broadband, they shouldn't have to fill out a form full of details they've already provided. A lot of companies might not bother to spend time on this functionality as a one-off, but as these events accumulate, the impact of repeated form fills can lead to a really poor customer experience.

The jump from one line of business to two is a huge one, and building IDP at this point laid the groundwork for subsequent work.

And then there were four

As amaysim has grown, the early investment in IDP has really proven its value. When we subsequently added the amaysim Energy and amaysim Device Store business lines, each with its own existing BSS and the need to integrate additional new services into amaysim's growing architecture, it was literally a two-minute job to allow each new application to tie into IDP. As a result, each business line was able to securely authenticate an amaysim customer and enable them to buy or manage their new products and services.

Though there was additional work necessary within each application or service to integrate with IDP, the use of standard OAuth 2.0 made this a relatively straightforward and widely understood task. We were also able to leverage solid libraries across almost any language or framework, including a nice integration with Alexa.

One more thing — The roll out

One of the things the team was most proud of was how smoothly the cutover to IDP went. This was one of our biggest takeaways for future efforts, so it’s worth a quick note on it specifically.

Identity is absolutely a “hygiene” feature — no one will thank you for getting it right, because when it’s really done well, it’s invisible; but if it goes wrong, it can be catastrophic.

We dialled down the risk of this critical change by decoupling it from the Broadband product launch it was supporting. Many weeks beforehand, customers started logging into MyAmaysim through IDP, using a page that looked identical to the one they had seen before, except for its URL. We kept the old authentication mechanism in place and could revert to it if a user couldn't be authenticated by IDP. In fact, this is how we built the IDP user base: from zero to more than a million users, migrated one by one as they logged in, which also allowed for a zero-downtime cutover without a 'Big Bang' migration.
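The "migrate on login" pattern described above is worth seeing as code. The following is an added Ruby example written for this page, not amaysim's implementation: the LegacyAuth, IdpUserStore and CutoverLogin classes, the PBKDF2 parameters and the sample customer are all assumptions. It tightens the fallback slightly compared with the post's description: the legacy backend is only consulted for users the new store does not know yet, so that once a customer has been provisioned into the new store, a stale legacy password can no longer be used to get in.

```ruby
require 'openssl'
require 'securerandom'

# "Migrate on login" cutover: the new identity store answers for users it knows; users it
# does not know yet are checked against the legacy backend and provisioned into the new
# store on their first successful login. Class and method names are hypothetical.

# Constructed stand-in for the legacy BSS login. It keeps plaintext passwords purely so the
# example runs offline; a real legacy system verifies credentials its own way.
class LegacyAuth
  def initialize(accounts)
    @accounts = accounts # email => { password:, customer_id: }
  end

  def authenticate(email, password)
    acct = @accounts[email]
    return nil unless acct && acct[:password] == password
    { email: email, customer_id: acct[:customer_id] }
  end
end

# The new identity store: salted PBKDF2-HMAC-SHA256 password hashes, created lazily at cutover.
class IdpUserStore
  ITERATIONS = 100_000

  def initialize
    @users = {}
  end

  def size
    @users.size
  end

  def exists?(email)
    @users.key?(email)
  end

  def create(email, password, profile)
    salt = SecureRandom.random_bytes(16)
    @users[email] = { salt: salt, hash: derive(password, salt), profile: profile }
  end

  def authenticate(email, password)
    user = @users[email]
    return nil unless user
    secure_compare(derive(password, user[:salt]), user[:hash]) ? user[:profile] : nil
  end

  private

  def derive(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: 'sha256')
  end

  # Constant-time comparison of the derived hash against the stored one.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The login path served during the cutover window.
class CutoverLogin
  def initialize(idp:, legacy:)
    @idp = idp
    @legacy = legacy
  end

  # Returns [profile_or_nil, source], where source is :idp, :legacy_migrated or :denied.
  def login(email, password)
    if @idp.exists?(email)
      # Once a user is in the new store its verdict is final. Falling through to legacy
      # for a known user would let a stale legacy password act as a second way in.
      profile = @idp.authenticate(email, password)
      return profile ? [profile, :idp] : [nil, :denied]
    end
    profile = @legacy.authenticate(email, password)
    return [nil, :denied] unless profile
    @idp.create(email, password, profile) # provision on the first successful legacy login
    [profile, :legacy_migrated]
  end
end

# Constructed walkthrough: one customer migrates on her first login; later logins are IDP's.
def run_cutover_demo
  legacy = LegacyAuth.new('ann@example.com' => { password: 'correct horse', customer_id: 1001 })
  idp    = IdpUserStore.new
  login  = CutoverLogin.new(idp: idp, legacy: legacy)
  first  = login.login('ann@example.com', 'correct horse')
  second = login.login('ann@example.com', 'correct horse')
  wrong  = login.login('ann@example.com', 'battery staple')
  nobody = login.login('bob@example.com', 'correct horse')
  { first: first[1], second: second[1], wrong: wrong[1], nobody: nobody[1],
    customer_id: first[0][:customer_id], idp_users: idp.size }
end
```

In the walkthrough the first login is answered by the legacy backend and provisions the customer into the new store, the second is answered by the new store alone, a wrong password is denied without any legacy fallback, and an email unknown to both systems is denied. A real deployment would also log which path served each login, since the share of :legacy_migrated answers is exactly the signal that tells you when the old mechanism can be retired.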

By the time Broadband went live, we were supremely confident that IDP would work without any problems, making the launch highly uneventful for the IDP team, in a good way!

Has any of the above piqued your interest? Does amaysim sound like the sort of place where you think you could make an impact? Do you thrive in organisations where you are empowered to bring change and constant improvement? Why not take a few minutes to learn more about our open roles and opportunities, and if you like what you see then say hi, we'd love to hear from you.

Shout-out to all the lawyers…

The views expressed on this blog post are mine alone and do not necessarily reflect the views of my employer, amaysim Australia Ltd.


Director, Australia @ Trineo, gamer, boy racer, Apple aficionado, political junky, wannabe economist, nerd and cultivator of spiky hair.