The CIAM Capabilities Taxonomy.
A vendor-neutral map of what a CIAM platform actually does: 37 core capabilities across nine domains, each tagged to the four stages of the consumer lifecycle (capture, engage, manage, admin). Use it to scope an RFP, run a capability gap workshop, or compare platforms in the same language.
The four building blocks
- Capture: Acquire the consumer: registration, social, progressive data, and consent. (First touch to activated account)
- Engage: Re-authenticate and authorize known users with low friction. (Login, step-up, transaction)
- Manage: Self-service profile, preferences, consent, and deletion. (Ongoing relationship)
- Admin: Onboard apps, set policies, integrate systems. (Operator-facing)
Identity Management & Lifecycle
Self-service of the consumer identity from creation to deletion.
- Registration: Consumer self-creates an account with branded forms, validation, and bot defense. (capture)
- Social / third-party login: Sign in via Google, Apple, Facebook, and regional or enterprise identity providers. (capture · engage)
- Self-service profile management: Consumer edits attributes, preferences, and MFA enrollment, or deletes the account. (manage)
- Password self-service: Forgot, change, and secure reset flows with hardened credential storage. (engage · manage)
- Account recovery: Regain access after lost credentials, device, or factor. (engage)
- Account de-registration: Consumer-initiated delete with data minimization and right-to-be-forgotten. (manage)
Authentication & Authorization
How users are verified and what they are allowed to do.
- Multi-factor authentication: A second factor beyond the password: OTP, push, biometrics, or FIDO2. (engage)
- Single sign-on: One login across multiple apps, brands, and sub-brands. (engage)
- Authorization & policy engine: Centralized rules for who can do what: RBAC, ABAC, and transactional policy. (engage)
- Session management: Granular session lifetime, scoping, and revocation. (engage)
- Open standards support: OAuth 2.0, OIDC, SAML 2.0, FIDO2, SCIM, and UMA. (admin)
Consumer Experience & Journey
UX, branding, friction calibration, and journey orchestration.
- Branded / white-label UI: All consumer-facing screens match the brand's look and feel. (capture · engage)
Privacy, Consent & Compliance
Capture, store, audit, and honor consent; comply with regulation.
- Consent capture: Collect explicit consumer consent at the right moments. (capture · manage)
- Consent granularity: Fine-grained, per-purpose consent rather than blanket terms. (manage)
- Consent dashboard & withdrawal: Consumer reviews and withdraws consent, propagated across systems. (manage)
- Consent audit trail: Long-lived, queryable, evidentiary record of every consent event. (admin)
- Data subject rights (DSAR): Support GDPR and CCPA rights to access, delete, and port data. (admin)
- Regulatory coverage: Built-in workflows for GDPR, CCPA, HIPAA, and other regimes. (admin)
- Right to be forgotten: Delete consumer data on request, including downstream propagation. (manage · admin)
Data, Analytics & Intelligence
Turn identity events into signal for marketing, fraud, and ops.
- Identity repository: Central directory store for consumer profile data. (admin)
- Profile schema flexibility: Add, remove, or modify attributes without downtime. (admin)
Integration & Extensibility
How CIAM lives inside the wider ecosystem of systems.
- REST APIs: Documented APIs for registration, auth, profile, admin, and query. (admin)
- Mobile SDKs: Native iOS and Android SDKs for auth, biometrics, and push. (engage)
Security & Threat Protection
Protect the consumer, the system, and the brand from adversaries.
- High-security data storage: Encryption at rest, key management, and bring-your-own-key. (admin)
- Encryption in transit: TLS everywhere with modern ciphers. (admin)
- Account takeover protection: Detect and block credential stuffing, stolen credentials, and bots. (engage)
- Bot & DoS protection: Withstand denial-of-service and automated abuse. (admin)
- SIEM integration: Export normalized identity events to security analytics. (admin)
- Compliance certifications: Independently verified SOC 2, ISO 27001, and sector standards. (admin)
- Password hardening: Hashing, salting, denylists, and breach checks. (engage)
Architecture, Scale & Operations
The non-functional foundation: deployment, scale, and availability.
- Deployment model: SaaS, PaaS, on-premise, or hybrid options. (admin)
- Dynamic scalability: Scale with demand without operator intervention. (admin)
- High availability & DR: Multi-AZ and multi-region with RPO and RTO SLAs. (admin)
- Performance SLA: Latency, throughput, and uptime guarantees. (admin)
Administration & Governance
Operator-facing control: how the program is run and evolved.
- Admin console: Operator UI for managing apps, users, and policies. (admin)
- Audit logging: Immutable logs of admin and consumer actions. (admin)
- Support SLA & service model: Vendor support quality, escalation, and engagement model. (admin)
Shown here: the core capabilities required in any CIAM program. Strategic and selective capabilities extend this set for specific verticals and use cases.