Many customers inquire about custom account system integration during initial consultations with our pre-sales team. This is a common question, and for good reason.

As companies scale, their employees rely on an increasingly complex suite of tools. This includes internal systems like IT, office automation (OA), and business applications, along with external integrations and account systems specific to various business functions and sub-systems.

Imagine the burden on employees if each system required a separate registration and login. This not only creates a clunky user experience but also significantly increases password management overhead.

Before we delve deeper, let's explore the concept of account system integration.

What is Account System Integration?

Imagine logging into any app – you might enter your phone number, username, email, employee ID, or even scan a QR code. But why do we go through this process?

Account system integration tackles three fundamental challenges:

  1. Who am I? - This verifies user or system identity. In server-side account systems, each user/system has a unique identifier (username, email, user ID, etc.) to distinguish them. Authentication confirms this identifier is valid and identifies the corresponding user/system.
  2. What permissions do I have? - This determines a user/system's access level. Permissions can range from read-only to full control. Roles or permission groups are often used, where users/systems are assigned to specific groups defining their permissions. Authorization ensures that access is granted according to assigned roles/groups.
  3. To which organization do I belong? - This identifies a user/system's organizational affiliation. Users can belong to companies, teams, departments, etc. Organizations are used to manage resource access, sharing, and determine user roles/permissions within the organization. The account system must handle multiple organizations and user relationships to properly manage access control.

These three questions form the core of identity authentication and authorization within an account system.

How to Align the Account System in the Management Backend?

The core challenge in account system integration is ensuring seamless interaction between user data (accounts, roles, permissions, organizations) in your system and the integrated systems. This integration facilitates identity authentication and authorization across platforms.

The industry offers several established solutions:

  1. Single Sign-On (SSO): A popular approach, SSO allows users to log in to multiple systems with a single set of credentials. Standardized protocols like OAuth, SAML, and OpenID Connect enable secure connections between your account system and integrated systems. With SSO, users only need to log in once to access all connected systems.
  2. API Integration: Define APIs to manage user information (accounts, roles, permissions, organizations). These APIs can be used to create/update/delete accounts, assign roles/permissions, and manage organizational structures. Other systems can integrate with your account system by calling these APIs.
  3. Data Synchronization Mapping: In specific scenarios, some integrated systems might require data fields not readily available in your system. Here, data synchronization with field mapping bridges the gap. By regularly synchronizing user, role, permission, and organization data across systems, consistency is maintained. Defining field mapping rules ensures accurate data matching between different systems.
  4. Centralized Personnel Management: Consider establishing a central identity management system for unified control over user, role, and permission data. Other systems can integrate with this centralized system for streamlined identity management. This approach minimizes data inconsistency and simplifies maintenance efforts.

Security Considerations:

Regardless of the chosen integration method, robust code and business audit mechanisms are crucial. This ensures the ability to:

  • Comply with potential audits: Having a clear audit trail allows investigation in case of anomalies or unauthorized access.
  • Maintain data retention capabilities: Retain logs for a designated period to facilitate compliance and security investigations.

By prioritizing these security features alongside integration, you can ensure a secure and reliable account system integration process.

FinClip's Account System Alignment Methods in the Management Center

We offer two primary methods for account system alignment with private customers: data synchronization and real-time verification. The optimal choice depends on your specific business needs and IT system architecture.

Plan One: Data Synchronization

This approach leverages FinClip's OpenAPI and related services to synchronize relevant account information from your system. Users then authenticate and log in through a unified account system within FinClip.

Advantages:

  • Performance and Speed: Pre-synced data offers faster retrieval times, improving overall efficiency.
  • Offline Support: Even during system outages in your account docking system, users can still complete operations and access requests within FinClip.
  • Reduced Integrator Burden: Periodic data synchronization eliminates the need for real-time request handling on your end.

Risks to Consider:

  • Data Synchronization Delays: Synchronization might not be instantaneous, potentially leading to discrepancies with the latest account information.
  • Regular Data Updates: Consistent data synchronization is crucial to maintain accuracy, which can introduce potential synchronization issues.
  • Security Risks: Data confidentiality and integrity are paramount during synchronization.
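The mapping and delay risks above can be made concrete with a reconciliation step. This is an added example, not FinClip's code or its OpenAPI schema: the field names, role names and records are constructed assumptions. It maps upstream records through explicit field and role rules and plans which local accounts must be disabled so that a stale copy does not keep a deprovisioned user active.

```javascript
// Constructed mapping rules (target field <- source field); not FinClip's OpenAPI schema.
const FIELD_MAP = { accountID: 'emp_no', email: 'mail', org: 'dept_code' };
// A Map avoids inherited keys such as "constructor" resolving to a value.
const ROLE_MAP = new Map([['HR-ADMIN', 'admin'], ['DEV', 'developer'], ['STAFF', 'viewer']]);

// Map one upstream record to the local schema; throw if a required field is unusable.
function mapRecord(src) {
  const out = {};
  for (const [target, source] of Object.entries(FIELD_MAP)) {
    if (typeof src[source] !== 'string' || src[source].trim() === '') {
      throw new Error(`missing source field ${source}`);
    }
    out[target] = src[source].trim();
  }
  // Unmapped upstream roles are dropped, never passed through as-is.
  out.roles = (src.roles || []).map((r) => ROLE_MAP.get(r)).filter(Boolean);
  out.active = src.status === 'active';
  return out;
}

// Diff the upstream export against the local copy and return the changes to apply.
function planSync(sourceRecords, localAccounts) {
  const plan = { upsert: [], disable: [], rejected: [] };
  const upstream = new Map();
  for (const src of sourceRecords) {
    try {
      const rec = mapRecord(src);
      upstream.set(rec.accountID, rec);
      if (rec.active) plan.upsert.push(rec);
    } catch (err) {
      plan.rejected.push({ record: src, reason: err.message });
    }
  }
  // Fail closed: a local account that is disabled or absent upstream is disabled here too.
  for (const acc of localAccounts) {
    const rec = upstream.get(acc.accountID);
    if (acc.active && (!rec || !rec.active)) plan.disable.push(acc.accountID);
  }
  return plan;
}
```

Rejected records are returned rather than silently skipped so they can be written to the audit trail and reviewed.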

Plan Two: Real-time Verification

This method relies on FinClip to verify user accounts through your provided account interface. Upon successful verification and retrieval of account information, the user logs in.

Advantages:

  • High Real-time Accuracy: FinClip retrieves the latest account information at any time, ensuring real-time validity.
  • Precise Control: You can request specific account information relevant to the business scenario, instead of synchronizing the entire data set.
  • Reduced Data Redundancy: FinClip avoids storing account-related data, minimizing redundancy and consistency concerns.

Risks to Consider:

  • Performance and Response Times: Real-time verification might experience delays, especially under high loads or slow response times from your integrated system.
  • Integrator Dependence: Your service's stability and performance significantly impact FinClip's functionalities. Any faults or delays on your end can affect FinClip's services.
  • Frequent Calls: Frequent access to account information might result in a high volume of requests, potentially burdening your integrated system.

Choosing the Right Method:

The ideal approach hinges on your business and IT system's specific requirements. If real-time updates are crucial, real-time verification is preferable. However, if performance, availability, or handling large data volumes are priorities, data synchronization may be more suitable.

Standard vs. Non-Standard Protocol Docking:

While standard protocols (OAuth/SAML/OIDC) are commonly used, some customers choose non-standard account protocols tailored to their specific needs. Regardless of the chosen protocol, the core docking principles remain similar:

  • Standard Protocol Docking:
    • Obtain the unique account identifier (accountID).
    • User Login: Verification based on the standard protocol's user identity verification.
    • User Role: Pre-configured user roles, with potential for self-modification or account integration system role management capabilities.
  • Non-Standard Protocol Docking:
    • Interface creation through token/account password/customer API.
    • User Login: Verification based on corresponding parameters after user identity verification.
    • User Role: Pre-configured user roles, with potential for self-modification or account integration system role management capabilities.

Conclusion:

In real-world scenarios, you can consider a combination of both methods or choose different approaches for various use cases. The key focus should always be on maintaining data consistency, security, and availability.

FinClip's Mini Program Account Alignment Method

Now that we've explored account alignment methods in the management backend, let's delve into common user account alignment challenges within mini programs.

Since mini programs typically function as modules within a host app (or device), their login method usually leverages the host app's (or device's) account information. Users won't encounter a separate login page within the mini program itself.

For instance, in familiar WeChat mini programs, the mini program calls wx.login to obtain a user code, followed by server-side verification.

FinClip offers various flexible user authorization methods catering to different developer needs. Regardless of the developer type, all can achieve flexible mini program account alignment using FinClip.

Plan One: Server-Side Modification

This approach is ideal when "customers build their own mini program ecosystem based on FinClip but lack control over the mini program code."

Here's what customers need to handle:

  1. Inject wx.login Method: A custom API injects the wx.login method into the app, returning the code in the WeChat mini program format.
  2. Mini Program Unmodified: The mini program remains unchanged, sending the code to the developer's server as implemented in WeChat.
  3. Server-Side Adaptation: The developer's server recognizes logins originating from the FinClip platform based on the code. It parses the UserID from the code to return information from their own account system.

Plan Two: Server-Side Modification + WeChat Authorization

This scenario integrates server-side modification with WeChat authorization and applies to "customers who split original app functionalities into FinClip mini programs. All mini programs are modified and integrated by their own R&D team."

Here's the customer investment breakdown:

  1. Integrate WeChat SDK: Integrate the WeChat development platform SDK into their SDK.
  2. Custom API and WeChat Authorization: Use a custom API to inject wx.login and call WeChat authorization to obtain the returned code (which might require concatenating a unique identifier).
  3. Mini Program Unmodified: Similar to Plan One, the mini program remains unchanged, sending the code to the developer's server.
  4. Server-Side Calls: Based on the code's unique identifier, the server calls different authorization interfaces to obtain the OpenID and query the login status.

Important Note: Due to WeChat restrictions, a user's OpenID is not consistent across different entities and open platforms. In such cases, the mini program needs to be associated with the same entity or open platform, at which point the unique identifier is the UnionID.
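The server-side adaptation step in Plan One and the routing step in Plan Two both trust whatever the code says, so the code has to be unforgeable, short-lived and single-use. The following is an added example, not FinClip's or WeChat's code: the `fc.` prefix, the payload layout and the key shared between the host app's backend and the developer's server are all assumptions.

```javascript
const crypto = require('crypto');

// Hypothetical code format: "fc.<base64url JSON payload>.<base64url HMAC-SHA256>".
const PREFIX = 'fc';              // assumed marker for codes minted by the host app's backend
const MAX_AGE_MS = 5 * 60 * 1000; // login codes are short-lived
const seenNonces = new Set();     // single-use tracking; a shared TTL store in production

const sign = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// Host app backend: mint a code for the user already logged in to the app.
function issueCode(key, userId, now = Date.now()) {
  const claims = { uid: userId, iat: now, nonce: crypto.randomBytes(12).toString('hex') };
  const body = `${PREFIX}.${Buffer.from(JSON.stringify(claims)).toString('base64url')}`;
  return `${body}.${sign(key, body).toString('base64url')}`;
}

// Developer server: route the code the unmodified mini program sent.
function resolveLogin(key, code, now = Date.now()) {
  if (typeof code !== 'string' || !code.startsWith(`${PREFIX}.`)) {
    return { source: 'wechat', code }; // unmarked codes go to the WeChat code exchange
  }
  const fail = (reason) => ({ source: 'finclip', ok: false, reason });
  const parts = code.split('.');
  if (parts.length !== 3) return fail('malformed');
  // Verify the MAC before parsing anything the client could have altered.
  const expected = sign(key, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return fail('bad-signature');
  }
  const { uid, iat, nonce } = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (Math.abs(now - iat) > MAX_AGE_MS) return fail('expired');
  if (seenNonces.has(nonce)) return fail('replayed');
  seenNonces.add(nonce);
  return { source: 'finclip', ok: true, userId: uid };
}
```

The code is minted on the host app's backend rather than inside the app, because a signing key shipped in a client binary can be extracted.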

Plan Three: Mini Program Modification

This approach applies when customers already have production-ready mini programs but need to modify their content. They can add environment variables (such as wx.login or a similar custom API like wx.loginFinClip) that the code checks to determine the environment it is running in. This requires the ability to edit the mini program code.

The primary requirement here is to inject wx.login through a custom API in their app to obtain the current user's login status.


Considering Unified Account Docking for Your Enterprise?

If your organization is exploring or planning to invest in "unified account docking" solutions, FinClip and our partners can be valuable resources. We offer extensive experience and successful case studies to help you navigate account docking challenges.

Here's what we can offer:

  • Shared Expertise: Leverage our experience from past projects and service implementations to gain valuable insights into account docking best practices.
  • Real-World Solutions: Learn from successful case studies that showcase how we've helped other organizations overcome account docking hurdles.
  • Collaborative Approach: Partner with FinClip and our network to develop a tailored solution that meets your specific needs.

By working together, we can ensure a smooth and efficient account docking process for your enterprise.