Skip to content
On-demand recording | SAP IdM End of Life: Migration Without Disruption | With Deloitte · 60 min Watch recording
STANDARD

CIBA — Primer

CIBA enables decoupled, back‑channel user authentication where the client polls (or is notified) to complete login without a browser redirect.

Visual representation of CIBA standard
← All standards

Why it matters

Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.

Where it’s enforced

  • Gateway: pre‑execution gating (plan/schema pins, params/egress)
  • Shield: inline budgets/stream caps/content checks
  • PDP: decisions with constraints/obligations/TTL
  • IdP: passports, token exchange, consent/DPoP

How it works (high level)

CIBA enables backchannel authentication. Modes: poll, ping, push. The AS returns auth_req_id and interval; the client polls /token until success or timeout.

sequenceDiagram autonumber participant Client participant AS Client->>AS: backchannel auth (login_hint) AS-->>Client: {auth_req_id, interval} loop poll Client->>AS: POST /token (auth_req_id) AS-->>Client: authorization_pending end AS-->>Client: {access_token, id_token}

References

← SCIM
All standards
Model Context Protocol (MCP) →