A global manufacturing firm headquartered in the EU wanted to replace their current IAM solution as part of an overall modernization effort.
The company had a hybrid environment which consisted of a significant number of systems being delivered by SaaS providers while other systems were on-premise in their corporate datacenter. Some of these systems included Workday for HR, Oracle EBS for ERP, FreshService, GitHub Enterprise, a PLM, Tableau for Business Intelligence, Azure AD with Office365, on-premise Active Directory and others. The user community consisted of employees, contractors, customers and vendors. All of these users needed access to the systems. The company required a unified IAM platform which could achieve the following:
- Support employees, customers and vendors from the same platform
- Automated user life-cycle management for employees by integrating with Workday
- Self-registration with validation for vendors and customers
- Single Sign-On (SSO) to business applications
- MFA (Multi-Factor Authentication) for improved security
- Self-service password reset for all users
- Workflow-based request approval functionality for employees
After an extensive PoC and RFP process, OpenIAM was selected over current market leaders that offer either IDaaS or on-premise products. A unified platform consisting of Identity Governance, Web Access Management, Customer IAM and MFA had been delivered to the company as an Identity-as-a-Service (IDaaS) solution. This provided the company with a single solution for each of their user communities while the infrastructure is fully managed by OpenIAM.
Automated user life-cycle management has been enabled using the OpenIAM Workday Connector in conjunction with implemented business specific rules for life-cycle management. This supports the use cases of users joining the firm (joiners), terminations (leavers), position changes (movers), and people taking leaves of absence. As part of the solution, end-users are provided with a central login interface and a self-service portal. The login UI, which is part of the OpenIAM Identity Provider (IdP) functionality, supports MFA. Since some users at the customer do not have a mobile device the MFA solution was configured to e-mail and SMS. The OpenIAM Authenticator, which is a mobile app that supports OTP and Push Notification, has also been provided. To further improve security, the Adaptive Authentication functionality in OpenIAM has been leveraged to create Authentication workflows which combine MFA, Certificate-based authentication and business requirements for security. This was done through a browser-based graphical authentication-workflow designer.
The self-service portal has been configured so that all types of users can carry out their business-related tasks from a central location. Upon logging into the self-service portal, end-users can SSO to all of the applications that they are entitled to. They can also create requests for additional access by using the workflow driven service catalog and shopping cart. Similarly, approvers can view and process all incoming requests for access. If requests are accepted, then the system will automatically provision the new privileges using the connectors. The self-service portal also provides end-users with functionality for self-service password reset with password synchronization, further reducing load on the help desk. External users, customers and vendors, were able to use the self-service portal and gain access to the systems by signing up using the self-registration functionality. Like internal users, external users are assigned roles which control the applications that they can access and what they can do within those applications. The overall solution provides the company with a central platform which simplifies how end-users, internal or external, interact with business-critical applications. The sign-up effort is significantly reduced along with the effort to manage the user lifecycle. While the OpenIAM platform has significantly reduced operational overhead and improved end-user productivity, security and compliance with GDPR mandates has also been improved.