didmos – the IAM Software Suite

didmos is the powerful software for Identity & Access Management from DAASI International. It consists of six expandable open source modules which can be individually adapted to your infrastructure.

Basic Concept Modules Roadmap Source Code Community Documentation Demo Services

Basic Concept

Everytime an organisation decides to establish an Identity & Access Management system, similar questions arise:

How should data exchange operate among the different systems (data models, interfaces, access information etc.)?
How can internal permissions be represented in the best way?
How can specific organisational procedures (administration processes, self-service functions for users etc.) be modelled optimally?

Although these questions are similar in each organisation, their answers are always different and depend on the specific requirements and structures of the respective organisation. That is why proprietary standard software is often an unsatisfactory solution.

Modules for more flexibility

In contrast to a constrained standard solution, didmos is highly flexible, as it consists of six adjustable modules.

All modules are well coordinated with each other; together they form a flexible, broad and comprehensive Identity & Access Management system, that can be adapted to individual requirements and desires. Additionally, didmos provides ideal conditions to be integrated into your existing IT landscape through high standards compliance and and a strong focus on expandability.

In summary, didmos is not a proprietary standard software, but an individual and lasting all-in-one solution that adapts to all conditions and requirements with the help of its module structure.

Modules

LUI

The LDAP user interface, or LUI in short, forms the core of didmos and consists of three elements: a front-end component for administering users or for their self-administration, a backend for business logic and workflow engine, and a metadirectory as persistence layer. The workflow engine can, for instance, illustrate approval processes.

The LUI back-end allows for an endless range of possibilities to add different modules. As it is compliant with the international standard SCIM-v2 for the distribution of identities within a cloud, LUI is universally applicable. As this module is completely customisable, even your corporate design can be included.

Authenticator

Within the didmos framework, the authenticator is a universally applicable authentication tool. It can even work for all kinds of other applications. The modular structure, which makes the Authenticator highly flexible, allows for the it to be deployed in any SSO environment. The implementation of the SAML and OpenID Connect protocols enables users to login with either internal or external accounts, using i.e. social login via Facebook, X, etc. This way users only need one account instead of setting up one account for each service they wish to use. The possibility to include the open source software PrivacyIDEA, ensures maximum data security with multi-factor authentication.

Federation Services

didmos Federation Services is a toolkit designed to help with the unique challenges of federated IAM environments. The toolkit is going to be continuously amended and expanded with the help of the community as well as by observing technological developments in the field. Each tool is designed in a way to allow them to seamlessly work with didmos modules, such as didmos Authenticator but can also be used as a stand-alone solution.

Pwd Synchroniser

Pwd Synchroniser allows the event-based synchronisation of passwords from an Active Directory domain controller to other directories, such as OpenLDAP. The simple installation as a Windows service, the encrypted caching on the domain controller as well as the recording of the synchronisation processes make Pwd Synchroniser an effective module for the integration of Active Directory.

ETL Flow

ETL Flow stands for extract, transform, load, workflow; accordingly it extracts data from different sources, such as ERP-, SAP-, XML-, or SQL databases to synchronize them in a central metadirectory. The crucial processes are identifying data based on weighted attributes (duplicate detection), merging data into one coherent data set based on automatically generated attributes (data harmonisation) as well as automated group formation.

Provisioner

Provisioner can transfer identity information into connected target systems in real time. Relevant changes are written as a JSON document into the queuing system RabbitMQ, from there a dedicated worker picks them up to install the changes in the target system. In order to do this, the worker relies on an ICF connector framework which allows the use of different interfaces, i.e. SOAP, REST, LDAP or SQL; or even individual connectors to integrate proprietary systems.

Core

didmos Core is at heart of the didmos suite. It contains several functions for the administration of access control and objects (i.e. users and groups). All of the functions use REST webservices to operate, these include creating, deleting, and changing objects. Didmos Core was written in Python. It deploys the pertinent standard SCIM-v2 and can even define individual endpoints if a certain function is not set up by default in SCIM.

Didmos Core was developed based on flexibility and extensibility. It is highly adaptable to meet any possible requirement. In case of particularly specific requirements, it is possible to implement completely new generic functions. This way, developers are always able to accommodate individual needs. Developers can rely on fully tested components to minimise the risk of errors. Lastly, didmos Core also allows for the integration of customised applications with their own respective webservice interfaces to realise various specialised functions.

Roadmap

didmos is based on the latest open source technology and meets all the requirements for building a high-performance IAM system. In order to guarantee this quality in the future and to meet the individual requirements of innovative organisations, DAASI International is constantly developing didmos further.

If you would like to find out more about the features we are currently developing or which additional features are planned, you can access the actual roadmap in our public Wiki.

Source Code

The source code of the individual modules of our current didmos version can be found in our GitLab at:

gitlab.daasi.de/didmos2

Become part of our developer community!

didmos Community

Behind every good open source solution, there is an active community. With the „didmos Users“ mailing list members have the opportunity to ask questions about didmos, and make suggestions for new features. Additionally, there will be regular updates on new features and updates for the software.

Apart from the open list, there is also a closed list „didmos Developer“. It caters to developers and allows them to discuss the code and the (further) development of the software. Membership is only granted upon request.

Stock photo: Two hands holding a paper garland made of stick figure cut-outs

Registration

Everyone interested is welcome to join the user list. The registration page also includes the mailing list archive.

https://lists.daasi.de/postorius/lists/didmos-users.lists.daasi.de/

If you are interested in joining the developer list, or have questions about this list, please contact us.

List Policy

In all didmos lists general communication rules apply.
When posting to the list please observe the netiquette as defined in RFC 1855 and the following general principles:

Stock photo: multiple envelopes artfully arranged and spread out

The language of the mailing list is English. Nonetheless, German inquiries will of course also be answered, especially on the didmos Users list.
Do some research before asking questions, please especially consult the FAQs and documentation first.
Please always provide sufficient context: The list is not intended to provide time savings to some while using time resources of others. So please be precise and provide all background information so that likewise precise answers can be given.
Contribute: If you know the answer to a question posted, please go ahead and help out with an answer. Answers do not need to be perfect and might nonetheless be helpful.
Be polite, don’t SHOUT, don’t be rude and always bear in mind that there are different levels of technical expertise involved. No question is stupid and may be asked, please just make sure the question is not yet answered in the FAQs.

About the Lists

didmos Users

This list is for exchange of people and organisations on all didmos subjects. It is the primary community communication channel, where didmos users can exchange their experiences with the product, discuss features, and ask questions on configuration. The list will be monitored by DAASI International staff but there are no SLAs as to response times etc. If customers are interested in professional support with guaranteed response times and professional advice, we advise you to pursue a support contract, e.g. for help desk hours with a guaranteed first reaction within four business hours.

Anyone interested in didmos can subscribe to this list.

didmos Developers

This is a list for those, that contribute to the code and / or the documentation of the project. Technical details on best practices, feature design, standard protocols used in didmos (e.g. SCIM, OIDC, etc.) and any other development related topics.

This is a closed list, mainly intended for exchange among the developers, which mostly are DAASI International staff and DAASI International freelancers. Anyone committed to providing code and / or documentation is nevertheless welcome to apply for membership.

Documentation

Over the past years, didmos has grown tremendously. New modules and features have transformed the framework into a multifunctioncal and complex IAM suite.

The public DAASI International Wiki provides in their documentation a comprehensive guide and assistance for your IAM project.

didmos – Try Now!

Our demo version has not yet reached the maximum of possible functionality. However, we are continuously working on its expansion and regularly add new features for you.

Superadmin Credentials
User Name: superadmin
Password: secret

In addition to the online demo, you can also use the didmos demo deploy to test didmos locally in your own environment.

Enjoy the testing experience!

Current Components

OpenLDAP-Server – The persistence layer of identity management in didmos
didmos Core – Implementation of essential processes
didmos Core, espacially SCIM-v2, is operable via a REST-Interface and directs the right management (of build-in RBAC-compatible Policy Decision Point) and also the storage of LDAP-servers.
didmos Authenticator – Authentication and access management
didmos LUI – A self-service interface, which, with the appropriate role membership, can be used as an admin tool
didmos Provisioner – Provisioning of data in favor of arbitrary target systems
An Active Directory as an example of a provisioned system

Configurated Features so Far

Selfservice / Authenticator

Multi-lingual: the portal is available in multiple languages
LDAP Login: login with LDAP password and optional multi-factor authentication.
Social Login: login with social account (i.e. Facebook)
Self-registration: creating a new account, including acceptance of terms and conditions or else, email verification, and password strength review. It is configurable whether self-registration leads to an account application or directly to a user account.
Manage own data: displaying and changing separate files
For example, name and surname as boxes with just one value, telephone number with any values and unchangeable username and email address. It is possible to configure any arbitrary attribute. Additionally, all group and role memberships are displayed
Password Policies: It is possible to configure different password policies for different user roles.
MFA: Various methods of 2-factor authentication are offered. In the demo, TOTP (can be used e.g. with the Google Autheticator App or privacyIDEA Authenticator App) and e-mail are currently configured as 2nd factor. However, Didmos also supports other 2nd factors such as hardware tokens or SMS tans.
Groups: Groups where appropriate authorisations are configured can be joined directly or a membership request can be made, which can then be accepted or rejected by an administrative user.
Request Admin Access: requesting the role “admin”. A request will be issued in the admin-portal, which can be accepted or declined by an officiate admin
History report: logs and displays all changes of user attributes within your account including information about who they were implemented by
Delete Account: Delete your own account. Depending on the system configuration, the account is deleted directly, moved to the recycle bin or a deletion request is generated.
Themes: Individual designs can be easily implemented (the demo contains 3 themes as examples, which can be selected via the header menu).
Logout: log out of the account
Forgotten password workflow
Change your own password

Administration

Multi-Tenancy (can be activated or deactivated): different organisations can work with different sets of data at the same time
Userlist : list of all saved users with the options to create new user, select users to change their information, deactivate or delete an account. Users can also be added to existing groups here, MFA tokens can be managed for them and their change history can be viewed.
Account applications: Account applications can be accepted, rejected and assigned to tenants
Groups: List of all groups with the option of creating new groups and editing existing groups (e.g. adding new members or setting group administrators and group policies), deleting existing ones.
Roles: Add users to or remove them from roles
Manage other requests: Edit group contribution requests and role requests. Customised request objects can also be configured.
Recycle bin: Deleted users are moved to the recycle bin instead of being permanently deleted. This feature is configurable.
CSV import: Import new users into the system via a CSV file

Continuous Extension

This infrastructure will be gradually expanded by:

additional functionalities within the interface
additional source as well as target systems

didmos is like modular system designed for flexible functionalities. This demo is a specific configuration of many different possible versions. Due to the set-up of didmos, nearly everything, especially in terms of design, can be realised entirely customised to meet your requirements.

What Services Does DAASI International Offer for didmos?

DAASI International of course offers the full range of services for their own software suite:

Consulting: DAASI International is happy to consult you on the different possibilities of integrating didmos into you IT infrastructure. Of course, we can also support with any subsequent project with didmos.
Configuration and Integration: DAASI International will gladly help implementing didmos within your IT landscape, and will configure didmos according to you instructions and requirements, all within the means of an introductory project.
Development of Extensions: If one of your requirements cannot be met by didmos, DAASI International can develop the necessary solution directly in didmos for you. It is possible to encapsulate this particular piece of code in a way that it does not become part of the out-of-the-box solution, and thus is not automatically delivered to other customers. Nonetheless, we always prefer open source licencing, provided that the extension code does not contain confidential information.
Software Maintenance: DAASI International offers software maintenance contracts for the core software as well as customer-specific extensions, with a maintenance contract we can guarantee updates, bug fixing, and the maintenance of the in the project originally delivered functionality. This is an equivalent to 3rd level support in addition to the operation of a customer-specific test system, with which every new release can be tested.
Managed Services Productive Operation: Moreover, DAASI International can take care of the productive operation by taking over monitoring, maintenance, reporting, and updates for the implementation. This can be provided for installations on servers (on-premise) or as SaaS solution, in the latter case DAASI International will host didmos in a German data centre.
Helpdesk: The customer is responsible for the productive operation here. However, DAASI International will answer questions, and helps with errors with an SLA of four hours. Moreover, changes to the configuration can be ordered via the help desk contingent.
Trainings: The experts of DAASI International will train your employees in regards to the set-up, utilisation, and maintenance of didmos.

You are interested in a flexible IAM solution?

We would love to help you!

Contact form