Customised IT Security with Modularity and Open Source


In our digital world, data is among the most valuable and the most vulnerable assets we have; this is especially true of personal data. Every organisation that processes or manages personal data therefore needs a tailored IT security concept. More often than not, the organisation's individual requirements cannot be met by a single standard product. An individually customised identity and access management (IAM) system should therefore be an integral part of any comprehensive IT security concept.

An IAM system populates a central user directory automatically. Users can reach exactly those systems of your organisation that the role assigned to them entitles them to, and thanks to single sign-on (SSO) a single login at the start of the working day is sufficient. The same system can also maintain accounts for additional personnel, as well as the accounts of systems and applications that themselves have to authenticate.

DAASI International has been dedicated to digital identity management since its foundation and develops technologies and concepts for better data security and more efficient data management. Drawing on many years of experience, DAASI International developed the open source solution didmos, a flexible IAM framework that is continuously evolved in line with the needs of a steadily growing number of customers.

didmos was designed as a toolkit so that even highly specialised requirements can be met. The toolkit consists of six modules which together form a highly scalable and powerful complete IAM solution. The individual modules can also be combined easily with other open source products. Below we introduce the most common combinations with other open source products:

didmos Authenticator and Corteza for Single Sign-On

Corteza is a digital work platform that combines essential business applications such as CRM, a customer service desk and an instant messenger for internal communication. didmos Authenticator is an authentication component based on the open source product SATOSA. Combined with didmos Authenticator, Corteza can provide access to resources across an entire organisation: the resources of large enterprises are linked digitally, even across a global network of subsidiaries, and employees authenticate only once to gain access to all connected applications. Because didmos Authenticator supports both SAML and OIDC, it can be combined with any standards-compliant application.

didmos ETL Flow and midPoint for Clean Data Migration

If an outdated or historically grown IT landscape lacks certain functions, often the only way to add them is to bolt on a second system. A modular solution is far more efficient, because only the specific components needed for the new functions are added. In this context we have already deployed the combination of the complete IdM solution midPoint with didmos ETL Flow. The latter extends midPoint with important functions for extracting source data and for transforming and harmonising it. Where an outdated system is to be replaced, didmos ETL Flow allows an uninterrupted and orderly data migration. It also lets you configure how the same identity is recognised across different source systems (correlation), and which attribute is taken from which source (attribute precedence).
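To make the two configuration questions concrete, the following is an added example written for this article; it is not didmos ETL Flow or midPoint code. It correlates records from three constructed source extracts (an HR system, an LDAP directory and a mail system; the source names, field names and the precedence policy are assumptions) and then merges attributes by a per-attribute source order. Records that would match two different identities are reported instead of being merged silently, which is the failure mode a migration has to surface rather than hide.

```python
"""Identity correlation across source systems with per-attribute source precedence.

Added example for this article; it is not didmos ETL Flow or midPoint code.
The source names, field names and precedence policy below are assumptions.
"""

# Assumed policy: the HR system is authoritative for names and employment status,
# the mail system for the e-mail address. First source in each list wins.
PRECEDENCE = {
    "givenName": ["hr", "ldap"],
    "sn": ["hr", "ldap"],
    "mail": ["mailsys", "ldap", "hr"],
    "active": ["hr"],
}

# Order in which sources are processed. Records that match nothing start a new
# identity, so an account that exists only in a later source shows up as an orphan.
SOURCE_ORDER = ("hr", "ldap", "mailsys")

# Constructed sample extracts (not real data) with deliberate inconsistencies:
# differing case of employee id and e-mail, an abbreviated given name in LDAP,
# a missing e-mail in HR, and an account (cdoe) that exists only in LDAP.
SOURCES = {
    "hr": [
        {"employee_id": "e1001", "givenName": "Anna", "sn": "Muster",
         "mail": "Anna.Muster@example.org", "active": True},
        {"employee_id": "e1002", "givenName": "Ben", "sn": "Beispiel",
         "mail": None, "active": False},
    ],
    "ldap": [
        {"uid": "amuster", "employee_id": "E1001", "givenName": "A.", "sn": "Muster",
         "mail": "anna.muster@example.org"},
        {"uid": "bbeispiel", "employee_id": "E1002", "givenName": "Ben", "sn": "Beispiel",
         "mail": "ben.beispiel@example.org"},
        {"uid": "cdoe", "employee_id": None, "givenName": "Chris", "sn": "Doe",
         "mail": "chris.doe@example.org"},
    ],
    "mailsys": [
        {"mail": "Anna.Muster@example.org", "givenName": "Anna"},
        {"mail": "ben.beispiel@example.org"},
    ],
}


def normalise_mail(value):
    return value.strip().lower() if value else None


def correlation_keys(rec):
    """Keys under which a record can be matched: the employee id (strong) and the
    normalised e-mail address (weak). Both are normalised before comparison."""
    keys = []
    if rec.get("employee_id"):
        keys.append(("employee_id", str(rec["employee_id"]).strip().upper()))
    mail = normalise_mail(rec.get("mail"))
    if mail:
        keys.append(("mail", mail))
    return keys


def correlate(sources, order=SOURCE_ORDER):
    """Group records from all sources into identities.

    Returns (identities, conflicts). A record whose keys point at two different
    identities, or a second record from the same source for one identity, is
    reported as a conflict and left out instead of being merged silently."""
    identities = []   # each: {"records": {source: record}}
    index = {}        # (key type, value) -> position in identities
    conflicts = []
    for src in order:
        for rec in sources.get(src, []):
            keys = correlation_keys(rec)
            hits = {index[k] for k in keys if k in index}
            if len(hits) > 1:
                conflicts.append({"source": src, "record": rec,
                                  "reason": "matches several identities"})
                continue
            pos = hits.pop() if hits else None
            if pos is None:
                pos = len(identities)
                identities.append({"records": {}})
            elif src in identities[pos]["records"]:
                conflicts.append({"source": src, "record": rec,
                                  "reason": "duplicate within source"})
                continue
            identities[pos]["records"][src] = rec
            for k in keys:
                index.setdefault(k, pos)
    return identities, conflicts


def merge_attributes(identity, precedence=PRECEDENCE):
    """Pick each attribute from the highest-precedence source that has a value."""
    out = {}
    for attr, srcs in precedence.items():
        for src in srcs:
            rec = identity["records"].get(src)
            if rec is not None and rec.get(attr) not in (None, ""):
                out[attr] = normalise_mail(rec[attr]) if attr == "mail" else rec[attr]
                break
    out["sources"] = sorted(identity["records"])
    return out


def build_identities(sources=SOURCES):
    identities, conflicts = correlate(sources)
    return [merge_attributes(i) for i in identities], conflicts


if __name__ == "__main__":
    merged, conflicts = build_identities()
    for m in merged:
        print(m)
    print("conflicts:", conflicts)
```

Running the block yields three identities: Anna and Ben are assembled from all three sources (with the HR name and the mail system's address winning), while cdoe remains an LDAP-only identity without an employment status, which is exactly the kind of record a migration should review before it is provisioned anywhere.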

didmos and Gluu for Better Performance

Because both products perform well, the combination of web portals implemented with didmos LUI and didmos Provisioner with the access management solution Gluu is the right choice where performance requirements are especially high. In a large-scale project for the European Space Agency (ESA), this combination allowed the successful implementation of a powerful IAM solution.

In this project, Gluu served as the central identity provider of the federation. This made it possible to connect a help-desk portal with Jira, as well as an analysis platform, while user data continued to be managed centrally.

SCIM and midPoint for an Easy Integration of Gluu

In cooperation with the publishing group Cornelsen, DAASI International developed a SCIM connector that links Gluu and midPoint. Gluu can now be provisioned directly from midPoint with the identity data it needs for access control. Since SCIM (System for Cross-domain Identity Management) is increasingly established as a standard in IAM, this development eases the integration into midPoint not only of Gluu but of any other SCIM-enabled application. The connector combines Gluu and midPoint into a well-integrated solution for IdM and AM.
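What a SCIM provisioning connector has to get right is visible in the two messages it sends: a User resource as defined in RFC 7643, and a PatchOp (RFC 7644) that changes only what differs. The block below is an added example for this article; it is not the DAASI/Cornelsen connector, nor midPoint or Gluu code. The internal attribute names (userName, givenName, sn, mail, active), the set of connector-managed SCIM attributes and the sample target state are assumptions; the resource and message formats follow the two RFCs. The HTTP transport (a PATCH to the target's /Users/{id} endpoint with a bearer token) is left out so the block runs offline.

```python
"""Mapping an identity to a SCIM 2.0 User and computing a minimal PatchOp.

Added example for this article; it is not the DAASI/Cornelsen connector, midPoint
or Gluu code. The internal attribute names and the list of managed attributes are
assumptions. Formats follow RFC 7643 (schema) and RFC 7644 (protocol).
"""
import json

SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Attributes this (assumed) connector owns on the target. Server-managed attributes
# such as "id" and "meta", and the read-only "groups" of the User resource, are
# deliberately absent: group membership is changed through the Group resource.
MANAGED = ("externalId", "userName", "name", "emails", "active")


def to_scim_user(identity, external_id):
    """Translate an IdM identity (plain dict, attribute names assumed) into a SCIM
    core User. externalId carries the IdM-side identifier so the target can be
    correlated back to the source of truth. An identity without an explicit
    status is provisioned disabled, which is the safer default."""
    name = {"givenName": identity.get("givenName"), "familyName": identity.get("sn")}
    user = {
        "schemas": [SCHEMA_USER],
        "externalId": external_id,
        "userName": identity["userName"],
        "name": {k: v for k, v in name.items() if v},
        "active": bool(identity.get("active", False)),
    }
    if identity.get("mail"):
        user["emails"] = [{"value": identity["mail"], "type": "work", "primary": True}]
    return user


def validate_user(user):
    """Checks a connector should run before sending a resource. Returns a list of
    problems; an empty list means the resource is acceptable."""
    problems = []
    if SCHEMA_USER not in user.get("schemas", []):
        problems.append("schemas must contain the core User schema URI")
    if not user.get("userName"):
        problems.append("userName is required")
    if sum(1 for e in user.get("emails", []) if e.get("primary")) > 1:
        problems.append("at most one e-mail may be marked primary")
    for ro in ("id", "meta", "groups"):
        if ro in user:
            problems.append(f"{ro} is server-managed and must not be sent")
    return problems


def patch_for(current, desired, managed=MANAGED):
    """Build a PatchOp that brings the target's current resource in line with the
    desired one, touching only managed attributes that actually differ.
    Returns None when nothing needs to change, so no request is sent at all."""
    ops = []
    for attr in managed:
        have, want = current.get(attr), desired.get(attr)
        if have == want:
            continue
        if want in (None, {}, []):
            ops.append({"op": "remove", "path": attr})
        else:
            ops.append({"op": "replace", "path": attr, "value": want})
    if not ops:
        return None
    return {"schemas": [SCHEMA_PATCH], "Operations": ops}


if __name__ == "__main__":
    identity = {"userName": "amuster", "givenName": "Anna", "sn": "Muster",
                "mail": "anna.muster@example.org", "active": True}
    desired = to_scim_user(identity, external_id="e1001")
    # Constructed state of the target: name still abbreviated, account disabled.
    current = {"id": "2819c223", "schemas": [SCHEMA_USER], "externalId": "e1001",
               "userName": "amuster",
               "name": {"givenName": "A.", "familyName": "Muster"},
               "emails": [{"value": "anna.muster@example.org", "type": "work", "primary": True}],
               "active": False}
    print(json.dumps(patch_for(current, desired), indent=2))
```

The resulting PatchOp contains exactly two "replace" operations (name and active); attributes that are already correct, and the server's own id and meta, never appear in it. Sending a full PUT instead would also be valid SCIM, but a diff-based PATCH keeps the target's audit log meaningful and avoids clobbering attributes another system may own.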

Shibboleth and privacyIDEA for Single Sign-On with Multi-Factor Authentication

The SAML-based Shibboleth software is mostly used to enable authentication and authorisation across organisations, but it also provides single sign-on. Its most notable components are the Shibboleth Identity Provider (IdP) and the Shibboleth Service Provider (SP). The Shibboleth IdP handles the authentication requests that arrive on behalf of users. Nowadays it is common practice to request more than one factor, e.g. a password plus a one-time code generated by a hardware device or an authenticator app, or sent to a mobile phone (codes sent by SMS are generally regarded as the weakest of these options). Here the combination with privacyIDEA makes the most sense: the open source product privacyIDEA exposes an API through which a wide variety of second factors can be verified, and it supports most common token types. To request multiple factors in a Shibboleth IdP and achieve a higher level of security, the IdP can thus be connected to privacyIDEA.

In this context DAASI International also offers the combination of didmos and privacyIDEA, with didmos Authenticator acting as the identity provider, or the combination of Gluu and privacyIDEA.

Mix & Match with Open Source

Organisations with a limited budget are hit hardest when no single solution covers all requirements. Modular extensions to open source complete solutions are significantly cheaper by comparison, and because the resulting infrastructure is also easier to maintain, such extensions help reduce costs in the long term.

In very large organisations or associations, combining two or more systems yields very stable and highly scalable setups. For different solutions to be combined, the software must be able to communicate, which is usually achieved through standardised protocols, or through specifically developed connectors and overlays. Proprietary solutions are often rather rigid and can be adjusted only minimally because their code is closed. Some vendors deliberately implement standards inaccurately so that customers are forced to use the same vendor's software when combining products. Open source software, in contrast, is usually based on international standards and can be adapted easily, which makes it far more versatile in its use and in the combinations it allows.

With this strategy, DAASI International follows the path of the “Identity Ecosystem” project initiated some time ago by Evolveum, the company behind midPoint, with the goal of creating a network of individual IAM-related solutions.
