Centralized Access Management Solution for a German Metropolis

The municipal utility company of a large German city needed to consolidate its decentralized access management solutions used by employees and customers. Employees relied on a custom solution based on the Central Authentication Service (CAS) and Azure AD for authentication, while customers navigated a complex mix of legacy systems for various services, from energy supply to parking management. In 2019, the utility issued a Germany-wide RFP to find a partner capable of unifying this landscape. iC Consult was awarded the contract and, within just a few months, implemented a robust platform managing over one million accounts, streamlining both employee and customer access.

At a glance

Industry: Utilities

Region: Germany

About the customer

The customer is one of the largest municipal utilities in Europe. It employs almost 10,000 people and supplies over one million customers with electricity, water, gas, and district heating. In addition, it operates public facilities and offers telecommunications services.

Challenge

Development of a central access management system

Products & Services

PingAM, PingDS

Results

  • Unified, centralized access management platform for employees and customers
  • Risk-appropriate authentication
  • Application-specific, configurable authentication and authorization for web applications and SaaS services
  • Single sign-on for SaaS and on-premises web applications, via Security Token Service (STS) for employees

Development of a Central Access Management System

Previously, the municipal utility operated multiple access management systems for its employees and customers. For employees, this was a custom solution based on the open-source Central Authentication Service (CAS) package. Additionally, Azure AD was used for authentication via SAML 2. This was, however, only intended as a temporary solution. Personnel fluctuations also meant that support for CAS could no longer be provided by the company’s own specialists.

In terms of customer connectivity, a self-implemented solution incorporated several legacy systems for the various logins. These included accounts for a wide range of services – from the supply of electricity, water, or gas, to parking management and ticket sales for public transport. To standardize this very heterogeneous landscape, simplify operation and maintenance, and create a solid basis for future growth, the municipal utility issued a Germany-wide RFP in 2019. iC Consult won the decision-makers over and started planning and implementation in December of the same year.

Tailored Solutions for Seamless Employee and Customer Access

Originally, the client wanted a single access management solution for all employees and customers. iC Consult developed a technical concept and recommended a solution based on Ping Identity products. However, as the project progressed, it became clear that the implementation (and the subsequent maintenance) would be too expensive in this form. For this reason, the architecture was changed to two separate solutions, both still based on PingAM. PingDS was used as the directory on the customer side; an existing directory service remained in place for the employees.

On the employee side, the goal was to authenticate people via single sign-on, but also to provide authorization control by categorizing users into groups. Applications can then obtain these group assignments through the various integration paths (SAML, OIDC) and use them for their own authorization decisions.
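The group-claim authorization path described above, as an added illustration that is not code from the project: a relying party verifies the ID token it received via OIDC and only then derives its decision from the groups claim. The issuer, audience, secret and HS256 signing are assumptions made so the example runs offline; a real PingAM deployment signs with RS256 and the application verifies against the provider's published JWKS.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed values: a shared HMAC secret standing in for the provider's
# signing key, plus placeholder issuer/audience strings. Production OIDC
# uses RS256 and the JWKS endpoint; HS256 keeps this self-contained.
SECRET = b"constructed-shared-secret"
ISSUER = "https://sso.example.invalid/am/oauth2"   # placeholder issuer
AUDIENCE = "parking-admin-app"                      # placeholder client_id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Mint a sample ID token the way the identity provider would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if signature, alg, issuer, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    # Pin the algorithm we expect; never let the token pick its own.
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    claims = json.loads(_unb64url(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def is_authorized(token: str, required_group: str, now: Optional[int] = None) -> bool:
    """Authorization decision taken from the verified token's groups claim."""
    claims = verify_token(token, now)
    return claims is not None and required_group in claims.get("groups", [])
```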

To boost security, the municipal utility requested two-factor authentication (2FA) for employees. This involved considering an existing hardware token solution, but also various 2FA smartphone app procedures and SMS-TAN as an interim solution. iC Consult prepared and tested the options together with the customer. In the end, an SMS-TAN solution, the Ping Identity push app, and FIDO2 with YubiKey hardware tokens were implemented – primarily for cost reasons (licensing fees).

On the customer side, the focus was on integrating a login portal for customers to access numerous services: from electricity metering and ticket purchasing via smartphone, to third-party solutions such as mobile parking. In total, around 100 applications were successively connected to the new platform. Currently, 2FA plays only a minor role here. To be prepared in the medium term, and to offer interested customers additional security, SMS-TAN was implemented. In addition, the Ping Identity solution was technically adapted in great detail, to meet customer-specific requirements in the best possible way.

Services are connected to the central customer portal via OpenID Connect or OAuth 2.0. On the employee side, a broader protocol spectrum was originally planned. There, the goal was not only a centralized system, but a single sign-on hub between Windows, Azure Cloud, and various web applications of the previous CAS system. Currently, OpenID Connect, OAuth 2.0, and SAML 2.0 are used.

Seamless Integration and Future-Ready Solutions

The project was realized from January to August 2020. During the project, a follow-up order was placed to implement additional customer requests that arose.

At the start, a proof of concept was created to enable the most efficient prioritization of individual subtasks. During this process, some changes to the original contract proved necessary. In particular, 2FA methods and risk-appropriate authentication were given significantly more emphasis. What’s more, the very different requirements for employees and customers demanded a technical separation. This way, additional adaptations needed in the customer area could be implemented without unnecessary extra expense.

Originally, all work was to be carried out directly at the customer’s site. However, the COVID-19 pandemic threw a spanner in the works. Thanks to a remote access solution provided by the customer at short notice, the project could still be carried out. After a brief adjustment phase, the decentralized cooperation with the utility’s very agile project managers proved to be extremely efficient. The entire project was completed to everyone’s satisfaction – on time and within budget. In addition to the successful implementation, this project demonstrates the advantages of a reliable and secure cooperation between partners, suppliers, and service providers.

As part of the three-year contract with an optional extension for two additional years, third-level support is provided by iC Consult. Furthermore, iC Consult supports the municipal utility company in developing and integrating additional functionalities.