Centralized Access Management Solution
for a German Metropolis
At a Glance
A German metropolis
Development of a central access management system
Products and Services:
ForgeRock Directory Services
- Unified, centralized access management platform for employees and customers
- Risk-appropriate authentication
- Application-specific, configurable authentication and authorization for web applications and SaaS services
- Single sign-on for SaaS and on-premises web applications, via Security Token Service (STS)
The municipal utility company of a large German city sought to consolidate its decentralized access solutions for employees and customers. In a Germany-wide RFP, iC Consult was awarded the contract – and implemented the required platform for more than one million accounts within just a few months.
The customer is one of the largest municipal utilities in Europe. It employs almost 10,000 people and supplies over one million customers with electricity, water, gas, and district heating. In addition, it operates public facilities and offers telecommunications services.
Previously, the municipal utility operated multiple access management systems for its employees and customers.
For employees, this was a custom solution based on the open-source Central Authentication Service (CAS) package. In addition, Azure AD was used for authentication via SAML 2.0, although this was only intended as a temporary solution. Staff turnover also meant that the company's own specialists could no longer support CAS.
On the customer side, an in-house solution tied together several legacy systems for the various logins. These covered accounts for a wide range of services – from the supply of electricity, water, or gas, to parking management and ticket sales for public transport.
To standardize this very heterogeneous landscape, simplify operation and maintenance, and create a solid basis for future growth, the municipal utility issued a Germany-wide RFP in 2019. iC Consult won the decision-makers over, and started planning and implementation in December of the same year.
Originally, the client wanted a single access management solution for all employees and customers. iC Consult developed a technical concept and recommended a solution based on ForgeRock products. However, as the project progressed, it became clear that implementation (and subsequent maintenance) in this form would be too expensive. For this reason, the architecture was changed to two separate solutions, both still based on ForgeRock AM. ForgeRock Directory Services was used on the customer side; on the employee side, an existing directory service remained in place.
On the employee side, the goal was not only to authenticate people via single sign-on but also to provide group-based authorization: users are assigned to groups, and applications obtain these group memberships through the various integration paths (SAML, OIDC) and use them for their own authorization decisions.
To boost security, the municipal utility requested 2-factor authentication (2FA) for employees. This involved considering an existing hardware token solution, but also various 2FA smartphone app procedures and SMS-TAN as an interim solution. iC Consult prepared and tested the options together with the customer. In the end, an SMS-TAN solution, the ForgeRock push app, and FIDO2 with YubiKey hardware tokens were implemented – primarily for cost reasons (licensing fees).
On the customer side, the focus was on integrating a login portal through which customers access numerous services: from electricity metering and ticket purchasing via smartphone, to third-party solutions such as mobile parking. In total, around 100 applications were successively connected to the new platform. Currently, 2FA plays only a minor role here. To be prepared in the medium term, and to offer interested customers additional security, SMS-TAN was implemented. In addition, the ForgeRock solution was customized extensively to meet customer-specific requirements as closely as possible.
Services are connected to the central customer portal via OpenID Connect or OAuth 2.0. On the employee side, a broader range of protocols was originally planned: the goal there was not only a centralized system, but a single sign-on hub between Windows, Azure Cloud, and the various web applications of the previous CAS system. Currently, OpenID Connect, OAuth 2.0, and SAML 2.0 are used.
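As an added illustration of the group-based authorization described above (example code, not iC Consult's or ForgeRock's own): a relying application validates an OIDC ID token and derives its permissions from the token's groups claim, denying access when the signature, issuer, audience, expiry or groups claim does not check out. The issuer URL, client_id, group names and permissions are assumptions, and a shared HMAC secret stands in for the RS256/JWKS key handling a real deployment would use so that the block runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed example: a shared HMAC secret stands in for the IdP's signing key so the block
# runs offline. ForgeRock AM signs ID tokens with RS256; a real relying party would fetch the
# public key from the JWKS endpoint. Issuer, client_id and group names below are assumed.
SHARED_SECRET = b"example-secret-not-for-production"
EXPECTED_ISSUER = "https://am.example.invalid/oauth2"
EXPECTED_AUDIENCE = "meter-portal"
GROUP_PERMISSIONS = {  # directory group (from the "groups" claim) -> application permissions
    "grid-operators": {"read_meter", "write_meter"},
    "billing": {"read_meter"},
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 token; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def permissions_from_token(token: str, now=None, secret: bytes = SHARED_SECRET) -> set:
    """Validate an ID token and return the permissions its groups grant (empty set = deny)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return set()
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # pin alg; reject "none"
        return set()
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return set()  # signature mismatch: tampered or signed by someone else
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # "aud" may be a string or a list
    if claims.get("iss") != EXPECTED_ISSUER or EXPECTED_AUDIENCE not in aud:
        return set()
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return set()
    groups = claims.get("groups")
    if not isinstance(groups, list):  # missing or malformed groups claim grants nothing
        return set()
    return set().union(*(GROUP_PERMISSIONS.get(g, set()) for g in groups))
```

The same shape applies to SAML assertions: verify the signature and audience first, then read group attributes, and treat an absent or unexpected group as no permissions rather than a default.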