Centralized Access Management Solution for a German Metropolis

At a Glance


A German metropolis


Development of a central access management system

Products and Services:
ForgeRock AM,
ForgeRock Directory Services


  • Unified, centralized access management platform for employees and customers
  • Risk-appropriate authentication
  • Application-specific, configurable authentication and authorization for web applications and SaaS services
  • Single sign-on for SaaS and on-premises web applications, via Security Token Service (STS) for employees

The municipal utility company of a large German city sought to consolidate its decentralized access solutions for employees and customers. In a Germany-wide RFP, iC Consult was awarded the contract – and implemented the required platform for more than one million accounts within just a few months.


The customer is one of the largest municipal utilities in Europe. It employs almost 10,000 people and supplies over one million customers with electricity, water, gas, and district heating. In addition, it operates public facilities and offers telecommunications services.


Previously, the municipal utility operated multiple access management systems for its employees and customers.

For employees, this was a custom solution based on the open-source Central Authentication Service (CAS) package. Additionally, Azure AD was used for authentication via SAML 2. This was, however, only intended as a temporary solution. Personnel fluctuations also meant that support for CAS could no longer be provided by the company’s own specialists.

In terms of customer connectivity, a self-implemented solution incorporated several legacy systems for the various logins. These included accounts for a wide range of services – from the supply of electricity, water, or gas, to parking management and ticket sales for public transport.

To standardize this very heterogeneous landscape, simplify operation and maintenance, and create a solid basis for future growth, the municipal utility issued a Germany-wide RFP in 2019. iC Consult won the decision-makers over, and started planning and implementation in December of the same year.


Originally, the client wanted a single access management solution for all employees and customers. iC Consult developed a technical concept and recommended a solution based on ForgeRock products. However, as the project progressed, it became clear that the implementation (and the subsequent maintenance) would be too expensive in this form. For this reason, the architecture was changed to two separate solutions, still based on ForgeRock AM. ForgeRock Directory Services were used on the customer side; an existing directory service remained in place for the employees.

On the employee side, the goal was to authenticate people via single sign-on, but also to provide authorization control so that users can be categorized by groups. Applications can then obtain these group assignments and use them for authorization decisions via various integration paths (SAML, OIDC).

To boost security, the municipal utility requested 2-factor authentication (2FA) for employees. This involved considering an existing hardware token solution, but also various 2FA smartphone app procedures and SMS-TAN as an interim solution. iC Consult prepared and tested the options together with the customer. In the end, an SMS-TAN solution, the ForgeRock push app, and FIDO2 with YubiKey hardware tokens were implemented – primarily for cost reasons (licensing fees).

On the customer side, the focus was on integrating a login portal for customers to access numerous services: from electricity metering and ticket purchasing via smartphone, to third-party solutions such as mobile parking. In total, around 100 applications were successively connected to the new platform. Currently, 2FA plays only a minor role here. To be prepared in the medium term, and to offer interested customers additional security, SMS-TAN was implemented. In addition, the ForgeRock solution was technically adapted in great detail, to meet customer-specific requirements in the best possible way.

Services are connected to the central customer portal via OpenID Connect or OAuth 2.0. On the employee side, a broader protocol spectrum was originally planned. There, the goal was not only a centralized system, but a single sign-on hub between Windows, Azure Cloud, and various web applications of the previous CAS system. Currently, OpenID Connect, OAuth 2.0, and SAML 2.0 are used.

As part of the 3-year contract with an optional extension for two additional years, 3rd-level support is provided by IAM Worx, which is part of iC Consult. Furthermore, iC Consult supports the municipal utility company in developing and integrating additional functionalities.


The project was realized from January to August 2020. During the project, a follow-up order was placed to implement additional customer requests that arose.

At the start, a proof of concept was created to enable the most efficient prioritization of individual subtasks. During this process, some changes to the original contract proved necessary. In particular, 2FA methods and risk-appropriate authentication were given significantly more emphasis. What’s more, the very different requirements for employees and customers demanded a technical separation. This way, additional adaptations needed in the customer area could be implemented without unnecessary extra expense.

Originally, all work was to be carried out directly at the customer’s site. However, the COVID-19 pandemic threw a spanner in the works. Thanks to a remote access solution provided by the customer at short notice, the project could still be carried out. After a brief adjustment phase, the decentralized cooperation with the utility’s very agile project managers proved to be extremely efficient. The entire project was completed to everyone’s satisfaction – on time and within budget. In addition to the successful implementation, this project demonstrates the advantages of a reliable and secure cooperation between partners, suppliers, and service providers.

