Identity Management as a Global Greenfield Project

Loh Services Sets the Course for Automated Joiner, Mover, and Leaver (JML) Processes with iC Consult

At a glance

Industry: Services

Region: Global

Customer: Loh Services

About the customer

Loh Services GmbH, founded in 2000, is the central service company of the internationally active Friedhelm Loh Group, headquartered in Haiger. The company provides support, consulting, and assistance to the individual businesses within the Group. Loh Services focuses on key interface functions for the operating companies, including controlling, finance and accounting, IT and personnel management.

Challenge

Time-consuming, manual administration of identities and access rights.

Products & Services

One Identity Manager

Results

  • Centralization of identity management on a single platform
  • Implementation of a OneIM IAM portal for creating and managing external users
  • Mapping of lifecycle processes
  • Provisioning of SAP and AD accounts and permissions
  • Automation of JML and recertification processes
  • Management of admin, service, and test accounts
  • Integration of Salesforce and ServiceNow
  • Enhanced compliance and security through standardized processes
  • Modernization of the IT landscape with Terraform, Azure Cloud, and Angular
  • Reduced workload for IT staff through iC Consult Managed Services

We have decided to outsource operations to iC Consult under a managed services model. Their experts know the solution as well as we do – there’s no better partner we could ask for.

Martin Jonek
Head of Collaboration & Identity Services
Loh Services

As the central service company of the Friedhelm Loh Group, Loh Services GmbH, founded in 2000, supports, advises, and assists the 95 subsidiaries of the group in a range of key interface functions. The service portfolio includes classic administrative tasks such as controlling, accounting, and HR, as well as the management of IT infrastructures. A key aspect is managing identities and access rights for all 12,100 employees, which was recently established on a robust and future-proof foundation as part of an ambitious Greenfield project, implemented with the support of iC Consult.

Challenge

“Just a few years ago, we managed workforce identities and access rights entirely manually. However, as our employee numbers grew steadily and more business processes became digitalized, the time required increased rapidly,” explains Martin Jonek, Head of Collaboration & Identity Services at Loh Services. “Ultimately, two key factors led us to begin searching for a modern, largely automated IAM solution in mid-2021. Strategically, an upcoming audit for a new certification drove the project, while operationally, managing Joiner, Mover, and Leaver (JML) processes was consuming more and more resources in our daily operations.”

Centralized IGA Solution Instead of Manual Management

The project aimed to consolidate employee identities across the entire corporate group into a centralized solution. Gradually, the entire application landscape was to be integrated into the IAM system. In the initial phase, top priority was given to migrating business-critical SAP and Microsoft 365 environments, as well as integrating Citrix and VPN environments to ensure secure remote access for employees. The audit also outlined additional requirements: specifically, restructuring the management of admin, service, and test accounts, migrating existing external accounts into the OneIM environment and incorporating them into the JML processes.

“With our internal team deeply engaged in various other projects, we decided early on to bring in an external integration partner,” explains Martin Jonek. “Considering the scope and complexity of the project, this was absolutely the right choice. We selected iC Consult, who supported us from the initial design phase through to the handover of operations and led the implementation. The collaboration proved to be a true stroke of luck—our teams complemented each other perfectly from day one, and we gained many valuable insights for further developing our architecture.”

Analysis of the Identity Lifecycle Within the Organization

As is often the case, the early phase of the project focused entirely on data collection and analysis. Experts from iC Consult examined and documented the organization’s lifecycle processes, gathering detailed requirements from the internal team for the new identity management system. Based on these findings, the Joiner, Mover, and Leaver processes for the entire corporate group were redefined through an iterative process lasting several months. Mario Zschaler, Project Lead at iC Consult, explains: “In a Greenfield project of this scale, defining robust processes from the outset is just as crucial as selecting the right technology. Efficient, automated workflows not only ease the burden on the internal team but also greatly enhance the user experience, making them vital to the project’s success. Moreover, security and compliance are closely tied to these processes—such as ensuring robust policies prevent accidental privilege escalation during departmental transitions.”

Cloud-Native Platform by One Identity

As the technological foundation of the new IAM environment, iC Consult implemented One Identity Manager—a modern, Microsoft Azure Cloud-based platform that unifies Identity Governance and Administration, Access Management, Privileged Access Management, and Active Directory Management into a single solution. “The holistic platform approach of One Identity was a key factor for us, as it eliminated the need for separate siloed solutions,” says Martin Jonek. “Being a cloud-native solution, the platform can also be flexibly adapted to meet our needs—especially with the expert support of iC Consult, who guided us in developing and customizing the necessary integrations.”

Terraform-Based Deployment of the Environment

To ensure a smooth rollout, iC Consult first integrated One Identity Manager in an isolated test environment designed using Terraform. This setup included a dedicated network, server, database, and load-balancing resources, allowing developers, quality managers, and project leads to refine and test the environment continuously without impacting daily operations.

Integration and Migration

The initial focus was on providing the necessary interfaces for integration into the application landscape, including connectors for AD domains, hybrid Exchange servers, Azure AD, and SAP. These connectors were either newly developed or adapted from existing templates. In the second phase, applications were integrated, and existing identity data was migrated into One Identity Manager, all within the development environment. This was accompanied by extensive testing to ensure smooth operations and a high-quality user experience for the broader rollout.

Web Front-End Development with Angular

During this phase, the team also addressed an important sub-project: iC Consult developed a new web front end within the OneIM Angular Portal to simplify and accelerate the creation of new external employees. Through seamless single sign-on, employees automatically gain access to the new IAM portal. New colleagues are automatically assigned basic authorizations—such as access to Microsoft 365 and SAP—and can request additional services at any time via the web interface.

“With the migration of data and the deployment of the front end, we had set the course for a successful launch of the One Identity solution by the end of 2023,” says Martin Jonek. “By then, all IT team identities and roles had been migrated to the new platform, which gave us plenty of opportunity to test its functionalities and usability.” However, one task remained before the launch: ensuring that administrators, hotline staff, and users could work comfortably with the solution from day one. To achieve this, the project team organized several training sessions to familiarize employees with the platform. The plan proved successful: One Identity Manager was quickly embraced across all regions and throughout the corporate group as a convenient and efficient alternative to manual rights management.

Outlook: Managed Services Bring Relief

The go-live was not the end of the successful collaboration between Loh Services and iC Consult. The two companies continue to enhance the identity solution together, focusing on projects like the ongoing consolidation of AD directories and the integration of additional applications into the IGA solution. More importantly, Loh Services has decided to entrust the operation and maintenance of the One Identity platform to iC Consult going forward. Martin Jonek explains: “Given the increasingly complex tech stacks and dynamic threat landscapes, managing our IT infrastructure already consumes significant resources, so any relief in day-to-day operations is more than welcome. We have, therefore, decided to outsource operations to iC Consult under a managed services model. Their experts know the solution as well as we do – there’s no better partner we could ask for.”