IDM and KDM development at Czech Post
Česká pošta
Following on from previous years, development work on the IdM and KDM (Key Distribution Manager, designed to centralize and synchronize authentication resources in a Linux/UNIX environment) solutions continued in 2022 for the customer Česká pošta. The main objective of the sub-projects was to extend the IdM and KDM solution with additional end systems and to develop solutions that extend the original concept.
Project goal
In 2022, as part of our development activities, we implemented the connection of two end systems and several development requirements.
- Connection of the new SMAX Service Desk
- Extension of IdM connector functionality to Microsoft 365
- Minor development
  - Addition of external user management
  - Registration of service accounts
  - Modifications to workflow permissions and user attributes
  - User management in MLAN
  - Managing mailboxes in Microsoft 365
- Operational optimization
- Server reconciliation report in KDM
- MidPoint-to-midPoint connector
- KDM performance optimization
Solution description
IdM development – connection of the new SMAX Service Desk
CP has replaced the HP SM service desk with SMAX. For this reason, it was necessary to modify the logic in IdM so that all account management and role assignment options for the service desk (now SMAX) were retained.
All user management and role assignment in the SMAX system was handled through LDAP. IdM creates, modifies and deletes users in LDAP and assigns or removes roles via the values of a multivalued attribute (already implemented functionality). SMAX performs periodic synchronization with LDAP.
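The role assignment mechanism described above, as an added example that is not code from the project or from Czech Post: IdM computes only the values that actually change on a multivalued role attribute, so that the LDAP modify never re-adds an existing value or deletes a missing one. The attribute name `smaxRole` is assumed, and the change list is built in the shape ldap3's `Connection.modify()` accepts.

```python
"""Plan and simulate role changes held in a multivalued LDAP attribute."""

MODIFY_ADD = "MODIFY_ADD"        # same string constants ldap3 uses
MODIFY_DELETE = "MODIFY_DELETE"

ROLE_ATTR = "smaxRole"           # assumed attribute name read by SMAX


def plan_role_changes(current_roles, desired_roles):
    """Return {attr: [(op, [values]), ...]} with only the values that change.

    Adding a value that is already present or deleting one that is absent
    makes the directory reject the whole modify (attributeOrValueExists /
    noSuchAttribute), so the plan is computed as set differences.
    """
    current, desired = set(current_roles), set(desired_roles)
    ops = []
    to_add = sorted(desired - current)
    to_del = sorted(current - desired)
    if to_add:
        ops.append((MODIFY_ADD, to_add))
    if to_del:
        ops.append((MODIFY_DELETE, to_del))
    return {ROLE_ATTR: ops} if ops else {}


def apply_changes(entry, changes):
    """Apply a plan to an in-memory entry (attr -> list of values) the way a
    directory server would, including removing an attribute whose last value
    was deleted; lets the plan be verified offline."""
    updated = {k: list(v) for k, v in entry.items()}
    for attr, ops in changes.items():
        values = set(updated.get(attr, []))
        for op, vals in ops:
            if op == MODIFY_ADD:
                if values & set(vals):
                    raise ValueError("attributeOrValueExists")
                values |= set(vals)
            elif op == MODIFY_DELETE:
                if not set(vals) <= values:
                    raise ValueError("noSuchAttribute")
                values -= set(vals)
        if values:
            updated[attr] = sorted(values)
        else:
            updated.pop(attr, None)
    return updated


# Constructed sample entry: the user holds two SMAX roles; IdM decides that
# SD_REPORTING should be removed and SD_APPROVER added.
SAMPLE_ENTRY = {"uid": ["jnovak"], "smaxRole": ["SD_AGENT", "SD_REPORTING"]}
DESIRED_ROLES = ["SD_AGENT", "SD_APPROVER"]
```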
IdM development – IdM connector to Microsoft 365 – guest account management
CP started using the Microsoft 365 environment, which created the need for user and permission management in this environment.
Regular users and administrators are managed in the Microsoft 365 tenant by integration through AD Connect.
The most pressing issue was unmanaged "guest" accounts for external users, so this functionality was addressed first. External users have registered identities in IdM, called ext accounts. Managing guest accounts allows external users to use sharing in SPO and take advantage of other Microsoft 365 functionality without requiring a license. Furthermore, it is no longer necessary to manage passwords for external users who use only these services in Microsoft 365.
Minor IdM development
Addition of external user management
External user management is routinely used to manage hundreds of vendors. In operation, major limitations including operational cleanup requirements and user transfers between contracts became apparent, so it was necessary to:
- change attribute checking for external users to check the attributes entered directly on the input form,
- modify the archiving of users so that they can be returned to the contract by the sponsors,
- add a Company attribute,
- create permissions to display contract attributes,
- archive invalid contracts with outsourcers,
- create new notifications about valid external users in an invalid contract.
Registration of service accounts
Service accounts were not managed by IdM. The change required service accounts to be registered in IdM at a minimum for the purposes of registering guarantors and role requests.
Modifications to workflow permissions, user attributes
IdM operation deepened the maturity of IT processes, which required modifications to permissions and notifications:
- new notification of missing application guarantors and role approvers,
- modification of the roles for changing an email address so that the change can be made by email administrators,
- grouping and modification of user attributes in the profile view,
- modification of the approval flow so that, when a user has no supervisor, the request goes to the next higher supervisor, and ultimately up to approver 999999,
- modification of notifications for approver assignments and modification of role names.
User management in MLAN
A new MLAN administration network has been created to manage network elements, where users are stored in a separate LDAP. These were not managed using IdM.
We implemented a new connector for MLAN based on OpenLDAP technology, including all standard user management processes.
Role management in Microsoft 365
Microsoft 365 role management has been added to the Microsoft 365 connector. These are administrator roles in the Microsoft 365 tenant.
Operational optimization
The application lifecycle required additional adjustments on the IdM side to respond to the changing state of the surrounding applications, infrastructure and processes:
- removal of functionality for NAKIT,
- modification of synchronization policies in AD and CAS,
- adding attribute mappings between IdM and AD, including Exchange mailbox status.
Minor development of KDM
Server Reconciliation Report
The subject was to create a server task that provides a *.csv report listing the reconciliations of the connected UNIX KDM servers.
Connector midPoint-midPoint
The subject was to create and deploy a new connector to connect KDM to IdM using a REST interface.
KDM performance optimization
According to the requirements of the Czech Post, modifications were made to optimize the running of KDM during and at the end of the migration of a large number of UNIX servers, so that the solution remains operable.
Conclusion
It can be concluded that the development of IdM at the Czech Post is proceeding successfully and in accordance with the requirements of IT management and of Cyber Security, in successive partial steps. This brings with it the advantage and possibility of thorough testing and fine-tuning of each partial modification before its deployment into production, with no IdM outages and almost no need for downtime.