Main project goals

1. Implementation and support of the system for management and control of access rights or EnviIAM – Access Manager (hereinafter EnviIAM – AM)
2. Implementation and support of the identity management system or EnviIAM – Identity Manager (hereinafter EnviIAM – IdM)

The first objective was further spiced up by the fact that at the same time as the implementation of the EnviIAM – AM system, the systems that were an integral part of the scope of this project were upgraded at the MoE:

1. ISPOP Registry application (created together with the ISPOP – Integrated Reporting Obligations Compliance System), and this registry grew in the course of its use and the implementation of other AIS (e.g. SEPNO, HNVO, ISOH) in the Ministry’s environment to include other sub-registries as well as additional features, functions and data. Therefore, the Ministry upgraded the registry so that its new version became a separate application (AIS) – the Central Register of Environmental Protection (or CRP).
2. The agency IS ISPOP was upgraded to ISPOP v2

The second objective did not deviate from the standards required for IdM systems. Perhaps only the fact that some of the online systems connected to the IdM had to be created “from scratch” (e.g. the connector to the “Telephone Exchange”) could be seen as a specific requirement regarding knowledge of programming languages.

Project description

AMI Praha a.s. was the winner of the tender with Apereo Central Authentication Service (Apereo CAS) for the first project objective and Evolveum’s midPoint Identity Manager for the second project objective.

• Apereo CAS is offered as an open-source tool for web-based Single Sign-On (SSO), managed by the Apereo consortium. It was developed in an academic environment and is widely used by universities around the world. It supports generally accepted authentication and authorization protocols and implements its own CAS authentication protocol.
• MidPoint Identity Manager is offered as opensource, so it can be downloaded from the company’s website for free, and even without any registration. Judging by the high activity on the product forums, MidPoint is widely used and new and new functionalities are being added by the development team. According to feedback from its users, midPoint is a very popular identity management tool and is being implemented in universities as well as commercial and government companies.

Solution description

The timing of the project was already pre-determined in the tender documentation – 12 months for the first project objective and another 12 months for the second project objective.

First objective – Implementation and support of the system for management and control of access rights or EnviIAM – Access Manager (hereinafter EnviIAM – AM)

The first two months were devoted to the “Implementation Project” – this document defines and describes the procedures and methods by which the delivery and deployment of EnviIAM will be achieved, i.e.

• all project processes, including how they are managed,
• a comprehensive framework of project activities (including identification of inputs and outputs of activities) grouped into stages,
• activities that logically lead to the project objectives,
• significant milestones (including billing milestones),
• interactions between the parties and organizational issues for the Work,
• other facts relevant to the implementation of the Project.

The next two months were marked by analytical meetings and the creation of an analytical document called “Work Specification”, i.e. a technical document that describes the target state of the solution and contains the sections listed below:

• analysis of requirements for the Application (user functional / non-functional, technical),
• legislative analysis,
• UML description of the use cases of the Application,
• UML models of classes, components, data objects, sequence and state diagrams,
• description of integration to external Identity Providers,
• description of how to integrate to internal authentication resource,
• description of how to integrate to a communication interface for sending multi-factor authentication codes,
• logical design of the solution – UML component diagram,
• technical design of the solution – design of the physical placement of individual components in the infrastructure,
• description of the integration of individual AIS/IS to the Application,
• description of integration to the SIEM (Security Information and Event Management) solution,
• technological description of the Application,
• security description (monitoring, logging, auditing).

The following activities took place in the following months:

• Deployment and configuration (TEST and PROD)
  • The Application was deployed on the environments and contains all defined functionality except integration to external IdP and integration with external AIS/IS systems.
• Integration and migration
  • This activity included the integration of EnviIAM to external IdP, implementation of the interface for sending multi-factor authentication codes, deployment of the Customer’s SIEM solution, integration of the CRP authentication source
  • 6 agency information systems were integrated
    • Integrated Reporting Compliance System (IRCS);
    • System for the registration of hazardous waste shipments (SEPNO);
    • Hazardous Waste Properties Assessment (HWPA);
    • Waste Management Information System (ISOH);
    • Information Portal for Competent Persons (IPO);
    • EnviHELP Environmental Knowledge Portal (EnviHELP);
  • Training of users / administrators
  • Testing – testing was conducted in three waves
    • The first wave of testing was primarily devoted to testing the basic functionality required, i.e. user login and logout, as well as administrative access to the system (38 test scenarios)
    • The second wave of tests was primarily dedicated to testing the deployed EnviIAM – AM solution as a whole, including integration (27 test scenarios)
• The documentation is a separate chapter of this project, the following documentation has been created and submitted for acceptance (some of the required documentation has been included as chapters in other documentation listed here)
  • System testing documentation
  • ISVS documentation (according to the requirements of Act No. 365/2000 Coll.)
  • Application documentation
  • Operational documentation
  • Security documentation
  • Acceptance – for the actual acceptance it was also necessary to deal with the catalogue of requirements
    • For the first project objective, 60 functional and non-functional requirements were settled

Second objective – Implementation and support of the identity management system EnviIAM – Identity Manager (hereinafter EnviIAM – IdM)

This time, we only devoted one month to the “Implementation Project”, as a substantial part of the document was not changed for the second objective, e.g.

• all project processes, including how they are managed,
• the activities that logically lead to the project objectives,
• significant milestones (including billing),

The next three months were again marked by analytical meetings and the creation of an analytical document called “Work Specification”, i.e. a technical document describing the target state of the solution

The following activities were repeated in the following months:

• Deployment and configuration (TEST and PROD)
• Integration and migration
• User/administrator training
• Testing – we have taken a slightly different approach to testing than the previous objective, we have used the JIRA software tool and have ported the test scenarios and their execution here. This allowed us to continuously monitor and evaluate the speed and success of testing, using workflow we knew exactly what state a given step or the whole test scenario was in.
• Again, documentation was a very large component of the project, just as it was for the first objective.
• Acceptance – for the actual acceptance it was also necessary to deal with the requirements catalogue
  • For the second project objective 319 functional and non-functional requirements were settled

The implementation of both identity management and access rights management tools met management’s expectations and can be considered a success. The IT management of the Ministry of Environment in cooperation with AMI Praha is already continuing the development of these tools through a service contract.

The MoE also appreciates the smooth cooperation of AMI Praha directly with the developers of midPoint and APEREO CAS and their great willingness to solve problems. MidPoint and APEREO CAS can therefore be highly recommended as an alternative to commercial solutions.