Case study

Seamless Transition to New IdM Platform With Improved GUI and Functionality

Client:
Orange Slovensko, a.s.

Scope:
Identity management

Overview

Orange Slovensko needed to improve the GUI and transition from its legacy IdM to midPoint while keeping its systems running and meeting the deadline and budget.

Challenge
Orange Slovensko was seeking an IdM platform to replace its legacy solution. The major focus was on a seamless transition for employees and on improving IdM administrators’ workflows.

Process
During integration, midPoint needed to run concurrently with the legacy IdM solution. Source and target systems were switched to midPoint one by one, while all data had to be synchronized between the two IdMs throughout the project, since the access request module was migrated at the very end.

Outcome
midPoint replaced legacy solutions entirely and gave employees a better experience in the access request process. The transition took place without any significant impact on employees or connected systems.

Objective

The IdM environment at Orange Slovensko was built around a commercial product that was past its lifespan and no longer supported.

There were multiple identity sources, such as SAP and several LDAPs. In addition, several online resources and two offline ticketing resources had to be migrated; one of them, ARS Remedy, covers over 250 offline systems.

Since that time, there has been a significant emphasis on the continuous operation of all systems and minimal impact on employees, who should also benefit from a new, fresher, innovative interface to request roles and permissions.

Challenge

Due to the scale of the system, the transition had to be continuous and finish with the decommissioning of the legacy IdM.

The access request interface was part of the legacy solution, and it could be migrated into midPoint only after all resources and target systems were provisioned by midPoint. During the project, data had to be synchronized both ways, as each IdM was a source of partial data for the other IdM.

midPoint version 4.6 was released a month before the end of the project, and Orange Slovensko was strongly inclined to provide employees with the latest access request experience delivered in this version. All three parties, Evolveum, Inalogy, and Orange Slovensko, were challenged to integrate the initial version shortly after the release.

Process

The project was divided into two phases.

Phase 1

The scope of the first phase was to migrate the main HR source and the main target system, Active Directory, and to establish synchronization between the legacy IdM system and midPoint. Active Directory, as the most complex resource, was also the most critical one, as it stores data about almost 5000 entitlements. To ensure the midPoint configuration was identical to the legacy system, we built a pre-prod AD identical to the production one and provisioned it by midPoint for over two months. We monitored and compared both Active Directories and fine-tuned midPoint until there were no discrepancies between them, as this was a crucial precondition for the next year of parallel operation of both IdMs.

A key part of the first phase was the transition of password management to midPoint. Employees have several options to change or reset passwords, such as self-service in midPoint, helpdesk, SMS, and the most used, Active Directory. For this reason, we needed to develop a reliable AD Password agent to provision passwords from AD to midPoint. Orange Slovensko published this agent to the community as a contribution.

Phase 2

Since phase one was more like a big bang deployment, phase two was more incremental. There were 16 target and another two source systems to migrate. To accomplish this, we needed to migrate one to two resources per month, and several of the resources needed a connector to be developed. The final step was to switch the user interface for requests and access approvals. Delivery and migration of individual resources went according to plan. Still, things became interesting when we, together with Orange Slovensko, decided to go with version 4.6, which had not yet been released, to provide employees with the latest UI experience for the access request flow.

As Orange Slovensko had active product support, we contacted Evolveum with the plan to go live with version 4.6 just a month after the official release. We did immersive testing on a 4.6 release candidate, and Evolveum incorporated all our findings and improvement proposals. Our joint effort resulted in an almost bug-free release 4.6 successfully deployed into production within the project plan.

Outcome

The identity management replacement project at Orange Slovensko has been a major success for all parties involved.

The management appreciates that it was delivered within the agreed time and budget. IdM administrators thus received a modern identity management tool.

Employees can now benefit from the latest UI experience provided by midPoint, and Inalogy has gained valuable experience as well as a solid reference.

Finally, the community gained a verified and capable version of midPoint 4.6, together with the new AD password agent.
