Deployment of IdM midPoint for E.ON
The electricity and gas supplier E.ON uses several central applications, each with separate account and access management, for its operations. Account management in these applications was done manually or by running customized scripts that handled basic requests (user creation, attribute changes). This situation was gradually becoming unsustainable, as it was not possible to respond effectively to the ongoing changes in the company's IT environment. Furthermore, it was not possible to easily obtain up-to-date and clear information about users in the individual applications, and some other processes could not be automated. IT management therefore decided to implement an Identity Manager to address these issues. The main requirements were: licensing independent of the number of identities, roles and connected systems; open source; the ability to develop custom connectors; operating system independence; support for common databases as the object repository; support for authentication against LDAP (eDirectory); product support; continuous development by the vendor and addition of new features; and a modern design using modern technologies. WSO2 is used as the SSO solution at E.ON.
Choice of new IdM
The winner of the tender was Evolveum's product, midPoint Identity Manager, offered by the implementer AMI Praha a.s. The product offered all the required functionality, or it could be implemented in a documented and officially supported way. MidPoint is offered as open source, so it can be downloaded from the company's website free of charge and without any registration. Judging by the high activity on the product forums, midPoint is widely used, and the development team is constantly adding new features. According to feedback from its users, midPoint is a very popular identity management tool and is being implemented in universities as well as in commercial and government organisations.
E.ON uses a variety of applications, including GDS LDAP as the main directory, SAP HR as the source of data on employees and the organisational structure, and several applications with their own user databases. Data on employees and the organisational structure are available from SAP HR only in XML format. The records of external employees were not administered centrally at all.
From a technical point of view, the following steps had to be taken:
- Deploy a central IdM solution
- Process employee information from SAP HR into IdM (the so-called primary accounts)
- Process information on employee working relationships and the organisational structure from SAP HR into IdM
- Establish a central register of external employees, generate unique IDs for them (SIDs) and link them to IdM
- Design and create a structure of application and business roles, and the workflows linked to them, in IdM
- Create an LDAP SARA Directory to which users, roles and user-role assignments are exported from IdM
- Link the WSO2 application to the SARA Directory to retrieve user-role assignment data
- Connect other target systems as data consumers
Contributions of the chosen solution
Thanks to the implementation of IdM, some important processes could be unified in E.ON, such as the creation of users and the assignment of roles. Furthermore, some other supporting processes were introduced, such as the creation of application roles or the creation of external users.
Thanks to IdM, it is now possible for E.ON employees to request a role assignment. When such a request is created, an approval workflow is started, where the responsible persons have to approve the request.
With the role request process and approval workflow set up correctly in IdM, it was also possible to fully automate the management of assigning SARA Directory users to application groups. This data is then used by WSO2 to set up authorizations in downstream applications.
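The data flow described in the project steps above and in the two preceding paragraphs (primary accounts from an HR XML export, SIDs generated for external workers, joiner/mover/leaver reconciliation against a directory, and role assignments exported as directory groups only once an approval has been recorded) can be illustrated with a small Python script. This is an added example, not E.ON's, AMI Praha's or midPoint's code: the XML element names, the uid and SID schemes, the LDAP base DN and the sample people are all assumptions constructed for this illustration.

```python
"""Joiner/mover/leaver reconciliation from an HR XML feed into an LDAP directory.

Added illustration, not E.ON's or midPoint's code. The XML layout, the uid/SID
schemes, the directory DNs and every record below are constructed assumptions.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of an HR export (element and attribute names are assumptions).
HR_XML = """<employees>
  <employee pernr="00012345" status="active">
    <given>Jana</given><family>Novakova</family><orgunit>Billing</orgunit>
  </employee>
  <employee pernr="00067890" status="terminated">
    <given>Petr</given><family>Svoboda</family><orgunit>Billing</orgunit>
  </employee>
  <employee pernr="00011111" status="active">
    <given>Eva</given><family>Dvorak</family><orgunit>Grid Operations</orgunit>
  </employee>
</employees>"""

# Constructed register of external workers: no central identifier exists yet.
EXTERNALS = [
    {"given": "Tom", "family": "Weber", "company": "Contractor Ltd", "orgunit": "Billing"},
]

# Constructed current directory state, keyed by uid, holding only the attributes IdM manages.
DIRECTORY = {
    "E00012345": {"cn": "Jana Novakova", "ou": "Finance", "disabled": False},
    "E00067890": {"cn": "Petr Svoboda", "ou": "Billing", "disabled": False},
}

# Constructed role requests; an assignment is exported only once it carries an approval.
ROLE_REQUESTS = [
    {"uid": "E00012345", "role": "billing-app-user", "approved_by": "manager.billing"},
    {"uid": "E00011111", "role": "grid-scada-view", "approved_by": None},  # still pending
]

MANAGED = ("cn", "ou", "disabled")  # attributes the HR source is authoritative for


def parse_hr_xml(text):
    """Return primary-account records from the HR feed (uid scheme 'E' + pernr is assumed)."""
    records = []
    for e in ET.fromstring(text).findall("employee"):
        records.append({
            "uid": "E" + e.get("pernr"),
            "cn": f"{e.findtext('given')} {e.findtext('family')}",
            "ou": e.findtext("orgunit"),
            "disabled": e.get("status") != "active",
        })
    return records


def external_sid(record):
    """Stable, unique SID for an external worker (assumed scheme: 'X' + 8 hex chars of a hash)."""
    key = f"{record['given']}|{record['family']}|{record['company']}".encode()
    return "X" + hashlib.sha256(key).hexdigest()[:8].upper()


def externals_to_records(externals):
    """Turn register entries into account records with generated SIDs."""
    return [{"uid": external_sid(x), "cn": f"{x['given']} {x['family']}",
             "ou": x["orgunit"], "disabled": False} for x in externals]


def reconcile(source, directory):
    """Compare the authoritative source with the directory; return (action, uid, record) tuples."""
    actions = []
    source_uids = {r["uid"] for r in source}
    for rec in source:
        current = directory.get(rec["uid"])
        managed = {k: rec[k] for k in MANAGED}
        if current is None:
            if not rec["disabled"]:          # never create an account for a leaver
                actions.append(("create", rec["uid"], rec))
        elif managed != current:
            if rec["disabled"] and not current["disabled"]:
                actions.append(("disable", rec["uid"], rec))   # leaver
            else:
                actions.append(("update", rec["uid"], rec))    # mover
    # Accounts with no source record are orphans: flag them for review, never delete silently.
    for uid, current in directory.items():
        if uid not in source_uids:
            actions.append(("orphan", uid, current))
    return actions


def approved_assignments(requests):
    """Only assignments that passed the approval workflow reach the directory."""
    return [(r["uid"], r["role"]) for r in requests if r["approved_by"]]


def to_ldif(records, assignments, base="dc=example,dc=com"):
    """Render enabled users and role groups as LDIF for the application directory (DNs assumed)."""
    lines = []
    for rec in records:
        if rec["disabled"]:
            continue
        lines += [f"dn: uid={rec['uid']},ou=people,{base}", "objectClass: inetOrgPerson",
                  f"uid: {rec['uid']}", f"cn: {rec['cn']}", f"sn: {rec['cn'].split()[-1]}",
                  f"ou: {rec['ou']}", ""]
    by_role = {}
    for uid, role in assignments:
        by_role.setdefault(role, []).append(uid)
    for role, uids in sorted(by_role.items()):
        lines += [f"dn: cn={role},ou=groups,{base}", "objectClass: groupOfNames", f"cn: {role}"]
        lines += [f"member: uid={u},ou=people,{base}" for u in uids] + [""]
    return "\n".join(lines)


def run():
    """Full pass: merge sources, compute directory actions, render the export."""
    source = parse_hr_xml(HR_XML) + externals_to_records(EXTERNALS)
    return reconcile(source, DIRECTORY), to_ldif(source, approved_assignments(ROLE_REQUESTS))


if __name__ == "__main__":
    actions, ldif = run()
    for action in actions:
        print(action)
    print(ldif)
```

On the sample data the pass yields one update (Jana moved from Finance to Billing), one disable (Petr terminated), and two creates (Eva from HR and the external worker with a generated SID); the pending request for `grid-scada-view` produces no group in the export, which is the point of gating group membership on the approval step rather than on the request itself.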
The implementation of the identity management tool at E.ON met management expectations and can be considered a success. The IT management at E.ON, in cooperation with AMI Praha, is preparing further requirements for developing this implementation and plans to connect other applications. Particularly notable are the simplicity of connecting midPoint to individual applications and the Czech-language user interface.
E.ON also appreciates the smooth cooperation of AMI Praha directly with the midPoint developers and their great willingness to solve problems. MidPoint, as an alternative to commercial solutions, can therefore be highly recommended.