Deployment of IdM midPoint in Czech Television

Česká televize

Czech Television uses several central applications, each with its own account and access control. Account management in these applications was performed manually or by running tailor-made scripts that handled basic requests (user creation, attribute changes). This situation was becoming unsustainable, because it was not possible to respond effectively to the ongoing changes in CT’s IT environment. Furthermore, up-to-date and clear information about users in the individual applications could not be obtained easily, and some other processes could not be automated. IT management therefore decided to implement an Identity Manager to address these problems.

Project goal

When deciding which system to use for IdM, the Evolveum product – midPoint Identity Manager – was chosen. MidPoint is offered as open source, so it can be downloaded from the company’s website for free and without any registration. Judging by the high activity on the product forums, midPoint is widely used and new functionality is continually being added by the development team. According to feedback from its users, midPoint is a very popular identity management tool and is deployed in both commercial companies and universities. The product offered all the required functionality, or the missing pieces could be implemented in a documented and officially supported way. The winner of the tender was the implementer AMI Praha a.s.

Project description

Czech Television uses a variety of applications, including Active Directory as the main directory, SAP HR as the source of data on employees, temporary staff and the organisational structure, the CEE Central Register of Externals (hereinafter referred to as externals), the AFM information system, the telephone exchange (PBX) and Helios. From a technological point of view, it was therefore necessary to connect the following systems:

  • The organisational structure in SAP HR (via the TDI application interface)
  • Users registered in SAP HR (via the TDI interface)
  • Users registered in the CEE externals register (via the TDI interface)
  • Users and groups in Active Directory
  • Table of users and roles in the MSSQL database for AFM
  • Table of users and roles in the MSSQL database for Helios
  • Table of users and phone numbers in the MSSQL database for the PBX

SAP HR and CEE are not connected to IdM directly but through the TDI application interface, which Helpdesk staff use to complete information about employees and to filter out duplicates. IdM then draws its information from the TDI application.

IdM midPoint deployment

The hardware and software requirements of midPoint are not exceptional and do not differ from those of similar products. The recommended operating system is any common Linux distribution. In addition, Apache Tomcat version 7 or higher, Java Development Kit version 7 or higher, and a MySQL, MSSQL, Oracle or PostgreSQL database for storing identity data are required.

At Czech Television the choice fell on the CentOS operating system, Apache Tomcat version 7, Java Development Kit version 7 and MSSQL database version 2012. The server was created in a virtual environment and was allocated 6 GB of RAM and 50 GB of disk space.

The installation of IdM midPoint itself was also not difficult and consisted of a few steps: downloading the midPoint WAR file from Evolveum’s website and copying it to the webapps directory of the Apache Tomcat installation. Tomcat’s automatic deployment then unpacked the application and made the midPoint web interface available.

This completed the basic installation and allowed the applications to be connected and the required functionality to be implemented.

Requirements

Discussions with IT and Helpdesk representatives gathered dozens of requirements and suggestions for incorporating functionalities into the new IdM midPoint. This list was based on the experience with the operation of previous tailor-made scripts, and was further supplemented with new requirements arising from gradual changes in the company’s processes.

Among the requirements were:

  • Automatic creation of user accounts in Active Directory when a user is created in SAP HR or CEE
  • Automatic generation of logins according to a defined pattern
  • Synchronisation of the organisational structure from TDI to IdM
  • Notification for the Helpdesk when the Display Name of a user in AD is duplicated
  • Notification for the Helpdesk when a user’s name, surname or login changes
  • Synchronisation of groups and users from AD to IdM, including synchronisation of their members
  • Synchronisation of roles and users from AFM to IdM
  • Synchronisation of roles and users from Helios
  • A basis for terminating accounts in all applications after an employee leaves
  • Overview reports on the status of users in applications (unpaired accounts, problems, reconciliation errors, etc.)
  • User portal in the Czech language
  • Controlled access to the portal for Helpdesk staff
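Two of the requirements above, generating logins according to a defined pattern and notifying the Helpdesk about duplicated Display Names in AD, are small enough to show end to end. The following is an added example written for this page, not AMI Praha’s or midPoint’s own code. The page does not state the actual login pattern, so the pattern used here (six letters of the surname plus the initial of the given name, numeric suffix on collision) is an assumption, and the account list is constructed sample data.

```python
"""Login generation with collision handling and duplicate Display Name detection.
Added example, not AMI Praha's or midPoint's own code. The login pattern is an
assumption: the page only says logins follow a defined pattern."""
import re
import unicodedata
from collections import defaultdict


def normalize(text):
    """Strip diacritics (common in Czech names) and keep lowercase ASCII letters only."""
    ascii_form = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_form.lower())


def generate_login(given, surname, existing, max_len=8):
    """Assumed pattern: first six letters of the surname plus the first letter of
    the given name (Jan Novak -> novakj). On collision with an existing login a
    numeric suffix is appended, trimming the base so max_len is never exceeded."""
    base = normalize(surname)[:6] + normalize(given)[:1]
    if not base:
        raise ValueError("cannot derive a login from the given name parts")
    candidate, n = base, 2
    while candidate in existing:
        suffix = str(n)
        candidate = base[: max_len - len(suffix)] + suffix
        n += 1
    return candidate


def find_duplicate_display_names(accounts):
    """accounts: iterable of (login, displayName) pairs from an AD export.
    Returns {displayName: sorted logins} for names used by more than one account.
    Comparison ignores case and repeated whitespace, since those variants still
    look identical to a person reading the address book."""
    groups = defaultdict(list)
    first_seen = {}
    for login, display in accounts:
        collapsed = " ".join(display.split())
        key = collapsed.casefold()
        first_seen.setdefault(key, collapsed)
        groups[key].append(login)
    return {first_seen[k]: sorted(v) for k, v in groups.items() if len(v) > 1}


def helpdesk_notifications(accounts):
    """One message per conflict, ready for the Helpdesk queue."""
    dupes = find_duplicate_display_names(accounts)
    return [f"Duplicate Display Name '{name}': {', '.join(logins)}"
            for name, logins in sorted(dupes.items())]


# Constructed sample data, not real Czech Television accounts.
SAMPLE_ACCOUNTS = [
    ("novakj", "Jan Novák"),
    ("novakj2", "Jan Novák"),
    ("dvoraka", "Anna Dvořáková"),
    ("svobodp", "Petr  Svoboda"),
    ("svobodp2", "petr svoboda"),
]

if __name__ == "__main__":
    existing = {login for login, _ in SAMPLE_ACCOUNTS}
    print(generate_login("Jan", "Novák", existing))   # novakj3
    for line in helpdesk_notifications(SAMPLE_ACCOUNTS):
        print(line)
```

The duplicate check deliberately compares normalised names rather than exact strings: two accounts that differ only in letter case or a double space are still indistinguishable to a colleague picking a recipient in the address book, which is exactly the situation the notification is meant to catch.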

Active Directory Connection

Active Directory connectivity is implemented using the Connector Server, which runs as a service on the AD side and handles communication and request processing between the IdM midPoint connector and AD itself.

The users themselves are created in the usual way in the HR Import container and its sub-containers (according to the user’s Prague/Brno/Ostrava location). User accounts are created in the Disabled state. The Helpdesk operator then enables the account, moves it to the selected container and hands the login details to the user.

The bigger nut to crack was setting up the correct group/role synchronization between Active Directory and IdM midPoint. Since there was no guidance on implementing this particular functionality in the available documentation, AMI Praha contacted the midPoint developers directly with a request for cooperation. They responded immediately and prepared a comprehensive document with a procedure on how to address such functionality. Thanks to their willingness, the synchronization of groups between Active Directory and IdM midPoint was implemented without major problems.

Connecting TDI, AFM, Helios and PBX

These applications use database tables as their data storage, so a DB connector was used to connect them. The connectors for the database tables are based on ForgeRock’s ICF connectors. Their implementation and connection to the necessary database tables again did not bring any significant problems. In this case the ScriptedSQL connector was used, which is highly flexible when complex SQL queries are needed to retrieve data from the applications above. The applications are connected in read-only mode: IdM extracts the data from them, transforms it and then propagates it to Active Directory.
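The three pieces described in this and the previous section (accounts created disabled in the location-specific HR Import container, group membership kept in step with application roles, and read-only extraction from database tables) fit together as one reconciliation pass. The following is an added example for this page, not AMI Praha’s or midPoint’s own code: sqlite3 stands in for the MSSQL tables, and the table and column names, the domain, the OU layout and the group naming convention are all assumptions, as is the AD snapshot it reconciles against.

```python
"""Read-only extraction from application tables, transformation into the desired
Active Directory state, and a reconciliation report. Added example, not AMI Praha's
or midPoint's own code. sqlite3 stands in for the MSSQL tables; table and column
names, the OU layout and the group naming convention are assumptions."""
import sqlite3

BASE_DN = "DC=example,DC=local"            # assumed domain
LOCATIONS = ("Prague", "Brno", "Ostrava")   # locations named on the page
GROUP_PREFIX = "APP-AFM-"                   # assumed naming of role groups in AD
UAC_NORMAL_DISABLED = 0x0202                # NORMAL_ACCOUNT | ACCOUNTDISABLE (514)


def import_container(location):
    """New accounts land in the HR Import sub-container for their location."""
    if location not in LOCATIONS:
        raise ValueError(f"unknown location: {location}")
    return f"OU={location},OU=HR Import,{BASE_DN}"


def build_sample_db():
    """Constructed in-memory stand-in for the TDI and AFM tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tdi_users (login TEXT PRIMARY KEY, location TEXT NOT NULL);
        CREATE TABLE afm_user_roles (login TEXT NOT NULL, role TEXT NOT NULL);
        INSERT INTO tdi_users VALUES ('novakj','Prague'),('dvoraka','Brno'),('svobodp','Ostrava');
        INSERT INTO afm_user_roles VALUES ('novakj','ADMIN'),('novakj','READER'),
                                          ('dvoraka','READER'),('ghost1','ADMIN');
    """)
    return conn


def load_source(conn):
    """SELECT-only access, mirroring the read-only application connection.
    Returns ({login: {"location", "roles"}}, orphan role rows with no identity)."""
    people = {}
    for login, location in conn.execute("SELECT login, location FROM tdi_users"):
        people[login] = {"location": location, "roles": set()}
    orphans = set()
    for login, role in conn.execute("SELECT login, role FROM afm_user_roles"):
        if login in people:
            people[login]["roles"].add(role)
        else:
            orphans.add(login)   # a reconciliation error to report, not silently skip
    return people, sorted(orphans)


def reconcile(source, ad_accounts, ad_groups):
    """source: from load_source; ad_accounts: {login: dn}; ad_groups: {group: set(logins)}.
    Returns (actions, unpaired). Accounts missing in AD are created disabled in the
    HR Import container; group membership is aligned with AFM roles; AD accounts with
    no HR source are listed as unpaired for the Helpdesk report instead of being touched."""
    actions = []
    for login, rec in sorted(source.items()):
        if login not in ad_accounts:
            actions.append({"op": "create", "login": login,
                            "dn": f"CN={login},{import_container(rec['location'])}",
                            "userAccountControl": UAC_NORMAL_DISABLED})
        wanted = {GROUP_PREFIX + r for r in rec["roles"]}
        current = {g for g, members in ad_groups.items()
                   if g.startswith(GROUP_PREFIX) and login in members}
        actions += [{"op": "add_member", "group": g, "login": login} for g in sorted(wanted - current)]
        actions += [{"op": "remove_member", "group": g, "login": login} for g in sorted(current - wanted)]
    unpaired = sorted(set(ad_accounts) - set(source))
    return actions, unpaired


def run_sample():
    """Constructed AD snapshot: one account already correct, one missing a group,
    one stale account with no HR record, and one identity not yet provisioned."""
    source, orphans = load_source(build_sample_db())
    ad_accounts = {"novakj": f"CN=novakj,OU=Users,{BASE_DN}",
                   "dvoraka": f"CN=dvoraka,OU=Users,{BASE_DN}",
                   "oldacct": f"CN=oldacct,OU=Users,{BASE_DN}"}
    ad_groups = {"APP-AFM-ADMIN": {"novakj", "oldacct"}, "APP-AFM-READER": {"dvoraka"}}
    actions, unpaired = reconcile(source, ad_accounts, ad_groups)
    return actions, unpaired, orphans


if __name__ == "__main__":
    actions, unpaired, orphans = run_sample()
    for action in actions:
        print(action)
    print("unpaired AD accounts:", unpaired)
    print("AFM rows without identity:", orphans)
```

Two design choices reflect the deployment described above: a new account is always written with `userAccountControl` 514 (normal account, disabled), so nothing is usable until the Helpdesk enables and moves it; and AD accounts with no HR counterpart are only reported as unpaired, never modified or deleted automatically, which keeps the reconciliation safe to run repeatedly while the report still surfaces stale accounts for review.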

Portal for users

MidPoint includes a web portal for end users as well as for Helpdesk operators and administrators. Although the portal offers many useful features to users, it was decided that only Helpdesk operators would use the portal, mainly when resolving a name conflict.

This requirement was met by configuring access rights so that Helpdesk operators see only a list of users in their menu and can change only the Display Name, Login and OU attributes in Active Directory.

Language versions

The current version of midPoint ships with a Czech language pack as standard. The language is selected according to the operating system environment of the specific user.

Conclusion

The implementation of the identity management tool at Czech Television met the expectations of management and can be considered a success. The IT management at Czech Television, in cooperation with AMI Praha, is preparing further requirements for developing the implementation of this tool and is preparing to connect other applications.

Two points deserve special mention: the simplicity of connecting midPoint to the individual applications, and the Czech-language user interface.

Czech Television also appreciates the smooth cooperation of AMI Praha directly with the midPoint developers and their great willingness to solve problems, especially when implementing the Active Directory group synchronization functionality.

MidPoint, as an alternative to commercial solutions, can therefore be highly recommended.
