Reference

More than 30 IDM realisations in the Czech Republic and abroad


Replacement of IdM Waveset for open-source midPoint for Vodafone Czech

Vodafone Czech Republic

The aim of the project was to replace the identity management tool Oracle Waveset (formerly Sun Identity Management) at Vodafone Czech a.s. Oracle Waveset was no longer supported by the manufacturer, so it had to be replaced with a new open-source IdM solution, Evolveum midPoint.

Project description

The customer was using an IdM tool that was no longer supported and, in light of the audit findings, a replacement had to be provided. For this reason, the request already set a very ambitious deadline for re-implementing the functionalities: a maximum of half a year from the signing of the contract. Given the large number of requirements (almost 300, clearly categorized as functional, non-functional, security, technical, architectural and testing), we proposed dividing the scope into two stages. The first stage would implement the functionalities essential for IdM operation and for meeting the audit findings, and the second stage would implement the “nice-to-have” functionalities.

The first project phase started with the analysis and the writing of the technical proposal, whose partial deliverables were continuously approved and immediately handed over for implementation. Running these activities in parallel made it possible to reduce the delivery time and manage the deployment in a critically short time. To continuously validate the larger implemented blocks, the first phase was divided into three separate deliveries, each tested and accepted by the customer. Before the actual deployment into production, the transition was planned and prepared in detail so that the switch to the new IdM succeeded with less than a week of IdM downtime. After the launch in the production environment, increased active monitoring was carried out together with the customer for a period of time, during which data inconsistencies on the side of the end systems and minor deviations from the expected behaviour were addressed.

Once production was stabilised, the second project phase was analysed and its technical proposal written. This phase was much smaller and did not encounter any technical complications. The development, testing and deployment in the production environment were completely smooth.

Solution Description

The subject of the project was the replacement of the old IdM with a new one while preserving the existing functionalities and connected systems. The aim was to make the most of the existing interfaces of the end systems and the existing processes, so that the replacement was as cost-effective as possible and delivered the expected benefits. For some systems, however, we very much appreciated that the customer took our recommendation and also upgraded some unsuitable technical interfaces designed for the old IdM (e.g. for the ticketing tool).

The main deliverables of the first phase of the project were:

  • Replacement and disconnection of the old IdM tool
  • Connection to the source identity systems and organisational structure
  • Connection to existing online endpoint systems
  • Provision of business functionalities (reconciliation, approval workflow, certification campaigns, SoD, outsourced management, etc.)
  • Providing an offline connector to the ticketing tool

The following deliveries were carried out in the second phase of the project:

  • Online connectors to other systems
  • Role management (role definition lifecycle, approval, authorization, etc.)
  • Extension of workflow capabilities
  • Password policy

During active use, further requirements for the development of the implemented solution came up and were the subject of follow-up development activities. As part of these, we implemented:

  • Upgrading IdM to a newer version
  • Technical account management
  • Minor extensions

It was necessary to upgrade to a new version of midPoint, in which the functionalities requested by the customer were then implemented. The biggest new feature was technical account management: technical accounts no longer needed to be whitelisted in the connector code, and support for them was created in the GUI instead, including lifecycle, technical account owner, technical account validity settings, etc. Other IdM enhancements implemented included business role certification, restarting certifications for undecided cases only, and improvements to ownership continuity.
