Enterprise Customer Web Identities Management with Ping Federate on AWS
By David Banks
28th October 2019
Landgate needed to replace its legacy Access and Authentication system used by external customers when accessing Landgate’s web-based applications, including MyLandgate.
The Scenario
The existing solution was based on CA SiteMinder and WebLogic required custom adapters and was not able to meet the new requirements to separate the services from the on-premise WebLogic solution to Cloud-based solutions. A new Access and Authentication solution would be needed to enable “Single-Sign-On” service across a variety of different systems, both on-premise, and on-cloud.
With a large user base of over 50,000 customers, the solution needed to be robust and user-friendly, removing the reliance on the existing Customer Service Team having to manually create new logins and “day-to-day” tasks like customer password resets. The ability for users to self-manage their access was a major requirement in reducing this workload.
The Solution
Landgate’s digital strategy is to use Cloud-based solutions, as either SaaS or COTS applications where required. The solution needed the ability to expand and cover new cloud applications being planned to replace the on-premise solutions. Flexibility was a major requirement as to not restrict future solutions.
Several managed IAM services were considered, but at the point in time this was initially implemented, none of the services that satisfied Landgate’s functional requirements were storing data exclusively within Australia, violating Landgate’s data sovereignty requirements. Hence the solution that was selected was based upon Commercial Off The Shelf (COTS) solutions that were optimised for running from the AWS Cloud by Akkodis:
- Ping Identity
- Ping Federate: An authentication solution to allow SSO across different applications
- Ping Directory: A high-performance LDAP application required to hold the user store
- SailPoint Identity IQ: User management, Auditing, Access request workflows
The AWS Services used to support the COTS solution:
- CloudFormation, to template the creation of all resources
- AutoScale to create EC2 instances to support the workloads on the applications
- Application Load balancers, Virtual Private Cloud, S3
- Simple Email Service, used to send user activation, password reset and request / approval Emails to customers
- CloudWatch Logs, as all application logs are egressed to CloudWatch for retention
The solution was designed to be automated for the deployment of updates to both the AWS configuration and the COTS services. This was done using an automation service to run jobs for deployment (in this case, Jenkins).
Jenkins was configured to monitor a code repository and upon each commit a new build was created that could then be deployed. The deployment process required that all deployments MUST pass each environment before being migrated to the next.
Repo => DEV => Test => UAT => Production
The Jenkins deployment to each environment uses customised CloudFormation templates to deploy the build into each of the environments. This solution means users do not need to login to the AWS console or the EC2 instances at any stage of the deployment process. This allows for the security to be increased on the EC2 instances as users do not need to SSH to the instances.
The Outcome
Since the new Access and Authentication solution has been implemented Landgate has introduced several new cloud-based applications that rely on the new IAM solution for authentication, user account management and SSO. The solution has allowed for different types of Authentication protocols to be used (including SAML, OpenID/JWT) to all share the same process giving users a single login allowing them to access on-premise and cloud solutions seamlessly.
User management has been greatly improved with self-registration and password reset ability now no longer placing a burden on the Customer Support Teams. The solution was also extended to allow Billing Account Owners the ability to add and remove users to access their billing accounts giving Account Owners more control of their Accounts and reducing turn-around of having users added and removed from 12 days (using the old manual process) to seconds.
Development and Operations of the solution have been significantly improved, whereas previously any changes to the IAM solution resulted in a full outage of all Landgate online applications. The new solutions by using the AWS AutoScale and CloudFormation can roll in the new changes without the need for an outage of the IAM solution.
The use of AWS in conjunction with the COTS application has created a solution that has the flexibility to keep up-to-date and allow for future applications to be integrated into a single-sign-on solution giving the users a simple and clean user experience.
Akkodis continues to maintain this application and update the environment. Stricter encryption protocols and ciphers are actively maintained for in-flight data, and in 2019, the solution was updated to include full IPv6 connectivity from the Internet, further ensuring that the service is highly available for all users.