From Minimalist Beginnings to Expanding IGA in Healthcare

Starting Small, Scaling Big: LNS’s Journey with MidPoint

Challenge: Before adopting midPoint, the Laboratoire national de santé (LNS) dealt with manual identity governance and administration (IGA) processes prone to errors. Key challenges included managing onboarding and offboarding tasks, handling data discrepancies, and integrating various systems with inconsistent data attributes.

Process: The decision to implement midPoint stemmed from a transition to a cloud-based HR system. The need for a robust solution to synchronize data across multiple systems led to the selection of midPoint. Key factors in choosing midPoint included its open source nature, flexibility, and transparency.

Outcome: The implementation was heavily oriented towards automation. The team did not have extensive expertise in IGA but approached it like any other application – by configuring it according to their needs and relying on the IGA system to handle the rest. They set up the system, and then midPoint managed everything as expected, minimizing manual intervention.

Yannick Kirschhoffer:

“Our IdM team is small – just myself and one other person doing configuration. The ops team runs containers, but they don’t need to know midPoint in detail. It’s low-maintenance, high-impact.”

About LNS

Laboratoire national de santé

The LNS in Luxembourg is a state healthcare lab with approximately 400 employees across six specialized departments. It handles complex medical activities like forensic medicine, pathology, and genetic counseling. The LNS uses the midPoint IGA to manage employee identities and synchronize information among various systems, including HR, ERP, and third-party applications.

The Objective: When the team embarked on deploying the identity management (IdM) system, the initial focus was on starting small and ensuring that the system worked effectively before scaling up by adding new functionality. They began with a minimalist approach – introducing only the essential features – to test the waters and confirm the system’s functionality. Once the initial setup proved successful, they gradually added more features. The goal was to implement basic synchronizations and policies first, without being limited by the software’s capabilities later on. Based on past experience with overly complex and rigid systems, the IdM team valued clarity, control, and transparency in data flows. MidPoint gave them the flexibility to build iteratively, test thoroughly, and apply proper change management – ensuring stability and avoiding unintended side effects during rollout.

The Challenge: The main challenge was ensuring data quality and consistency across systems. Integrating systems required careful data mapping and the introduction of unique identifiers. Performance issues with the HR cloud supplier were addressed with caching mechanisms to improve efficiency. Another significant challenge was the complexity of hospital IT environments, which consist of numerous systems that are often difficult or impossible to integrate. However, the two-person team managed to connect and automate those systems that were at least partially compatible, ensuring some level of integration.

The Process: The implementation took about a year, with active development lasting around 40 days. Initial efforts focused on cleaning data and developing custom connectors for integration with the HR system and other platforms. In addition to bespoke connectors, the Odoo connector was developed and published as open source for the benefit of the community. The project adopted an agile approach, starting with a small scope and expanding iteratively.

Daily Reconciliation Process: A particularly interesting aspect of their approach is the reconciliation process. Instead of running a continuous live sync, the system performs a full synchronization and reconciliation with all systems daily. This once-a-day sync keeps records up to date across integrated systems without the complexity of constant, real-time synchronization. Everything is fully automated, with no manual, human-driven processes such as role requests, so updating once a day is sufficient. The team admits that this will likely change in the future, but for now they are happy with it thanks to its simplicity.
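To make the data-mapping, unique-identifier and daily full-reconciliation ideas from the two paragraphs above concrete, here is a small added example. It is not midPoint's code and not LNS's configuration (midPoint expresses mappings and correlation in its XML resource definitions); it is a constructed Python model of what one reconciliation pass does: map authoritative HR records to the attributes a target system expects, correlate by a unique identifier, and emit create/update/disable actions plus a report of orphan accounts that no HR record owns. The HR records and ERP accounts are constructed sample data; the attribute names (employee_id, ext_id, dept, department) are assumptions.

```python
from dataclasses import dataclass

# Constructed sample data: authoritative HR records, keyed by a unique employee id.
HR_RECORDS = [
    {"employee_id": "E001", "given": "Anna", "family": "Meyer", "dept": "Pathology", "status": "active"},
    {"employee_id": "E002", "given": "Ben", "family": "Weber", "dept": "Forensics", "status": "active"},
    {"employee_id": "E003", "given": "Clara", "family": "Schmit", "dept": "Genetics", "status": "left"},
]

# Constructed sample data: accounts as a target system (say, an ERP) currently holds them.
# E001 has drifted (wrong department), E002 is missing, E003 has left but is still enabled,
# and E999 has no owner in HR at all.
ERP_ACCOUNTS = [
    {"ext_id": "E001", "name": "Anna Meyer", "department": "Histology", "enabled": True},
    {"ext_id": "E003", "name": "Clara Schmit", "department": "Genetics", "enabled": True},
    {"ext_id": "E999", "name": "Orphan Account", "department": "IT", "enabled": True},
]


@dataclass(frozen=True)
class Action:
    kind: str            # CREATE | UPDATE | DISABLE | ORPHAN
    ext_id: str          # the unique identifier used for correlation
    changes: tuple = ()  # (attribute, old_value, new_value) triples for UPDATE / DISABLE


def map_hr_to_erp(rec):
    """Outbound mapping: HR attributes -> the attribute set the target system expects."""
    return {
        "ext_id": rec["employee_id"],
        "name": f'{rec["given"]} {rec["family"]}',
        "department": rec["dept"],
        "enabled": rec["status"] == "active",
    }


def reconcile(hr_records, erp_accounts):
    """One full reconciliation pass: compare expected state (from HR) with actual state.

    Returns the list of actions needed to bring the target system in line. Running it
    again after the actions are applied yields nothing but the orphan report, which is
    what makes an unconditional daily full run safe to repeat.
    """
    expected = {m["ext_id"]: m for m in (map_hr_to_erp(r) for r in hr_records)}
    actual = {a["ext_id"]: a for a in erp_accounts}
    actions = []
    for ext_id, want in sorted(expected.items()):
        have = actual.get(ext_id)
        if have is None:
            if want["enabled"]:
                actions.append(Action("CREATE", ext_id))
            # A leaver without an account needs nothing.
            continue
        diffs = tuple((k, have.get(k), v) for k, v in want.items() if have.get(k) != v)
        if diffs:
            # Deprovisioning is the security-relevant case, so it gets its own kind.
            kind = "DISABLE" if ("enabled", True, False) in diffs else "UPDATE"
            actions.append(Action(kind, ext_id, diffs))
    # Accounts with no owner in the authoritative source are reported, not silently deleted.
    for ext_id in sorted(set(actual) - set(expected)):
        actions.append(Action("ORPHAN", ext_id))
    return actions


def apply_actions(erp_accounts, hr_records, actions):
    """Simulate the target system accepting the actions; returns the new account list."""
    expected = {m["ext_id"]: m for m in (map_hr_to_erp(r) for r in hr_records)}
    accounts = {a["ext_id"]: dict(a) for a in erp_accounts}
    for act in actions:
        if act.kind == "CREATE":
            accounts[act.ext_id] = dict(expected[act.ext_id])
        elif act.kind in ("UPDATE", "DISABLE"):
            for attr, _old, new in act.changes:
                accounts[act.ext_id][attr] = new
        # ORPHAN entries are left untouched and handed to a human for review.
    return list(accounts.values())


if __name__ == "__main__":
    first_pass = reconcile(HR_RECORDS, ERP_ACCOUNTS)
    for act in first_pass:
        print(act.kind, act.ext_id, act.changes)
    second_pass = reconcile(HR_RECORDS, apply_actions(ERP_ACCOUNTS, HR_RECORDS, first_pass))
    print("second pass:", [(a.kind, a.ext_id) for a in second_pass])
```

The first pass produces one UPDATE (E001's department), one CREATE (E002), one DISABLE (E003, the leaver) and one ORPHAN report (E999); the second pass on the corrected accounts reports only the orphan. The orphan case is worth keeping as a report rather than a delete: an account with no owner in HR is exactly the kind of discrepancy the text describes having to clean up during integration, and it deserves a human decision.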

Resources: MidPoint’s key benefits include its ability to manage identity reconciliation centrally, reducing complexity compared to point-to-point integrations. It provides a flexible framework for integrating new systems and enforcing consistent policies. Although dynamic role management is anticipated to bring additional value in the future, the current focus is on streamlining reconciliation processes.

Yannick Kirschhoffer:

“One of the key reasons we chose midPoint was its open source model. You can start small, iterate, and only opt for enterprise support when you’re ready – without having to rebuild everything from scratch.”

The Outcome: The midPoint IGA has significantly improved identity management at the LNS by automating and integrating key systems. The deployment is fully containerized and Git-driven, with configuration managed in GitLab and applied through custom Docker images. A stateless model is used: midPoint runs daily in a transient container with a fresh database, performs reconciliation via CLI jobs, and shuts down. This ensures consistency, reduces manual errors, and simplifies automated deployment and testing. A complete redesign is expected once human interaction is allowed, which will require midPoint to be online all the time. However, this is not currently on the roadmap for the near future.

The Future Plans: Looking ahead, the team has ambitious plans to expand the system’s capabilities. They are considering integrating patient data, a move the LNS team is not hesitant to undertake despite the sensitive nature of such information. The potential to include patient data in the midPoint IGA system is on the horizon, indicating the LNS’s confidence in the security and reliability of the system.

From Legacy Complexity to Progressive Clarity

Leading the Digital Transformation Journey at LNS

Yannick Kirschhoffer

Chief Information Officer at Laboratoire national de santé, Luxembourg

Yannick currently leads transformative initiatives at the Laboratoire national de santé. Renowned for deploying structured employee identity management systems, Yannick significantly enhances operational efficiency and security. His expertise extends to large-scale implementations, notably at Luxair, where he orchestrated IdM systems for up to 3,000 employees.

Empowering you at every step of the way

Your IGA journey starts here. Try midPoint and explore our expert services!

See for yourself why midPoint is the trusted open source IGA platform used around the globe. Choose one of the ways to get familiar with midPoint and make the most of your IGA journey with Evolveum’s service offering!