Digital transformation and evolution introduced new processes to businesses, and even the existing processes have become more complex and interconnected throughout companies’ infrastructures. In a regulatory controlled environment, there are additional information security requirements together with legal and compliance policies resulting in even more complex processes and workflows. One of the most important factors for success in this field is the connectivity between involved parties and systems. This is the point where the “party” begins, especially when you have to take into account on-premise legacy systems, modern cloud applications, different protocols, network segments, technology stack, data models, etc.
As always, there are people promising to have a universal language, which will allow all the different systems to understand each other with one well-defined protocol. Most of them failed because they lacked the ability to support complex requirements, and others didn’t receive an appropriate amount of business and community attention. On the other hand, there are architectural styles and concepts that have proven their interoperability by years of successful adoption in different real world use cases rather than just promising it. REST is one of them.
Identity governance is a perfect example of the domain impacting almost every infrastructure, system, and process across companies. The IGA platform must be open and flexible enough to support a wide range of evolving requirements, but stable enough to keep it maintainable over time. And that’s the first and major benefit of midPoint, the open source IGA platform developed and maintained by Evolveum. Secondly, the openness of the midPoint IGA platform is demonstrated by the feature-rich REST interface – almost every midPoint feature can be triggered and utilized through a REST call. This provides midPoint with a strong position in terms of integration with other (existing) systems. Let us prove this fact with a specific customer use case.
The plan was to decommission an old IAM system and replace it with one of the state-of-the-art alternatives. Knowing the customer’s environment, midPoint was our first choice. Because of a lot of available midPoint-compatible connectors, there were no doubts about which provisioning platform should replace the IAM system.
Most of the questions arose around existing integrations with other IGA components, especially since the customer was utilizing a dedicated platform for access requesting, recertifications, and role modelling. In the old IAM solution, the interface for a third party system was realized using a semi-automatic staging database – the other side writes to the database and afterwards the data is picked up by the IAM, and vice versa. It is obvious that the data didn’t synchronize in real time. Additionally, the database and both custom interfaces needed to be maintained.
In the newly implemented solution, the out-of-the-box midPoint REST API has been utilized to load data into midPoint or to get it out. In particular, we used the endpoints to transfer the building stones of the IAM, for example, identities, organizations, roles, accounts, and entitlements outside midPoint. Based on the triggers from a third-party system, the role-/org-assignments and account-/entitlement-projections were imported into midPoint and de-/provisioned on connected target systems.
In order to optimize performance, we used the option to reduce the REST payload size by excluding the number of attributes that are not necessary to be transferred. Filters and pagination helped us to make the interface even faster and more stable.
At the end of the story, the customer could spare the staging database and a lot of headaches by having a direct interface between the IAM and other IGA components. The old custom-developed interface has been replaced by the stable and sustainable midPoint-supported REST API.
Ondrej Balun is the Manager and Business Intelligence Unit Lead at Ventum Consulting.
Ventum Consulting GmbH is an official Evolveum partner. They are a consulting company practicing in Austria and Germany with more than 15 years of identity and access management experience.
The views expressed in this blog represent the views and opinions of the author and not necessarily of Evolveum.
