Cloud-based identity management tool for SAASs

The project GreyTower was developed for a USA-based company specializing in integration and security services, including consulting and software solutions. The cloud-based identity management tool for SaaSs is a software solution that integrates user account management between various systems, guaranteeing the integrity of user accounts across the multiple SaaS tools that are very popular nowadays.

One of the key points of the developed solution is that it protects companies from human mistakes. Imagine you create or modify a user in the corporate Active Directory and an identical account is automatically created or updated in all the SaaS systems the company uses, improving the efficiency of its work. The solution also provides SSO to the external SaaS systems to improve end users' efficiency.

Comprehensive internal and external security models based on a well-defined set of permissions help protect the system from abuse or inappropriate use. Both internal and external security options are controlled by security policies, which support flexible configuration to match nearly every company's needs.

Solution

The proposed solution is cloud-based and deploys to the Mule iON environment, so it does not require additional hosting. Access to particular SaaS systems (end-points) can be easily configured via a password-protected, user-friendly interface.

Currently supported end-points include Active Directory, OpenLDAP, SalesForce, NetSuite, Brightidea, Yammer, Google Docs / Apps and database engines. Support for end-points is implemented via Mule iON connectors, which can easily be added to the core application in the future to support an even wider range of SaaS systems.

All users in the system are separated into multiple categories: global users and administrators, company users and administrators, group users with permissions granted by group membership, and guests. Registered users can request both external and internal roles and permissions for approval by managers, who can be global or individually assigned to particular users or groups.

For even better user synchronization capabilities, a Windows-based tool for tracking user details and password changes was implemented, as the most likely main source of user data is Active Directory. Naturally, such sensitive user data is transferred and stored in strongly encrypted form to avoid data leaks.

Besides user interface-based control, the solution also provides a non-visual SCIM API which can be used by third-party systems and tools to automatically perform all the tasks the system supports.

Architecture

The entire solution consists of several parts:

  • Password change capturing software is a password filter library (DLL) implemented in C++ which can be registered on ordinary Windows machines as well as on domain controllers; Windows Server 2003 and 2008 are supported as domain controllers.
  • The core engine is a Java application which handles business logic and the actual account management and synchronization.
  • The web interface for users is a web site providing access to user cabinets and allowing control of organizations, groups, permissions, roles, setup of available end-points, etc.
  • The SCIM API is a set of web services that expose the entire solution's functionality to external software systems.
  • Connectors to end-points are Mule iON native connectors providing data exchange between the core engine and the remote end-points.
  • Transport queues are ApacheMQ-based persistent queues which provide safe and secure data exchange between all the components of the solution.
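The SCIM API mentioned above and the core engine's synchronization role are only named on this page, so the following is an added example, not GreyTower's own code or API. It assumes a hypothetical in-memory stand-in for a SaaS end-point's SCIM 2.0 /Users collection (the real connector would issue HTTP requests over TLS) and a constructed Active Directory-style record. It shows the part that protects against the "human mistake" and duplicate-account problems: mapping a directory record to a SCIM User resource (RFC 7643 core schema) and pushing it to several end-points with an idempotent create-or-update keyed on externalId, then checking that all end-points hold the same account.

```python
# Added example (not from the original page, not GreyTower's own code).
# SCIM 2.0 create-or-update provisioning against simulated end-points.
import copy
from typing import Any, Dict, List, Optional

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ACCOUNTDISABLE = 0x2  # userAccountControl bit meaning "account disabled"

# Constructed sample record in the shape of Active Directory attributes.
AD_RECORD: Dict[str, Any] = {
    "objectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "userPrincipalName": "jdoe@example.com",
    "givenName": "Jane",
    "sn": "Doe",
    "mail": "jane.doe@example.com",
    "userAccountControl": 0x200,  # NORMAL_ACCOUNT, enabled
}


def ad_record_to_scim_user(record: Dict[str, Any]) -> Dict[str, Any]:
    """Map a directory record to a SCIM User resource.

    No password is copied: AD does not expose clear-text passwords over
    LDAP, and a SCIM 'password' attribute is sent only when a target needs it.
    """
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": record["objectGUID"],  # stable link back to the source
        "userName": record["userPrincipalName"],
        "name": {"givenName": record["givenName"], "familyName": record["sn"]},
        "emails": [{"value": record["mail"], "primary": True}],
        "active": not bool(record["userAccountControl"] & ACCOUNTDISABLE),
    }


class SimulatedScimEndpoint:
    """Hypothetical in-memory stand-in for one end-point's SCIM /Users."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._users: Dict[str, Dict[str, Any]] = {}  # server id -> resource
        self._next_id = 1

    def find_by_external_id(self, external_id: str) -> Optional[Dict[str, Any]]:
        # Stands in for GET /Users?filter=externalId eq "<value>"
        for user in self._users.values():
            if user.get("externalId") == external_id:
                return copy.deepcopy(user)
        return None

    def create(self, resource: Dict[str, Any]) -> Dict[str, Any]:
        # Stands in for POST /Users; the server assigns the "id"
        stored = copy.deepcopy(resource)
        stored["id"] = str(self._next_id)
        self._next_id += 1
        self._users[stored["id"]] = stored
        return copy.deepcopy(stored)

    def replace(self, user_id: str, resource: Dict[str, Any]) -> Dict[str, Any]:
        # Stands in for PUT /Users/{id}; keeps the server-assigned id
        stored = copy.deepcopy(resource)
        stored["id"] = user_id
        self._users[user_id] = stored
        return copy.deepcopy(stored)


def _attributes(resource: Dict[str, Any]) -> Dict[str, Any]:
    """Resource without the server-assigned id, for comparison."""
    return {k: v for k, v in resource.items() if k != "id"}


def provision(endpoint: SimulatedScimEndpoint, record: Dict[str, Any]) -> str:
    """Idempotent create-or-update keyed on externalId; returns the action."""
    desired = ad_record_to_scim_user(record)
    existing = endpoint.find_by_external_id(desired["externalId"])
    if existing is None:
        endpoint.create(desired)
        return "created"
    if _attributes(existing) == desired:
        return "unchanged"  # re-running the sync is safe: no duplicate
    endpoint.replace(existing["id"], desired)
    return "updated"


def sync_all(endpoints: List[SimulatedScimEndpoint], record: Dict[str, Any]) -> Dict[str, str]:
    """Push one record to every end-point; report the action per end-point."""
    return {ep.name: provision(ep, record) for ep in endpoints}


def consistent(endpoints: List[SimulatedScimEndpoint], external_id: str) -> bool:
    """True when every end-point holds identical attributes for this identity."""
    views = [ep.find_by_external_id(external_id) for ep in endpoints]
    if any(v is None for v in views):
        return False
    first = _attributes(views[0])
    return all(_attributes(v) == first for v in views[1:])


if __name__ == "__main__":
    targets = [SimulatedScimEndpoint("salesforce"), SimulatedScimEndpoint("yammer")]
    print(sync_all(targets, AD_RECORD))  # both created
    print(sync_all(targets, AD_RECORD))  # both unchanged, no duplicates
    disabled = dict(AD_RECORD, userAccountControl=0x202)  # disabled in AD
    print(sync_all(targets, disabled))   # both updated with active=False
    print(consistent(targets, AD_RECORD["objectGUID"]))
```

Keying the lookup on externalId rather than userName is what makes the operation safe to repeat: a renamed account is updated in place instead of being created a second time, and a disabled AD account is propagated as active=False to every end-point, which is the integrity guarantee the page describes.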

Tools and Technologies

  • Java 2 EE, Eclipse, Mule iON, MySQL, ApacheMQ, web services, JSF, PrimeFaces, Ajax.
  • C++, Microsoft Visual Studio 2010.

Benefits

The implemented system provides a seamless, robust, secure and easy-to-set-up integration solution between multiple systems which have become very popular recently but are often used separately from each other. The solution brings identity management to a new level and opens up possibilities which many had previously overlooked.