Friday, February 23, 2024

Identity Management (IdM) in Software Companies: A Complex Migration Journey

Identity management (IdM) lies at the core of security architecture and processes in most software companies. It is responsible for ensuring that only authorized actors are allowed access to valuable protected resources, including our customers' data.

For several years, our infrastructure relied on FreeIPA as the identity management system of choice. It governed user access to virtual machines through secure shell (SSH), facilitated third-party application logins, and served other use cases. However, several reasons led to its eventual removal from our stack and its replacement by other systems.

This article builds upon a previous blog post, which focused specifically on the rework of our SSH access management. Here, we document the broader motivations for our IdM changes, as well as the specific steps and approaches the infrastructure team at GoodData took during this complex migration effort.

The Old Approach

FreeIPA was introduced at GoodData in 2012 in response to the growing size of our infrastructure and the resulting need for single sign-on, i.e., avoiding the need for users to authenticate separately against every internal service. With FreeIPA, engineers would simply authenticate once at the start of their day, obtaining a Kerberos ticket. All subsequent access to internal web applications would then reuse this ticket and be transparent to the user.

One of the major use cases for FreeIPA in our stack was governing SSH logins to virtual machines; we covered this in more detail in the previous post. FreeIPA also provided useful components covering several other use cases. Notably, its NTP server offered a straightforward way of synchronizing time on the enrolled virtual machines, while the bundled certificate infrastructure enabled SSL certificate management for our internal services.

The Shortcomings

However, as the years went on, several aspects of the FreeIPA-based IdM setup proved insufficient for effective operations.

What we lacked the most was integration between FreeIPA and many of the third-party systems we used. While internally deployed web applications using httpd as a frontend were easily extended with Kerberos-based authentication via FreeIPA, this did not hold true for many external services, which typically only offer SAML or OIDC as authentication methods with identity providers.

The missing link between FreeIPA and many other applications we used meant that a unified approach to user management could not be adopted. This resulted in complicated processes related to user access management, as well as onboarding and offboarding. For instance, the team responsible for user management had to manually verify whether a terminated employee had been provisioned in numerous applications, and manually remove their user account from each one.

Operating the FreeIPA service itself also caused headaches for our infrastructure team on several occasions. We had replication set up between FreeIPA servers in several different regions, but it proved fragile whenever a network issue was encountered. Moreover, the FreeIPA deployment itself presented a single point of failure: if a regression was introduced by our operations, most of the engineers would be rendered unable to log in to the services they needed.


The Replacement

All of the aforementioned pain points eventually led to a company-wide decision to migrate to Okta as the centralized IdM solution. This spelled an imminent end to our use of FreeIPA, but at the same time created many new challenges for the infrastructure team to solve.

Most importantly, a direct one-to-one replacement of FreeIPA components by Okta would not be possible; for example, Okta does not provide governance of SSH logins or SSL certificate management out of the box. Therefore, while we could transition to using Okta as the central directory of user accounts, we would have to figure out how exactly to use various open-source tools and adopt different approaches for each specific use case we needed to replace.

We already covered the replacement for SSH login management in the previous post. Now, let's delve into how we approached the replacement of the other necessary use cases.

Web Applications

The only aspect of our IdM ecosystem that can be considered migrated in a "one-to-one" fashion was the authentication for internally deployed web applications. Where we previously authenticated users via httpd's LDAP or Kerberos modules, we moved on to using the mod_auth_openidc module instead, without any large architectural changes being required.

Moreover, as implied above, a huge advantage of migrating to Okta was also the support for single sign-on into numerous third-party applications. No more manual management of user accounts in each app!


Replacing the infrastructure of SSL certificates used by our virtual machines, on the other hand, required more consideration. With FreeIPA, every enrolled server could obtain an SSL certificate fairly easily using certmonger. However, this capability would no longer be available with Okta.

Before starting to seek an equivalent replacement, we took a step back and considered the actual use cases we had for certificates. We identified two distinct ways in which we used SSL certificates:

  • protecting user-facing endpoints of internal web applications;
  • machine-to-machine authentication between internal services.

For the former case, the solution was to use publicly trusted certificates issued by Let's Encrypt. We only needed to figure out the lifecycle and distribution of the certificates. In the end, we selected cert-manager running in our service Kubernetes cluster to handle obtaining the certificates (including DNS validation), and a simple CronJob to store the certificates in our HashiCorp Vault instance, where all of the consuming machines can access them.

Architecture Diagram

The Vault service also played a key role in replacing our machine-to-machine authentication mechanism; we opted for creating a private certificate authority (CA) to cover this use case. Since all of our virtual machines had already been integrated with Vault, it was then relatively straightforward for some servers to obtain a client SSL certificate and for other servers to verify it against Vault's CA.

Architecture Diagram

Time Server

Replacing the FreeIPA-provided time server proved to be straightforward. Since most cloud providers offer their own time servers nowadays (for example, Amazon has the Time Sync Service), we simply redirected our NTP configuration to use these instead of FreeIPA.

The In-between

With a suitable replacement for all of FreeIPA's components identified, we focused on designing a rollout plan for the migration to Okta. We recognized that there would have to be a long time window for the transition; we simply would not be able to migrate all of the users and application integrations from FreeIPA to Okta at the same time without introducing an unacceptably long downtime for the employees.

To provide a bridge between Okta and FreeIPA, and to allow a smooth switch of one use case after another, we decided to introduce a synchronization mechanism between Okta and FreeIPA. We used our pre-existing internal tool called freeipa-manager for this purpose, which supported managing FreeIPA entities via their YAML representations stored in a Git repository. Initially, we created accounts for all users in Okta and then extended this tool by adding support for creating users based on a response from the Okta API.
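As an added illustration (not GoodData's freeipa-manager code) of the Okta-to-FreeIPA synchronization described above, and of how treating Okta as the source of truth removes the manual offboarding check mentioned under the shortcomings: the Okta response below is constructed, the field names follow the Okta users API, and the per-user dict shape is a hypothetical stand-in for freeipa-manager's YAML entity format.

```python
import json
from typing import Dict, List

# Constructed sample of an Okta "List Users" response (GET /api/v1/users);
# field names follow the Okta API, the values are made up for this example.
OKTA_USERS_JSON = """[
  {"id": "u1", "status": "ACTIVE",
   "profile": {"login": "alice@example.com", "firstName": "Alice", "lastName": "Smith"}},
  {"id": "u2", "status": "DEPROVISIONED",
   "profile": {"login": "bob@example.com", "firstName": "Bob", "lastName": "Jones"}},
  {"id": "u3", "status": "ACTIVE",
   "profile": {"login": "carol@example.com", "firstName": "Carol", "lastName": "Lee"}}
]"""

# Hypothetical shape of the user entities kept in the freeipa-manager Git repo
# (one dict per FreeIPA uid); this is not the real tool's YAML format.
EXISTING_USERS = {
    "alice": {"first": "Alice", "last": "Smith", "email": "alice@example.com", "disabled": False},
    "bob":   {"first": "Bob",   "last": "Jones", "email": "bob@example.com",   "disabled": False},
    "dave":  {"first": "Dave",  "last": "Kim",   "email": "dave@example.com",  "disabled": False},
}


def okta_to_ipa_user(okta_user: dict) -> dict:
    """Map one Okta user record onto the FreeIPA entity; anything not ACTIVE is disabled."""
    p = okta_user["profile"]
    return {"first": p["firstName"], "last": p["lastName"], "email": p["login"],
            "disabled": okta_user["status"] != "ACTIVE"}


def reconcile(okta_json: str, existing: Dict[str, dict]) -> Dict[str, List[str]]:
    """Plan the FreeIPA changes that make it match Okta (uid = local part of the login).

    create:  active in Okta but absent from FreeIPA
    disable: enabled in FreeIPA but deprovisioned in, or unknown to, Okta, so an
             offboarded employee never keeps a working Kerberos/SSH account behind
    update:  present in both with differing attributes
    """
    desired = {u["profile"]["login"].split("@")[0]: okta_to_ipa_user(u)
               for u in json.loads(okta_json)}
    plan: Dict[str, List[str]] = {"create": [], "disable": [], "update": []}
    for uid, attrs in desired.items():
        if uid not in existing:
            if not attrs["disabled"]:
                plan["create"].append(uid)
        elif attrs["disabled"] and not existing[uid]["disabled"]:
            plan["disable"].append(uid)
        elif attrs != existing[uid]:
            plan["update"].append(uid)
    for uid, attrs in existing.items():
        if uid not in desired and not attrs["disabled"]:
            plan["disable"].append(uid)
    return plan
```

Run as a dry run in CI against the repository checkout, the plan is what a reviewer would see in the pull request before freeipa-manager applies it.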

This transition period was not ideal for the employees, since they had to remember two separate passwords for our two IdM systems, as well as keep track of which applications were authenticated by which system. We focused heavily on cross-team communication to make this time as painless as possible for all of the users involved.

The Conclusion

All in all, our migration from FreeIPA to Okta took slightly less than two years, starting in early 2021 and ending with the removal of the FreeIPA servers themselves from our environment in the second half of 2022.

It was an immense learning experience that required extensive cooperation between the company's departments, as well as learning the deeper internals of the various authentication technologies involved. In retrospect, we can confidently conclude that this major change was well worth the effort, bringing our infrastructure security and the related user experience to the next level.
