In Just One Year: A New CIAM Platform for a Global Giant
The last two years demanded lots of energy, fresh ideas, and perseverance from iC Consult Group. 2019 was all about building a new Chinese CIAM platform for one of the world’s leading automotive groups. The migrations continued to keep us busy worldwide in 2020. At the start of 2021, Fabian Zoller (Team Leader and Consultant), Thomas Kramer (Project Lead) and Heiko Klarl (Chief Marketing and Sales Officer) revisited what we learned and accomplished in the process.
Heiko: “A premium car manufacturer, China the economic giant, and just one year to build a new CIAM platform from scratch. Let’s be honest, how did you manage that?”
Yes, it was a huge job. But that’s the way it goes: You haven’t encountered the whole mountain until you reach the summit. Right from the start, the tasks were exciting: splitting up a centrally hosted platform, regionalizing it, and synchronously commissioning it. In the beginning, it was just a matter of updating the customer’s own CIAM platform, which was used worldwide and hosted in Germany, in order to comply with changed regulations in China.
Heiko: “Because of new data protection guidelines there, right?”
Right. Since around 2017, data from Chinese citizens may no longer be stored abroad. So, the customer had to say goodbye to their central system and keep Chinese personal data in a dedicated directory in China. This worked out well from a purely technical point of view, but further exacerbated the existing performance fluctuations and latencies.
Heiko: “I can imagine! A user in Beijing opens an app, the request goes to Germany, where IDs are needed, but these are located in Shanghai and must first be sent to Germany, and so on…”
Exactly. And trying users’ patience like this is simply not acceptable for a global company. What’s more, the technology was already a few years old, so we needed to replace the existing system with a new, decentralized one based on the latest technologies.
Specifically, we were looking at two regional centers: one in China for China, and one in Germany for the rest of the world. As a foundation, we chose a managed Kubernetes infrastructure provided by the customer’s hybrid cloud. The products we used were solutions from Ping Identity: PingAccess, PingFederate, PingDataSync, and PingDirectory. We implemented the managed Kubernetes solution using our Service Layers managed service platform.
This allowed us to create both infrastructure and configuration as code – and meet the very tight deadline. With Service Layers, we offer our customers something truly unique: IAM as a managed service, with global availability, based on market-leading products. The platform combines the flexibility of on-premises products with the simplicity of IDaaS, all with 100% support for DevOps and agile working models. We offer our managed service in the customer’s public cloud instance (“bring your own cloud”), in the customer’s data center, or hosted in Service Layers’ public cloud.
Heiko: “From concept to a stable running system in one year. Why was the timeframe so ambitious?”
Several factors came together. First, China had given us a hard-and-fast deadline to release a number of applications. Second, a competitor’s team was developing a system in parallel, leaving us no room for negotiation. So, we did what we could.
We took it in stride. In fact, for us, everything initially revolved around bringing together a new team on the customer side. A corresponding knowledge base also had to be created there. And then there was the coordination between all the departments involved. These departments all take an agile approach. However, because of the very broad-based project, there were several product owners with different prioritizations. Our initial role was often to mediate, and to recommend alternatives that were viable for everyone involved.
There was also the newly developed Chinese frontend. The Chinese colleagues on the client’s side did a good job. But the coordination, testing, and bug fixing were sometimes a bit difficult, also because third-party companies were still involved.
Heiko: “For us, that was certainly not ideal. But from the customer’s point of view, this openness is a clear advantage. Especially when it comes to minor adjustments by service providers on site later on.”
Sure thing. There were just a few points whose effects were not clear to everyone at first. For example, the ADA adjustments for the American market. ADA is the Americans with Disabilities Act. It sets very strict requirements in terms of usability for people with physical disabilities. And then there were the decisions that were often made very dynamically. But, hey, at the end of the day, we got it done.
Heiko: “But the actual go-live was another challenge, wasn’t it?”
Yes, of course. After all, we had to synchronize three instances while meeting all of the respective legal requirements: the old CIAM system, and both regional instances of the new system in China and Germany. And over 200 applications had to be migrated to both regions. Among them were heavyweights like WeChat, the Chinese all-purpose app with several million integrated users. I think everyone involved was nervous before the go-live – all the way up to the C-level, which had given the project the highest priority from the very start.
But it worked out. For a project of this size, and given the very ambitious timeframe, the start went extremely well. Over the following months, the applications were largely migrated smoothly. The last few will have been moved by the end of Q1, and then the legacy system can be switched off. A resounding success for all three parties involved: xdi360, iC Consult, and Service Layers.
Heiko: “So, where are we today? And where do we go from here?”
We now have a solid, regionalized CIAM up and running. The legacy system migration is almost complete. Now it will be a matter of implementing all the future-oriented features that the various stakeholders in the company have been dreaming about for a long time and that extend far beyond the previous CIAM solution that has now been replaced.
For the customer, the project has paid off on every level. First, Chinese user data can now be used in a compliant way. Second, all markets benefit from a significantly more powerful system. And third, any future extensions, additional regionalization, or adaptations to other brands can be implemented with minimal effort – thanks to our use of Service Layers. It’s fair to say that we did a really solid job.