
CAS Identity Federation + External IdM Support (FT-1008.007)

About this document

Scope

This document provides background information as well as a functional description of the FT-1008.007 CAS Identity Federation + External IdM Support advanced feature. The described feature is supported from the release version 4.3.5 onward.

Note

CAS Identity Federation + External IdM Support is an advanced feature and requires a special license and custom integration. Ensure that you have agreed with Mavoco about the usage of this feature before taking it into use.

This feature is part of the User Management functionality with number FN-1001.

Benefits

By integrating CAS Identity Federation with External IdM systems, the CSP benefits from a centralized repository for user management while leveraging the advanced security features that an external IdM system typically provides. Administration and User Lifecycle Management are simplified and controlled from a single point. User provisioning, attribute updates, and access control policies can be managed within the IdM system, and the changes can be automatically synchronized with the CAS federation. This integration streamlines the administration process, reduces manual effort, and ensures consistency in managing user identities and access across the federation.

Additionally, CSP users can leverage their existing identities and credentials from the IdM systems to authenticate across multiple applications within the CAS federation and access them seamlessly. CSP users can authenticate once and then use the authenticated session to access multiple applications without the need for repeated authentication. The user experience in the authentication process is simplified, as there is no need to create and remember multiple sets of credentials. It improves user convenience and reduces the risk of password-related issues.

Feature Availability

Feature Version | Available from    | Summary of changes
----------------|-------------------|-------------------
v1              | CMP Release 4.3.5 | Initial release


Feature overview

Goals

The aim of the CAS Identity Federation + External IdM Support feature is to allow integration into an external IAM (Identity and Access Management) System in order to facilitate Single Sign-On (SSO).

Scope

The following defines the scope of this SSO integration package. Any work in addition to this will need to be part of a customer specific work package.

This integration package supports delegated authentication only for a maximum of 5 external IAM platforms.

The scope of the integration package is shown in the following diagram:

The integration package will:

  1. Create CSP Role Mapping: between external IAM Roles and CMP CAS User Groups in CMP CAS.

  2. Create CSP Authentication Flow (delegation): service chain for CMP CAS to call external IAM system for user authorisation (max. 5 external IAM platforms).

Out of scope

  • Federation Authentication Flows. Only Delegation is supported in this feature.

  • User Account Management & Management of Accounts assigned to a User will be a manual process.

    • Including creation of new Accounts, and suspension and termination of existing Accounts.

    • New Accounts to be manually added to External IAM (integration to consume CMP Kafka and/or call CMP APIs for Account Onboarding is out of scope of this feature).

  • Deletion of users will be done through an operational process:

    • CSP IAM: CSP will delete User in External IAM.

    • CMP CAS: CSP operation team will delete User in CMP CAS using CAS admin UI.

    • CMP Portals: User information will not be deleted from CMP Portals to maintain audit logs. User information can be anonymized.

  • Synchronisation of Roles between External IAM and CMP CAS.

    • No explicit synchronization between CSP IAM and CMP for User Group information.

    • Any change to the IAM Roles, e.g., changes to allowed access, must be manually made in CMP CAS to the respective User Group(s).

    • Any new IAM Role will need a new mapping to be created in CMP CAS.

Prerequisites and Baseline Assumptions

  • The external IAM SSO integration will support delegated authentication. Federated authentication is not supported in this package.

  • Maximum of 5 external IAM platforms.

  • External IAM has defined User Roles which can be mapped to User Groups in CMP.

    • User access must be defined in terms of a User Role which can be mapped to a CMP CAS User Group.

    • Bespoke access for one or more Users is not supported.

  • The User where SSO is to be enabled must be provisioned in the External IAM.

  • The external IAM Users will be provisioned and updated into CMP CAS during the authentication flow.

  • The external IAM will be extended to provide User Profiles including:

    • User Role(s),

    • Context, i.e., Account(s) that may be accessed,

    • Any restrictions between User Roles and Context (e.g., Admin for Account X, Account User for Account Y).

Functionality of the feature

CMP provides the option to integrate into a maximum of 5 external IAM (Identity and Access Management) Systems in order to allow CSPs to facilitate Single Sign-On (SSO) for their employees and enterprise customers. The external IAM SSO integration only enables delegated authentication via standard OAuth2; federated authentication is not supported.

User access is defined in terms of an external IAM User Role that can be mapped to a CMP User Group. The mapping is set up and managed between the external IAM system and CMP. During the authentication flow, external IAM Users are provisioned and updated in CMP and extended to provide User Profiles that include the User Role, Context, and any restrictions between the User Roles and Context.
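The following is an added illustration of the role-mapping and provisioning step described in this document; it is not Mavoco CMP or CAS code. It models what the delegated flow has to do with the User Profile returned by an external IAM: translate each IAM Role into a CMP CAS User Group through a configured mapping, refuse a Role that has no mapping yet (a new IAM Role needs a new mapping in CMP CAS), refuse a profile that carries no Role at all (bespoke per-user access is not supported), apply the restrictions between Roles and Context per Account, and cap the number of registered external IAM platforms at 5. The claim names (`sub`, `roles`, `contexts`, `restrictions`), the mapping format, and all sample values are assumptions made for the example.

```python
"""Added example: role mapping and provisioning for the delegated SSO flow.

Not Mavoco CMP / CAS code. Claim names, mapping format and sample values are
assumptions constructed for illustration.
"""
from dataclasses import dataclass, field

# Limit stated in the feature scope: at most 5 external IAM platforms.
MAX_EXTERNAL_IAM_PLATFORMS = 5


class MappingError(ValueError):
    """Raised when a profile cannot be mapped to CMP CAS User Groups."""


@dataclass
class IamPlatform:
    name: str
    # External IAM Role -> CMP CAS User Group (assumed mapping format).
    role_to_group: dict


@dataclass
class ProvisionedUser:
    username: str
    platform: str
    groups: set = field(default_factory=set)
    # Account (Context) -> CMP CAS User Groups effective for that Account.
    account_groups: dict = field(default_factory=dict)


def register_platforms(platforms):
    """Build the platform registry, enforcing the 5-platform limit."""
    if len(platforms) > MAX_EXTERNAL_IAM_PLATFORMS:
        raise MappingError(
            f"{len(platforms)} platforms configured, maximum is "
            f"{MAX_EXTERNAL_IAM_PLATFORMS}")
    return {p.name: p for p in platforms}


def provision_user(registry, platform_name, profile):
    """Map a User Profile from the external IAM onto CMP CAS User Groups.

    profile (assumed shape) = {
        "sub": user id,
        "roles": [IAM Role, ...],
        "contexts": [Account id, ...],
        "restrictions": {IAM Role: [Account ids the Role is limited to]},
    }
    A Role absent from "restrictions" applies to every Account in "contexts".
    """
    platform = registry[platform_name]
    roles = profile.get("roles", [])
    if not roles:
        # Access is defined only through Roles; per-user bespoke access is out of scope.
        raise MappingError("profile carries no IAM Role; role-based access only")

    user = ProvisionedUser(username=profile["sub"], platform=platform_name)
    for role in roles:
        group = platform.role_to_group.get(role)
        if group is None:
            # A new IAM Role must first get a mapping in CMP CAS.
            raise MappingError(f"no CMP CAS User Group mapped for IAM Role {role!r}")
        user.groups.add(group)

    restrictions = profile.get("restrictions", {})
    for account in profile.get("contexts", []):
        effective = set()
        for role in roles:
            limited_to = restrictions.get(role)
            if limited_to is None or account in limited_to:
                effective.add(platform.role_to_group[role])
        user.account_groups[account] = effective
    return user


# Constructed sample configuration and profile (not real identifiers).
SAMPLE_PLATFORMS = [
    IamPlatform("csp-idm", {"iam-admin": "CAS_ADMINS",
                            "iam-account-user": "CAS_ACCOUNT_USERS"}),
]
SAMPLE_PROFILE = {
    "sub": "alice",
    "roles": ["iam-admin", "iam-account-user"],
    "contexts": ["ACC-X", "ACC-Y"],
    # Admin only for Account X; Account User for every Account in context.
    "restrictions": {"iam-admin": ["ACC-X"]},
}

if __name__ == "__main__":
    reg = register_platforms(SAMPLE_PLATFORMS)
    print(provision_user(reg, "csp-idm", SAMPLE_PROFILE))
```

Because the profile is re-read on every delegated login, running `provision_user` again with an updated profile is how the "provisioned and updated during the authentication flow" behaviour is modelled here; nothing is synchronised outside that path, which matches the out-of-scope list above.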
