Red Forest user management with the IDM-Portal
Delegated user and authorization management in a secure AD environment is a challenge that only a few IAM solutions can handle. The IDM-Portal is compatible with ESAE/RedForest/SAE infrastructure and is used by customers for Red Forest user administration, among other things.
Public city administration with Red Forest concept and IDM-Portal
Following the introduction of a Red Forest, a long-standing IDM-Portal customer – a public city administration in the southwest of Germany – asked whether we could integrate our IAM solution into the new forest structure. Among other things, the aim was to make the IDM-Portal available for the user administration of other subsidiaries. Read on to find out what special features and solutions were involved in this project.
Our customer’s initial situation
Our customer, a public authority with around 2,000 employees, has been using the IDM-Portal for user and authorization management for many years. In the past, the organization worked with a simple domain in which the IDM-Portal was also used.
Organize multiple AD domains in Red Forest structure
Due to a growing organizational structure, a large administrative construct with several companies belonging to the authority developed over the years. Each of these worked separately with their own domains. The administrative burden was enormous and the issue of security was no longer given sufficient consideration.
The customer's IT therefore managed not only the authority itself, but also other companies, e.g. a hospital group, each of which had its own domain.
Reasons for introducing Red Forest user management
Legal requirements demand that the customer works exclusively on-premises. In addition, the customer rated the Red Forest concept as particularly secure. For this reason, the decision was made to introduce it organization-wide. Read our article Red Forest and IAM in Active Directory environments, which explains why a Red Forest concept is still a good choice for many companies.
One requirement was, for example, that no admin passwords may be stored on devices. In order to make changes on devices, administrators will in future have to log in via an admin domain.
As part of the central IT management of the various companies, each with their own (user) domains, Outlook/Exchange was rolled out as a first step.
The Red Forest structure enables centralized application management for different user domains of the individual companies.
The typical structure for the individual forests/domains:
- Resource forest
- User forest
- Admin forest
Goals of the Red Forest rollout and Red Forest user management
With the realignment, which focuses on on-premises operation, the customer wants to achieve the following goals:
- Consolidation of domain administration and secure integration of companies
- Centralized Exchange On-Premises with uniform Exchange infrastructure for all companies to simplify the administration and maintenance of Exchange
- Protection of the administration against external attacks through separate admin accounts
- Standardization of user administration across all companies, i.e. Red Forest user administration with the IDM-Portal in the resource forest:
  - Implementation and testing of the IDM-Portal basic functions in the Red Forest domain structure
  - Implementation and testing of the extended IDM-Portal functionalities
  - Transfer from the PoC to live operation
IDM-Portal in resource forest for standardized identity management
The organization had already set up the Red Forest itself and merged the companies into a cohesive Red Forest structure in advance.
Integration of the IDM-Portal
FirstAttribute was involved in the integration of the IDM-Portal into the resource forest. In general, the resource forest contains the applications (e.g. Exchange On-Premises) that a company needs for its business operations. The IDM-Portal was also integrated into the resource forest to enable the administration of all companies.
The IDM-Portal configuration was then adapted so that the user accounts and their applications could be controlled in the respective forests.
In the standardized user administration, name generation, password and compliance rules, and also the creation of an Exchange mailbox run as usual via a single IDM-Portal interface.
Special features of Red Forest user administration
This is where the particular challenges lie: both the IDM-Portal and Exchange are located in the resource forest, while the user to be edited is in the user forest. The user forest can in turn consist of several domains. Whenever a user is edited and other applications are involved, cross-forest access is required.
Red Forest user management therefore also means:
Organize and integrate identity management across multiple domains and even forests.
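Before an application hosted in the resource forest can edit accounts in the user forest, the forest trust it relies on must exist in the right direction and with the expected hardening (selective authentication, SID filtering). The following PowerShell snippet is an added example and not code from the original article or from the IDM-Portal product; it uses only the standard ActiveDirectory module, and the forest name and the sample account are hypothetical placeholders. It lists the trusts visible from the resource forest and then resolves one account in the user forest via the trust, which is the read access an identity management tool needs at minimum.

```powershell
# Added example (not from the original article or the IDM-Portal):
# run on a management host in the resource forest to check the trust
# to the user forest and resolve an account there across that trust.
Import-Module ActiveDirectory

$userForest = 'users.example.internal'   # hypothetical user forest name
$sampleUser = 'jdoe'                     # hypothetical account in the user forest

# 1. Trusts known to the resource forest: direction and hardening state.
#    For a resource forest hosting Exchange and an IAM tool, the user forest
#    must be trusted in the direction that lets its users authenticate here,
#    and SID filtering / selective authentication should be left enabled.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication, SIDFilteringForestAware |
    Format-Table -AutoSize

# 2. Locate a writable domain controller in the root domain of the user forest.
$forest = Get-ADForest -Identity $userForest
$dc = (Get-ADDomainController -DomainName $forest.RootDomain -Discover -Writable).HostName[0]

# 3. Read the account in the user forest through the trust, under the
#    identity of the calling session (no stored admin password on the host).
Get-ADUser -Identity $sampleUser -Server $dc -Properties mail |
    Select-Object SamAccountName, UserPrincipalName, mail, Enabled
```

If step 3 fails with an access-denied error while step 1 shows the trust, the usual cause is that selective authentication is enabled and the calling account has not been granted "Allowed to Authenticate" on the user-forest domain controllers; grant that right to the tool's service account rather than weakening the trust.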
Project completion and your secure IAM project
As a result of the successful project, our customer now has a standardized IDM-Portal for the user administration of all companies in the Red Forest.
We are on hand to advise you on how to integrate identity and access management securely and efficiently into your Red Forest. As experts in the field of identity and access management for on-premises and cloud environments, we know what is important when it comes to user and authorization management. Get in touch with our friendly team.