Organizations Involved

A prominent government administration of one of the fastest growing and most industrialised economies in North America had comprehensive requirements arising from its obsolete security and access management system, which left its website prone to vulnerabilities and cyber attacks. The name of the institution is not disclosed for privacy.

Governments are increasingly becoming a favourite target for cybercriminals. They therefore need IAM solutions to sustain and safeguard their digital presence against compromised user credentials, ransomware and information theft.

miniOrange partnered with this government institution to reconstruct the security infrastructure and build a robust Drupal website equipped with an Identity and Access Management system. The miniOrange Drupal development team helped lead architecture, development and coordination through to the implementation of the IAM solution on the Drupal website.

About the project

Requirements - 

  • All users trying to access the website's contents must register with a valid phone number and email address. 

  • Every time a user attempts to log in to the site, two-factor authentication should be invoked based on the user's role.

  • There are more than 70 third-party applications into which users should be able to SSO using Drupal credentials. These applications may support different protocols such as SAML or OAuth/OpenID.

  • User data should be managed in such a way that any user information updated on the Drupal site is synced with the third-party applications on the fly, and vice versa.

Challenges - 

  • One of the major challenges of this project was the narrow timeline and coordination with the rest of the teams.

  • Since the site had an obsolete infrastructure, implementing a sturdy IAM system required a serious rethink.

Implementation - 

The ultimate goal of this project was to make the Drupal site a complete Identity and Access Management system in itself. The miniOrange Drupal IAM solution, a package of six primary contributing modules, was configured on the institution's Drupal site. The modules are:

  1. OTP Verification Module

  2. Website Security - Secure Login / Network Security

  3. Two-Factor Authentication / Passwordless Login

  4. User Provisioning and Sync

  5. SAML IDP 2.0 Single Sign On (SSO) - SAML Identity Provider 

  6. Drupal OAuth Server (OAuth / OIDC Provider) - Single Sign On (SSO)

Drupal as IAM Components (Modules)

All these miniOrange Drupal modules came together to create a robust IAM solution package for the government organisation.

The OTP Verification module comes into play when a user first registers on the Drupal site. The user is required to verify both the phone number and the email address. This removes the possibility of a user registering with either a fake email address or an invalid mobile number. The module checks that the email address/mobile number exists and that the user is able to access it.

The Website Security - Secure Login / Network Security module was used for two principal requirements: role-based IP restriction and enforcing strong passwords for all users. Although Drupal suggests a strong password, it does not enforce one on users. To overcome this minor snag, the policies of the Website Security module were used to enforce a strong password for all users.

The Two-Factor Authentication / Passwordless Login module fulfilled one of the fundamental requirements of the organisation. The goal was to force additional authentication at login for site administrators, who have complete access to the site, to avoid unauthorised access in case of compromised credentials. With the help of the role-based feature of the miniOrange 2FA module, this requirement was fulfilled with ease. The module was configured to invoke 2FA only for the selected roles, and other roles were allowed to log in with their credentials.

The SAML IDP module and the OAuth Server are the core modules of the Drupal IAM solution. The requirement put forth was a straightforward Single Sign-On (SSO) use case: the organisation wanted users to be able to SSO into the third-party applications so that they only have to use one set of credentials, namely those of the Drupal site. There were more than 70 applications/sites connected to the Drupal site using either the SAML or the OAuth/OIDC protocol. The IAM solution on the Drupal site enabled Single Sign-On for SAML as well as OAuth/OIDC through the miniOrange SAML IDP and OAuth Server modules.

User Provisioning and Sync is a salient feature of the Identity and Access Management (IAM) solution that refers to the automatic synchronisation of user data across multiple systems concurrently. It provides speedy and careful allocation and provisioning of digital user identities, so that users are given access to exactly what is needed. This module is one of the crucial components of the miniOrange Drupal IAM solution, as it syncs user data from the Drupal site to the third-party applications on the fly.

All these solutions come together to construct a one-stop solution for all the Identity and Access Management requirements for a Drupal web application.

The solution was delivered and configured on the Drupal site within a narrow timeline. These modules extend the functionality of the Drupal website and make it completely secure as an IAM in itself.

Outcome - 

  • The website of the government organisation was made completely secure, with the Drupal site acting as an Identity and Access Management solution in itself.

  • The IAM solution was deployed on the Drupal site while maintaining the privacy and integrity of the data, which was one of the major concerns of the organisation.

Why Drupal was chosen

  • Drupal was utilised for its ability to scale and its flexibility.

  • Drupal is highly scalable. The Drupal core can be extended for additional functionalities through Drupal modules, which is one of the CMS' core strengths, making it an obvious choice.

  • Drupal was chosen for its inbuilt security. The Drupal security team closely monitors and analyses any vulnerabilities in both the Drupal core and its modules.

Technical Specifications