Implementing the Integrated Windows Authentication (IWA) & Identity Management Solution for HR Shared Services delivery: Challenges
Enterprises are transforming their HR functions and moving from the traditional way of delivering HR services to a new model, shared services delivery. Part of this solution is to build an HR portal which not only acts as the Tier Zero agent of the HR service center and the primary tool for HR customers, such as employees and managers, to access HR information, but is also used by service center staff to connect to the call management system. This service delivery model uses a technology framework comprising several different systems: a system of records (SAP HR), a call and case management system (SAP CRM), a portal (SAP NetWeaver Portal), an analytics system (SAP BW), a knowledge base (SAP KM) and corporate LDAP directories. Consider how many systems support the functions of the HR service center, and that each of them has its own authentication and authorization mechanism. The major identity management challenges here can therefore be summarized as:
- Provisioning & Authorization Management: In the HR shared services delivery model, the system of records (SAP HR) acts as the authoritative system that determines whether a person should exist in the identity store. A provisioning solution must therefore, based on information from the authoritative system, automatically create the user in the other systems and grant the necessary access rights. Even more important, when a user leaves the organization the accounts must be disabled and access rights revoked. Similarly, when a user moves between departments, access rights must be granted and revoked accordingly.
- Desktop or Windows Integration with the portal: Most companies have their own corporate Active Directory as identity store, in which each employee has an account, and employees use their Active Directory ID to log on to their desktop. The portal, which has its own authentication mechanism, must be integrated with the existing Active Directory to avoid the high maintenance cost of repeated logins. Integrating the portal with a single Active Directory is straightforward; however, many enterprises have a multi-domain environment in which the same user IDs exist in different Active Directories.
- Single Sign-On: The portal must be the single point of access to all the other systems, even in a Windows Integrated Authentication world.
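The joiner/mover/leaver logic described under Provisioning & Authorization Management, as an added example in Python that is not part of the original post or of any SAP product: an authoritative HR feed is diffed against the accounts a target system currently holds, and the result is the ordered list of provisioning actions. The department-to-role mapping, the feed fields and the account records are all constructed assumptions.

```python
# Added example: authoritative-source driven reconciliation (not from the post).
# Assumed mapping from HR department to the entitlements a target system grants.
ROLE_MAP = {
    "HR-Service-Center": {"crm.agent", "portal.hr_employee"},
    "Finance": {"bw.report_viewer", "portal.hr_employee"},
}

def desired_state(hr_records):
    """Translate authoritative HR records into the account each target should hold.
    A leaver (status != 'active') keeps a disabled account with no entitlements,
    so the identity survives for audit while every access right is revoked."""
    desired = {}
    for rec in hr_records:
        active = rec["status"] == "active"
        roles = ROLE_MAP.get(rec["department"], set()) if active else set()
        desired[rec["person_id"]] = {"enabled": active, "roles": set(roles)}
    return desired

def reconcile(current, hr_records):
    """Diff current target-system accounts against the desired state and return
    provisioning actions; per user, revocations are emitted before grants."""
    desired = desired_state(hr_records)
    actions = []
    for pid, want in desired.items():
        have = current.get(pid)
        if have is None:                       # joiner: account does not exist yet
            actions.append(("create", pid))
            have = {"enabled": False, "roles": set()}
        for role in sorted(have["roles"] - want["roles"]):
            actions.append(("revoke", pid, role))   # mover/leaver loses old rights
        if have["enabled"] and not want["enabled"]:
            actions.append(("disable", pid))        # leaver
        for role in sorted(want["roles"] - have["roles"]):
            actions.append(("grant", pid, role))    # joiner/mover gains new rights
        if want["enabled"] and not have["enabled"]:
            actions.append(("enable", pid))
    # Accounts with no authoritative record at all are orphans: disable them.
    for pid in sorted(set(current) - set(desired)):
        if current[pid]["enabled"]:
            actions.append(("disable", pid))
    return actions

HR_FEED = [  # constructed sample feed: one joiner, one mover, one leaver
    {"person_id": "e100", "department": "HR-Service-Center", "status": "active"},
    {"person_id": "e200", "department": "Finance", "status": "active"},
    {"person_id": "e300", "department": "Finance", "status": "terminated"},
]
CURRENT_ACCOUNTS = {  # constructed snapshot of a target system
    "e200": {"enabled": True, "roles": {"crm.agent", "portal.hr_employee"}},
    "e300": {"enabled": True, "roles": {"bw.report_viewer", "portal.hr_employee"}},
    "e999": {"enabled": True, "roles": {"portal.hr_employee"}},  # no HR record
}
```

The orphan account `e999` is the case the post's "disabled when a user leaves" requirement quietly depends on: an account the authoritative system never asserted must be treated as a leaver, not ignored.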