
Identity & Access Management @ Scheer PAS

Identity and Access Management (IAM) is crucial for maintaining security, compliance and efficiency in modern IT environments, especially as organizations deal with an increasing number of digital identities and diverse systems.

That is why it is not surprising that many prospects ask us how identity and access management works in the Scheer PAS platform. In this blog post I want to shed some light on this topic by explaining the basic concepts and how they are realised in Scheer PAS.

Authentication and Authorization – what’s the difference?

When talking about Identity and Access Management, one can distinguish two separate aspects:  

Authentication is the process of verifying the identity of a user, system, or entity. It ensures that the person or system claiming to be a particular identity is, in fact, who or what it claims to be. When you log in to an online account by entering your username and password, the system checks these credentials against stored information to confirm your identity.  

Authorization is the process of granting or denying access to specific resources or actions based on the authenticated user's identity and their permissions. Once a user's identity is confirmed through authentication, authorization determines what actions or resources that user is allowed to access. After logging into an email account (authentication), authorization determines whether you have permission to read, send, or delete emails, based on your user role or privileges. 

OAuth, OpenID Connect, SAML, ...?

For exchanging authentication and authorization information there are established standards and protocols. The most widely used are OAuth 2.0, OpenID Connect and SAML (Security Assertion Markup Language).

OAuth 2.0 is an authorization framework: it lets a user grant a client application limited access to resources hosted by a service provider without handing that application the user's credentials. It is an open standard, commonly used for securing APIs and for authorizing third-party applications to access user data. On its own, OAuth says nothing about who the user is; it was not designed as an authentication protocol.

OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. While OAuth is focused on authorization, OpenID Connect extends it with an ID token, a JSON Web Token (JWT) that carries claims about the end user and about the authentication event itself. The ID token is digitally signed by the identity provider, so the receiving application can verify that it is genuine and unaltered; a careful recipient also checks the issuer, the audience and the expiry time before trusting it.

SAML is an XML-based standard primarily designed for exchanging authentication data between parties, particularly in the context of web browser single sign-on (SSO). It is often used in enterprise environments.  

Single Sign-On, Multi-Factor Authentication

Modern Identity & Access Management solutions provide additional convenience and security features that are nowadays the de facto standard for enterprise applications. The most important ones are Single Sign-On and Multi-Factor Authentication.

Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications or services with a single set of login credentials (such as username and password). The main idea behind SSO is to simplify the user experience by reducing the need to remember and enter different usernames and passwords for each application.  

The goal of Multi-Factor Authentication (MFA), of which Two-Factor Authentication (2FA) is the most common form, is to increase security by requiring users to present two or more independent factors to access a system or application. Typically these are something the user knows (username and password) as the first factor and something the user has (a one-time code from an authenticator app on their phone, or a hardware token) as the second factor. An attacker who has obtained the password alone still cannot log in, which significantly reduces the risk of unauthorized access from leaked or phished credentials.

What are we doing with Scheer PAS?

In the Scheer PAS platform, we use Keycloak as the central IAM component. Keycloak is one of the most popular enterprise-ready open source IAM solutions and provides a rich feature set: it supports Single Sign-On, Multi-Factor Authentication and several protocols, namely OpenID Connect, OAuth 2.0 and SAML.

In Scheer PAS, we rely on OAuth 2.0 and OpenID Connect as state-of-the-art authentication and authorization methods, both for Scheer PAS internal components like PAS Designer, Administration, etc., and for custom integration services, APIs and applications built with the Scheer PAS Designer.

Identity & Access Management in Scheer PAS - the approach

Let's assume, for example, that a user wants to access a custom-made application. The browser on the user's device is redirected to the login page provided by Scheer PAS Keycloak. When the user enters their credentials, an authentication request is sent to Keycloak, which checks that the identity exists and that the credentials are correct. Keycloak then issues signed tokens for the user (an ID token and an access token, both JWTs) that carry the user's identity and the roles relevant for the requested resource, e.g. an application for lead management. The browser is redirected back to the application URL with these tokens. The application verifies the token signature and the claims (issuer, audience, expiry) and checks the user's access rights against them. Only if the required rights are present is the application opened in the browser; otherwise access is denied.
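The login flow just described, and the signed-token verification mentioned in the OpenID Connect section above, as an added example that is my own illustration and not Scheer PAS or Keycloak code. It simulates both sides in one process: an identity provider standing in for Keycloak (credential check, one-time code, token issuance) and the custom application as relying party (state check, code exchange, token verification, nonce binding, role check). Assumptions: HS256 with a shared key stands in for Keycloak's RS256 realm key (a real client fetches the realm's public keys from its JWKS endpoint); the realm URL, client id, redirect URI, users and the "lead-manager" role are made up; the `realm_access.roles` claim mirrors the layout Keycloak uses for realm roles.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example, not Scheer PAS or Keycloak code. Assumptions: HS256 with a shared
# key instead of Keycloak's RS256 realm key; issuer, client, redirect URI, users
# and the "lead-manager" role are made up for the demo.
ISSUER = "https://pas.example.com/auth/realms/pas"
CLIENT_ID = "lead-management-app"
REDIRECT_URI = "https://app.example.com/callback"
SIGNING_KEY = b"demo-shared-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: int):
    """Relying-party check: pinned algorithm, signature, issuer, audience, expiry.
    Returns the claims, or None if anything is wrong."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":          # never let the token pick the algorithm
            return None
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, AttributeError):          # bad base64 / JSON / part count
        return None
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class IdentityProvider:
    """Stands in for Keycloak: checks credentials, returns a one-time code,
    then exchanges that code for a signed ID token and access token."""

    def __init__(self, key: bytes):
        self.key = key
        # constructed users: name -> (password, realm roles); a real IdP stores hashes
        self.users = {"alice": ("correct horse battery", ["lead-manager"]), "bob": ("hunter2", [])}
        self.pending_codes = {}

    def login(self, username, password, client_id, redirect_uri, state, nonce):
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
            return None
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = (username, stored[1], client_id, redirect_uri, nonce)
        return {"redirect_uri": redirect_uri, "code": code, "state": state}

    def token(self, code, client_id, redirect_uri, now):
        entry = self.pending_codes.pop(code, None)      # a code is redeemable exactly once
        if entry is None or entry[2] != client_id or entry[3] != redirect_uri:
            return None
        username, roles, _, _, nonce = entry
        base = {"iss": ISSUER, "sub": username, "aud": client_id, "iat": now, "exp": now + 300}
        return {
            "access_token": sign_jwt({**base, "realm_access": {"roles": roles}}, self.key),
            "id_token": sign_jwt({**base, "nonce": nonce}, self.key),
        }


def browser_login(idp, username, password, required_role, now) -> str:
    """Application side: send the user to the IdP, get a code back, exchange it,
    verify both tokens, bind the ID token to this attempt via the nonce, then
    authorize on a Keycloak-style realm role."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    callback = idp.login(username, password, CLIENT_ID, REDIRECT_URI, state, nonce)
    if callback is None:
        return "login failed"
    if not hmac.compare_digest(callback["state"], state):   # CSRF protection on the callback
        return "state mismatch"
    tokens = idp.token(callback["code"], CLIENT_ID, REDIRECT_URI, now)
    if tokens is None:
        return "code exchange failed"
    id_claims = verify_jwt(tokens["id_token"], SIGNING_KEY, ISSUER, CLIENT_ID, now)
    access_claims = verify_jwt(tokens["access_token"], SIGNING_KEY, ISSUER, CLIENT_ID, now)
    if id_claims is None or access_claims is None or id_claims.get("nonce") != nonce:
        return "token rejected"
    if required_role not in access_claims.get("realm_access", {}).get("roles", []):
        return "forbidden"
    return f"welcome {id_claims['sub']}"
```

Running `browser_login(IdentityProvider(SIGNING_KEY), "alice", "correct horse battery", "lead-manager", 1_700_000_000)` walks through the whole exchange. The points a practitioner should take from it: the application never sees the password, the code is single-use and bound to the client and redirect URI, and trusting a token means verifying signature, issuer, audience and expiry, not just decoding it.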

In terms of authentication features, Scheer PAS also supports Single Sign-On, so that users can access multiple applications or services with a single set of login data, and Two-Factor Authentication to enhance security.

For managing user identities there are two options: customers can either store the user information in Scheer PAS Keycloak itself, or connect the Keycloak instance to an external user federation via LDAP (e.g. Active Directory) or to external identity providers via OpenID Connect 1.0 and SAML 2.0. Scheer PAS also provides an easy-to-use application for managing access rights and maintaining user attributes that hides the technical complexity of Keycloak.

In summary, with Scheer PAS we provide a built-in Identity & Access Management with state-of-the-art convenience and security features, while at the same time allowing a high degree of flexibility for customer-specific adjustments, e.g. the integration of several external identity providers. For securing access to APIs, Scheer PAS also includes a separate API Gateway. But more on this, and on API Management in general, in one of the next blog posts... Stay tuned by following Scheer PAS on LinkedIn.

Author: Dr. Christian Linn, Head of Product Development