Tech Blog

Overcoming Configuration Management challenges in Airlock IAM

#IAM
Urs Zurbuchen

With the introduction of the YAML-based configuration format, new options have emerged to address previously challenging scenarios.

In line with goals for increased security operations efficiency, configuration management has garnered growing attention. Industry trends like declarative configuration, config-as-code, and GitOPs, to name a few, have gained significant traction and demand new configuration management capabilities:

 

  • Automation
    The functionality of central services, such as customer identity and access management, must adapt quickly and easily to changing application requirements. With today’s number of applications and their rate of change, manual configuration is both unable to keep up and too error-prone, especially under pressure.

    The solution lies in automating simple, predictable and repetitive changes while reserving UI-based work to architectural decisions and solution design tasks.
     
  • Config format as API
    Automation depends on a standardised and stable configuration file format.
     
  • Integration with external tooling
    Products need additional tools to deliver on the promises of modern configuration management paradigms, as UI-based tools do not support the necessary operational workflows.

    However, it is typically not in the customer’s best interest for a product to provide all tooling out-of-the-box. Tools often impose specific workflows that may or may not align with every environment’s requirements. Additionally, various products may use different, and potentially incompatible, configuration management approaches.

    We believe it critical to provide only product-specific tools, for example to validate an automated configuration change before deployment, where such functionality cannot easily be handled by a more generic software.

    For other needs, using prevalent standard tools is often the better choice.

Airlock IAM 8.4 introduces support for config automation, enabling customers to realise these benefits.

 

 

Challenging scenarios

Next to the above advantages, the new configuration model can help with solving two particularly difficult scenarios that Airlock IAM customers have faced:

  1. Concurrent configuration changes by multiple administrators

    With the current Config Editor, an administrator loads the active configuration into their session and applies the changes based on their task. Once changes are complete, the configuration must be activated, becoming the new productive version and the base for future edits.

    Unfortunately, due to the way the Config Editor operates, two administrators working in parallel (often on different configuration areas) can conflict: the latter activation may overwrite the earlier changes.
     
  2. Dedicated teams for specific configuration aspects
    Some customers assign specific IAM configuration aspects to dedicated teams. A common example is key management, where a specialist team handles all encryption and signing keys in an infrastructure.

    Currently, Airlock IAM does not enforce corresponding authorisations. It cannot prevent, for instance, a team managing user authentication and self-service flows from altering a token issuer signing key.

Let’s explore new ways to overcome these limitations.

Figure 1: Central config repository to enable parallel administration

Central config repository

To address the first scenario, we recommend using a central configuration repository, typically Git though other systems are also viable.

Each administrator works with their own, dedicated Config Editor. They retrieve the current configuration using standard mechanisms, e.g. 

git clone https://repository.example.com/project/iam-config

Imagine Peter needs to adjust the configuration to support a new application. After finalising and validating the change, Peter pushes it to the repository. As no other administrator was active, there is no conflict. The automated deployment process takes the new version and distributes it to relevant Airlock IAM installations, which recognise and activate it.

Next, Sue is tasked to add a new option to the onboarding process. She does this by changing some steps in the self-registration flow. Simultaneously, Mary fixes an issue in user notification emails. As her change is very simple, Mary concludes her work in almost no time and pushes it to the repository.

When Sue later tries to tries to push hers, she is notified of the conflict. To resolve it, she simply pulls Mary’s version and merges the updates.

git pull
git merge
git push

This is usually quick and non-interactive—unless they modified the same setting. In such cases, Git tools like WinMerge or Visual Studio Code offer user-friendly ways to resolve conflicts.

Figure 2: Multiple repositories for different aspects

Splitting the configuration

Solving the second scenario requires a different strategy, still involving version control. Here, multiple repositories are used, one per configuration aspect.

Inherent authentication and access control allow to restrict different teams’ access to only their segments.

Two essential preconditions must be met:
 

  • Validation of combined configuration
    The deployment pipeline must validate the complete configuration after assembling from the individual parts from the different repositories. For one, it must verify that all references are available.

    This functionality is included in the standard Airlock IAM delivery. Use the following command:
iam config validate -f <file>
  • Splitting the configuration by aspect: Initially, this requires manually dividing the main “iam-config.yaml” into several smaller files. Best practices on how to do this are beyond the scope of this article. A key challenge is that the Config Editor always outputs a single, merged configuration file, discarding any prior splits.

iam-split2files

While showcasing the capabilities of the new config model, the Airlock Pre-Sales team encountered the same challenge, namely to maintain configuration splits. To address this, we developed a lightweight tool that reconstructs a split configuration. It takes two inputs:

  • A directory containing a previous version of the IAM configuration, split into files.
  • A single file with the updated IAM configuration.

The tool updates the directory using the new configuration, preserving existing file assignments. The split is done so that concatenating the individual files reproduces the single configuration file exactly.

You can find iam-split2files in this repository on GitHub.

Airlock Consulting

If we have piqued your interest and you are interested in exploring the possibilities of the new config model and want tailored advice on how to adopt it in your environment, our consulting team is ready to assist you with your projects.

This website uses cookies
This website uses tracking and targeting technologies (e.g. cookies). Cookies necessary for the operation of the site are set. In addition, we use technologies to analyze access to our website and to personalize content and advertisements. By clicking "Accept all", you agree to the use of the above technologies and cookies (revocable at any time). Under "Settings" you can change your preferences and refuse data processing.
Necessary cookies enable you to navigate our website and provide its basic functionality. Without these cookies, essential functions cannot be provided.Statistics Cookies are used to record the use of our website statistically and to evaluate it for the purpose of optimizing our offer for you.Marketing cookies may be placed on our website by us or our advertising partners to build a profile of your interests and show you relevant content on our and third-party websites. To show you relevant content on third-party websites, we share this information with third parties, such as advertising platforms and social networks.
←  Back
ImprintPrivacy Policy

Information for you

-Our whitepapers-

White paper: The puzzle pieces of modern authentication

Identity management is like a puzzle: you have to understand the big picture, identify the relevant pieces and put them together in the right order. This white paper shows how to do that.

 

Request white paper

Whitepaper: How to make cIAM a success

Increasing requirements for security and user-friendliness make Customer Identity and Access Management an essential. Read our whitepaper to find out how you can secure your competitive advantage with the right CIAM strategy.

 

Request whitepaper

Whitepaper: Security for cloud-native applications

You can read about how companies can ensure the security of web applications and APIs in Kubernetes in the white paper "Security for cloud-native applications", which was created in collaboration between heise and Airlock.

 

Request whitepaper

Whitepaper: Zero Trust is a journey

The ongoing digital transformation of the world is progressing and having a profound impact on our personal and professional lives in ways that were difficult to imagine just a few years ago.


This white paper discusses the effects of continuous digitalization and its impact.

Request free of charge

Off to DevSecOps

In this white paper, you will learn the most important insights into how you can implement DevSecOps successfully and efficiently, which security components are required for this and the advantages of a microgateway architecture.

 

Request free of charge

Airlock 2FA - Strong authentication. Simple.

Double security - this is what two-factor authentication offers in the field of IT security.


Find out more about strong authentication and the possibilities offered by Airlock in our white paper.

Download for free

Further whitepapers

We provide you with free white papers on these and other topics:

 

  • Successful IAM projects
  • compliance
  • Data protection (DSGVO)
  • Introduction of PSD2
  • PCI DSS requirementsPCI DSS requirements
Request free of charge