Identity and Access Management system for the Department of Information Technology of Moscow
About the project:
In 2019, the integration of Blitz Identity Provider was successfully completed within the Department of Information Technology of Moscow (DIT of Moscow). The Blitz Identity Provider authentication server powers the Identity and Access Management System for Moscow’s Information Resources (abbreviated as IAMSIR).
IAMSIR comprises two circuits: the external IAMSIR and the internal IAMSIR. The external IAMSIR provides Moscow residents access to the official website of the Mayor of Moscow, along with numerous city websites and mobile applications (e.g., “Active Citizen”, “Our City”, “Moscow Electronic School”, etc.). The internal IAMSIR facilitates city government officials’ access to the city’s official information systems.
The system boasts over 8 million users with daily logins exceeding 1 million. IAMSIR is integrated with over 100 websites and mobile applications.
Implementation:
The internal IAMSIR circuit was brought into full operation on the unified Blitz Identity Provider platform, replacing solutions from several vendors, within 3 months of the project's start.
The complete transition of the external IAMSIR circuit to the Blitz Identity Provider platform took 6 months.
Project objectives:
- Replace the existing foreign solution with a domestic software solution.
- Enhance performance and reliability.
- Standardize the software platform used in both the internal and external IAMSIR circuits.
- Simplify the integration of new applications with IAMSIR by ensuring the platform adheres to standard protocols and specifications.
- Enhance user registration and login experience.
- Improve the security of user accounts.
- Provide flexible customization and adaptation of the platform, and ensure seamless integration with the data center infrastructure.
Key results:
The software platforms for both internal and external circuits of IAMSIR have been unified. Multiple software products responsible for user identification and authentication have been replaced by a single solution – the Blitz Identity Provider authentication server.
This change has delivered several improvements:
1. Operational efficiency:
- Operating IAMSIR is simpler and more efficient, since a single platform is maintained instead of several.
- Connecting new applications to IAMSIR is now easier due to the standardized set of protocols and specifications in both circuits.
2. Import substitution: a significant shift from foreign to domestic solutions has been achieved.
3. Performance and reliability:
- IAMSIR now handles peak loads with greater performance headroom while using fewer hardware resources than before. As a result, popular city websites can be connected to IAMSIR without degrading access to electronic government services.
- The Blitz Identity Provider server allows for IAMSIR software updates without service interruptions to users.
4. Security enhancements:
- IAMSIR detects logins from unfamiliar devices and alerts users to suspicious activity by email.
- Users can enable two-factor authentication for their accounts and review their security event history.
- Protection against password brute-force attacks has been added.
5. User experience enhancements:
- Users signing in from a recognized device can choose to be remembered, so they do not need to re-enter their login credentials for up to a month.
- Corporate users have a simpler login: they can sign in with their legal entity account from the Unified Identification and Authentication System (a government services platform). The initial PC setup for digital signature-based login has also been streamlined and now works with any widely used digital signature tool, not just CryptoPro CSP.
- New login modes have been introduced.
6. Administrative ease:
- Customized login pages, user registration, and password recovery interfaces can now be set up for different applications without altering or updating IAMSIR software.
- All IAMSIR integrations are managed through a web-based admin console: new user account attributes can be added, additional user account stores can be connected, and new application connections can be registered without changes to the software.