How to Build Your Own Identity & Access Management Using Free Open-Source Components?

Does your HR department ask for fast and standardized onboarding and offboarding for internal and external teams? Does your helpdesk want SSO access to all essential apps to reduce password reset requests? Do your department heads need independent user and group management to quickly grant their employees access to the right applications? Is your compliance officer demanding multi-factor authentication to protect critical systems and pointing out increased legal requirements for data protection and security? At the same time, your IT infrastructure is becoming more expensive and complex due to the demand for flexibility (cloud, BYOD, virtualization), and you need to cut costs?

You are not alone!

Experienced IT admins know: Open-source tools offer numerous opportunities to implement these functions without software licensing costs. Additionally, these data protection and security policies become manageable and transparent, as they can be operated independently and flexibly while keeping all data under your control.

At the same time, there is a convenient answer to all these requests: Identity & Access Management (IAM). There are many IAM systems available, each with various expensive licensing models.

So how do you decide how to proceed with the implementation?

This guide will help you make informed decisions that save time and resources.

Step 1: Educate Yourself About Protocols and Standards

• Single Sign-On (SSO): Allows users to log in once and access multiple applications. Utilizes protocols such as OAuth2, OpenID Connect, and SAML.
• User and Group Management: Centralized management of users, groups, devices, and roles (e.g., via OpenLDAP).
• Multi-Factor Authentication (MFA): Integration of mechanisms such as SMS, TOTP, or hardware tokens.

Step 2: Analyze Your Requirements

• Security and Compliance Requirements: Do you need centralized access management, compliance with standards such as GDPR, ISO 27001, or BSI Basic Protection?
• Federated Identity: Which external identity sources (e.g., Microsoft Active Directory) do you need to integrate?
• Self-Service Features: Allow users to reset passwords or change their name and contact details.
• Role and Permission Structure: Consider how complex your management processes need to be. The HR department and the respective team leads are the first points of contact for this.
• Multi-Tenancy: Is a clean separation between organizations required?
• Applications to be Integrated: Which applications should be connected? What standards and interfaces can be used for this?

Step 3: Plan Operation and Maintenance

• Scalability: Should the system be cloud-based or on-premise?
• API Protection and Access Control: Secure APIs with OAuth2 tokens.
• User Analytics: Use logs and reports to analyze activities and access.

Although open-source solutions are often free of licensing costs, there are still ongoing costs and opportunity costs associated with implementation and operation. These costs can be broken down as followed:

1. Direct Costs:
   • Infrastructure: Server costs for on-premise or cloud operations (e.g., AWS, Azure, Google Cloud).
2. Indirect Costs: These must be considered for each component, and maintenance and further development are often “forced” upon you, as components are released in new versions and migration paths must be implemented to avoid being stuck with outdated, unmaintained versions.
   • Initial Implementation: These costs can occur multiple times across various solutions: with time investment depending on team size and experience. This includes:
     • Requirements gathering and planning.
     • Setting up directory services, authentication servers, and SSO integration.
     • Testing and documentation.
   • Regular Maintenance: For example, updates, user management, and security monitoring.
   • Further Development and Adjustments: Annually, to integrate new applications or adjust access policies.

3. Additional Costs:
   • One-time Training: Initial costs to train your team in using the tools and maintenance.
   • Regular Training: To ensure your team is aware that they bear sole responsibility for support, updates, further development, and security of the identity management system.
   • Support: External support, if needed.
   • Opportunity Costs: Your IT admin team is heavily involved in managing and adjusting the Identity & Access Management system. In a DIY solution, we often see that IT admins also have to take on functional administration tasks, as the systems are too complex for non-IT personnel. This leads to high communication overhead between functional and IT administration. Consider what other strategic goals your company could pursue instead.

Conclusion

Building a DIY Identity & Access Management system with open-source components can only be worthwhile under very specific conditions. You will need:

• Deep technical know-how within your IT team, as well as experienced staff who can plan sufficient capacity for the project in the long term.
• Static and clearly defined requirements that do not change significantly over the years, as this helps avoid communication overhead.
• A long-term stable personnel budget to ensure operation, maintenance, and further development without external support,
• A risk mitigation plan, because without a vendor, IT admins are solely responsible for security, downtime, and failures, with no external support.

DIY means that you bear full responsibility for support, updates, further development, and security. Even with these prerequisites, the effort is significant—and the savings from the absence of licensing costs are often consumed by high internal operational and development costs.

With a solution like Univention Nubus, you gain the security and flexibility of open source while saving time and resources, as Nubus is built on a proven and flexible platform designed for IAM. Nubus offers you:

• Maximum flexibility and adaptability to your specific requirements,
• Transparency and independence through the use of open-source standards,
• Scalability for growing organizations,
• And a significant relief for your IT team, as many functions and applications are already integrated and ready to use.

Another advantage of Univention Nubus is the flexibility in deployment. You can run Nubus either directly on the Univention UCS appliance or in modern environments like Kubernetes. This keeps you independent of specific hardware and allows you to seamlessly integrate the system into your existing infrastructure—whether on-premise or in the cloud.

Instead of investing time and money in the development and maintenance of a DIY solution, you can benefit from Univention Nubus, a proven platform that efficiently and cost-effectively meets your requirements.

If you would like to learn more about Univention Nubus and the benefits for your company, we would be happy to advise you. Together, we can find the optimal solution to future-proof your identity and access management.

Image source: Icon created by zero_wing from flaticon.com