My journey in creating a modern identity & access management solution for Gomibo

Imagine juggling multiple passwords, manually assigning access to new employees, and scrambling to revoke permissions when someone leaves, and doing all of that across multiple systems. Our old approach to identity management was unsustainable. As our company transitions from a monolithic system to a service-oriented architecture (SOA), we faced an increasing need for a robust, centralized Identity & Access Management (IAM) solution.
My name is Jarno Jellesma, and I’m a software engineer at Gomibo. For the past six months, I’ve been leading the IAM project to ensure our authentication and authorization processes are scalable, secure, and seamless across all services.
It’s been both a challenging and rewarding experience, balancing responsibilities like designing the architecture, making technical decisions, and collaborating closely with teams across the company. This project has given me the chance to dive deep into IAM, grow my expertise, and contribute to a solid foundation for our evolving platform.
Why we needed this change
In the old system, user authentication and authorization are scattered across multiple applications, requiring employees to juggle different credentials. This leads to excessive administrative overhead, inefficient onboarding and offboarding, and increased security risk. Manually managing access permissions is not only time-consuming but also prone to errors, making it clear that a more streamlined and secure solution is needed.
To address these challenges, we are working on implementing a new system that:
- Centralizes authentication & authorization for our new service-oriented architecture.
- Automates the onboarding/offboarding process by syncing user access with HR data.
- Enables Single Sign-On (SSO) to streamline authentication across all of the applications we use at our company, reducing password fatigue and improving security.
Integration in Phases
As we modernize access control within our company, we are also undergoing a broader transition to a service-oriented architecture. Rather than attempting a complete overhaul all at once, we decided on a phased integration approach for our new solution.
The first step was to integrate IAM/SSO with our newly developed service-oriented system, which will gradually replace our monolithic infrastructure. This decision was driven by necessity: our new system required a more scalable and standardized approach to authentication and authorization from the start. By implementing our solution at this foundational level, we ensured that our future services would be built with security and centralized identity management baked in from day one.
Once our new system is successfully integrated, the next phase involves extending SSO to our existing applications, including third-party tools. This step allows us to unify authentication across all applications that employees use daily. By adopting this incremental approach, we maintain operational continuity while steadily improving security and user experience.
Building a Seamless Experience
Like any great transformation, implementing a new solution isn’t just about adopting new technology; it is about building a seamless experience for everyone in our company. We need to strike the perfect balance: a system that is secure but frictionless, powerful but easy to manage.
To unify authentication across all of our applications, we integrated Okta as our identity provider. Okta provides a scalable, cloud-based authentication platform that simplifies user access across applications while offering strong security features like Multi-Factor Authentication (MFA) and automated user provisioning. This allows us to centralize identity management without adding unnecessary complexity.
We wanted employees to log in once and access everything they needed without thinking about passwords again. OAuth2 with OpenID Connect became our standard for authentication, ensuring a secure, standardized login experience across applications. For authorization, we implemented role-based access control (RBAC) based on the data from our HR system, ensuring that permissions were assigned dynamically based on job roles, rather than being manually managed per user. The architecture of this system is visualized as follows:

One of our biggest wins is removing the hassle of manually creating and updating user accounts. Instead of relying on manual procedures and custom scripts, we integrated the industry-standard SCIM (System for Cross-domain Identity Management) protocol to automate user provisioning. Whenever a new employee joins, their access is automatically assigned. When they leave, access is revoked instantly. This means no more manual work for IT, freeing up their time for more important projects.
To make this work efficiently across all services, we built a custom service that implements the SCIM protocol and publishes updates to our event bus. This way, every connected service remains up to date without needing a direct connection to Okta:
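To make the provisioning flow concrete, here is an added example of what such a SCIM-receiving service can look like. It is illustration code written for this post, not Gomibo's actual service: it accepts the SCIM 2.0 User resource an identity provider such as Okta sends on create or update, derives RBAC roles from the HR attributes in the SCIM enterprise extension (as the RBAC section above describes), and publishes an access-change event to an in-memory stand-in for the event bus. The bearer token, the department-to-roles table, the topic name and the sample payloads are constructed assumptions.

```python
"""Added example (not Gomibo's code): a minimal SCIM 2.0 provisioning handler
that maps HR data to RBAC roles and publishes access changes to an event bus.
"""
import hmac
import json
from dataclasses import dataclass, field

# Standard SCIM 2.0 schema URIs (RFC 7643).
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"

# Assumed shared secret the IdP presents as a bearer token (constructed value).
PROVISIONING_TOKEN = "constructed-example-token"

# Assumed HR department -> RBAC roles table (constructed for illustration).
DEPARTMENT_ROLES = {
    "Engineering": {"repo:read", "deploy:staging"},
    "Customer Support": {"orders:read", "tickets:write"},
    "Finance": {"invoices:read", "invoices:write"},
}


@dataclass
class EventBus:
    """Toy in-memory stand-in for the real message broker."""
    published: list = field(default_factory=list)

    def publish(self, topic: str, payload: dict) -> None:
        self.published.append((topic, payload))


def authorized(headers: dict) -> bool:
    """Constant-time check of the bearer token the IdP sends on every SCIM call."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], PROVISIONING_TOKEN)


def roles_for(user: dict) -> set:
    """Derive roles from HR data; an unknown department gets no roles (least privilege)."""
    department = user.get(ENTERPRISE_SCHEMA, {}).get("department", "")
    return set(DEPARTMENT_ROLES.get(department, set()))


def handle_scim_user(method: str, headers: dict, body: str, bus: EventBus) -> tuple:
    """Handle POST /Users (create) and PUT /Users/{id} (replace).

    Returns (status_code, response_body) the way a SCIM endpoint would.
    """
    if not authorized(headers):
        return 401, {"schemas": [ERROR_SCHEMA], "status": "401"}
    if method not in ("POST", "PUT"):
        return 405, {"schemas": [ERROR_SCHEMA], "status": "405"}
    user = json.loads(body)
    if USER_SCHEMA not in user.get("schemas", []) or not user.get("userName"):
        return 400, {"schemas": [ERROR_SCHEMA], "status": "400", "scimType": "invalidValue"}
    active = bool(user.get("active", True))
    # Deactivation (active=false) is how the IdP offboards: revoke every role at once.
    roles = roles_for(user) if active else set()
    bus.publish("iam.access.changed", {
        "userName": user["userName"],
        "active": active,
        "roles": sorted(roles),
    })
    status = 201 if method == "POST" else 200
    return status, {
        "schemas": [USER_SCHEMA],
        "id": user.get("id", user["userName"]),
        "userName": user["userName"],
        "active": active,
    }


# Constructed sample payloads shaped like an IdP's create and deactivate calls.
SAMPLE_CREATE = json.dumps({
    "schemas": [USER_SCHEMA, ENTERPRISE_SCHEMA],
    "userName": "j.doe@example.com",
    "active": True,
    ENTERPRISE_SCHEMA: {"department": "Engineering", "employeeNumber": "E-1001"},
})
SAMPLE_OFFBOARD = json.dumps({
    "schemas": [USER_SCHEMA],
    "id": "j.doe@example.com",
    "userName": "j.doe@example.com",
    "active": False,
})

if __name__ == "__main__":
    bus = EventBus()
    headers = {"Authorization": "Bearer " + PROVISIONING_TOKEN}
    print(handle_scim_user("POST", headers, SAMPLE_CREATE, bus))
    print(handle_scim_user("PUT", headers, SAMPLE_OFFBOARD, bus))
    print(bus.published)
```

Two design points worth noting: the token comparison uses `hmac.compare_digest` so the endpoint does not leak timing information, and an unknown department resolves to an empty role set rather than a default, so a mis-keyed HR record fails closed.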

A Shift in Mindset
Implementing the new system came with its share of challenges. Moving from a monolithic system to a distributed architecture introduced complexities that required new ways of thinking and problem-solving.
One of the prerequisites was mastering authentication and identity protocols. While OAuth2, OpenID Connect, and SCIM are industry standards, applying them effectively across a dynamic, service-oriented environment required a deep dive into their nuances. We had to balance security with usability, ensuring that authentication flows were both secure and seamless for employees.
Working with a distributed system also required a shift in mindset. Unlike a monolith where everything lives in a single codebase, our new approach meant that different services needed to communicate securely. This led to our event-driven approach, where changes to access are propagated across services in near real-time.
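The consuming side of that event-driven approach has an edge case worth showing: brokers typically deliver at least once and not always in order, so a service that naively applies every event could have a stale "grant" redelivered after a "revoke" and silently restore access. The following added example (written for this post, not Gomibo's code) is a consumer that applies access-change events to a service's local permission store and keeps a per-user sequence number so duplicates and out-of-order events are ignored. The event shape, field names and sample deliveries are constructed assumptions.

```python
"""Added example (not Gomibo's code): an idempotent, order-safe consumer of
access-change events published by a provisioning service.
"""
from dataclasses import dataclass, field


@dataclass
class PermissionStore:
    """Local view of who holds which roles in one downstream service."""
    roles: dict = field(default_factory=dict)        # userName -> set of roles
    applied_seq: dict = field(default_factory=dict)  # userName -> last sequence applied

    def apply(self, event: dict) -> bool:
        """Apply one event; return False when it was ignored as duplicate or stale."""
        user = event["userName"]
        seq = event["seq"]
        if seq <= self.applied_seq.get(user, -1):
            return False  # already applied, or older than the state we hold
        self.applied_seq[user] = seq
        if not event["active"]:
            self.roles.pop(user, None)  # offboarding: drop every role
        else:
            self.roles[user] = set(event["roles"])
        return True

    def has_role(self, user: str, role: str) -> bool:
        return role in self.roles.get(user, set())


def replay(events: list, store: PermissionStore = None) -> PermissionStore:
    """Feed a batch of events, in the order the broker delivered them, into a store."""
    if store is None:
        store = PermissionStore()
    for event in events:
        store.apply(event)
    return store


# Constructed sample delivery: grant, revoke, then the first grant redelivered late.
SAMPLE_EVENTS = [
    {"seq": 1, "userName": "j.doe@example.com", "active": True, "roles": ["repo:read"]},
    {"seq": 2, "userName": "j.doe@example.com", "active": False, "roles": []},
    {"seq": 1, "userName": "j.doe@example.com", "active": True, "roles": ["repo:read"]},
]

if __name__ == "__main__":
    store = replay(SAMPLE_EVENTS)
    print(store.has_role("j.doe@example.com", "repo:read"))  # stays revoked
```

In production the sequence number would come from the publisher (or the broker's partition offset) and the store would be persistent, but the rule is the same: never let an older event overwrite a newer access decision.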
Finally, we learned the importance of an iterative approach and adaptability. Instead of trying to build a perfect system from day one, we embraced a Minimum Viable Product (MVP) mindset, rolling out our new system in phases, gathering feedback, and refining as we go. This not only accelerates adoption but also allows us to identify edge cases early and improve the system incrementally.
What’s Next
At Gomibo, we thrive in a fast-paced, problem-solving environment where engineering challenges aren’t just about writing code, but about designing systems that scale and evolve. Implementing IAM/SSO was a perfect example of this, turning a fragmented, outdated approach into a modern, secure, and user-friendly solution.
This is just one of the improvements we are making in our transition to a service-oriented architecture, and there are many more challenges to conquer. For those who love solving technical challenges, taking ownership, working with modern technologies, and shaping the future of our new distributed system, Gomibo is the place to be.
If you’re looking for a dynamic team where your ideas and expertise can make a real impact, we’d love to hear from you! Who knows? Maybe we’ll tackle the next big project together!