State-of-the-Art Identity and Access Management for the all-new Porsche Partner Network

Porsche AG
#NextLevelGermanEngineering
6 min read, Jan 21, 2021

Using a novel mix of technologies, including services of PingID and iC Consult, Porsche introduces its new login and access solution — PPN 2.0. Herwig Bonin on the challenges, the technology layers and the benefits of having a secure access point for our global retail network.

The Porsche Partner Network (PPN) has been our central login and web-access management solution for the entire Porsche retail IT landscape for over fifteen years. However, with the last major update to PPN conducted in 2009, it was time for a significant upgrade. The inconvenient certificate-based login, and the resulting lack of support for new retail formats, job roles and mobile use cases, did not fit Porsche’s digital retail transformation strategy. Last year, we therefore decided to replace the existing solution with a state-of-the-art system.

Our main objective was the implementation of highly secure, globally available, cutting-edge multi-factor authentication for all Porsche Partners worldwide.

In May 2020, we launched the all-new PPN 2.0. Today, over 45,000 users can access more than 460 applications via single sign-on. In September 2020, we took the second big step and introduced our new management application (PPN Admin 2.0). More than 3,800 administrators worldwide are now able to use simplified admin processes. Onboarding of a new user, for example, has been brought down from 12 hours to two minutes.

Challenges, requirements, and objectives


Prior to PPN 2.0, most of our access management solutions dated back to the early 2000s and therefore lacked a certain degree of flexibility and intuitiveness, as well as suffering from poor performance.

With PPN 2.0, we wanted to develop a new solution, not only with regard to security requirements but also with regard to the development and operations processes (DevOps). Infrastructure and Configuration as Code were therefore required.

With points of sale across the globe, high availability and low latency based on multiple Amazon Web Services (AWS) regions were especially important for our customers. Moreover, we paid particular attention to the modernization of sales at Porsche and the ever-increasing use of mobile devices in the sales process. Modern authentication technologies and standards, such as push-based Multi-Factor Authentication (MFA) and OAuth/OpenID Connect, had to be used to enable new devices and a more flexible way of working with PPN.

To achieve all this, we looked for strong technology partners. With iC Consult and PingID we found the ideal specialists who helped us take our solutions to the next level.

Bringing digital key features to Porsche’s central B2B platform

The product owners behind the Porsche Partner Network

Our new solution consists of Ping Federate, Ping Directory and Ping Access, running on Kubernetes in AWS and provided by Service Layers. Service Layers specializes in the development and operation of Kubernetes clusters for Ping Identity IAM products.

Ping ID is used as a cloud service that provides the required MFA options. To keep users in sync with the legacy systems, we use Ping DataSync in our data centre, installed and operated with Ansible. Ping Directory stores all users and the information about their certificates. Moreover, a provisioning service was implemented to feed this information from the PPN user management portal. Ping Access serves as the single entry point and enforces authentication of the user via OIDC in combination with Ping Federate. Ping Access forwards all authenticated traffic to the Porsche data centre where the applications are located. Ping Federate authenticates the user with different mechanisms (certificates, username and password, Ping ID, and mail OTP). It also provides our users with self-service processes, including password reset and account recovery.

A custom adapter was developed for Ping Federate to accept a legacy cookie as the second factor, but only for specific use cases. All components are deployed in AWS on Service Layers, which provides the Ping Identity stack as a service. This includes several stages from development to production. The combination of AWS and Service Layers allows a multi-region setup with cross-cluster replication and synchronization enabled. The TISAX-certified solution was intensively examined and approved by the security department of Porsche.

Usability, performance, reliability: Benefits and advantages of PPN 2.0

Porsche and our customers benefit tremendously from this state-of-the-art solution, which is based on Ping Identity products. The introduction of a convenient login via Face ID or fingerprint, combined with a modern digital user experience, is a central enabler for all retail applications, job roles, and linked use cases. As a result, mobile devices like tablets and smartphones are now supported and can be used in sales and after-sales processes. Introducing self-service processes (such as password reset and device registration), streamlined administration processes, and cutting-edge standards will massively simplify daily work in Porsche retail and speed up IT processes.

Modern and standardized authentication and authorization protocols (e.g. OIDC) raise the Porsche Partner Network 2.0 to a new level for the future integration of new applications and digital use cases, creating a seamless user experience — reliable and fast. Since it is the central platform for global retail at Porsche, it must provide a performant and highly available login — and it is the enabler for the cloud journey at Porsche.

Moreover, the performance of the access management components has been greatly improved. As a result, usability and user acceptance are now much better. Besides these major benefits, the security of the system benefited greatly from moving away from legacy custom implementations to regularly updated Ping Identity products. The development process is now also state-of-the-art (DevOps, Infrastructure as Code, and cloud-based), allowing much more frequent deployments of the system as well as reducing the effort of staging.

A success to the core

As if these results weren’t enough — we’re very proud to have been nominated as a finalist for the 2020 Identity Excellence Awards in the Cloud Identity Champion category, where the best-in-class identity projects are honoured for their achievements. Thank you!


Herwig Bonin works as the Head of Retail Integration and Network Development at Porsche AG.

Ivo Hermen works as the Head of Digital Integration at Porsche AG.


About this publication: Where innovation meets tradition. There’s more to Porsche than sports cars — we’re tackling new challenges, developing digital products and thinking digital with a focus on the customer. On our Medium blog, we tell these stories. It’s about our #nextvisions, smart technologies and the people that drive our digital journey. Please follow us on Twitter (Porsche Digital, Next Visions), Instagram (Porsche Digital, Next Visions, Porsche Newsroom) and LinkedIn (Porsche AG, Porsche Digital) for more.
