Okay, so hi, my name is Hans. Like the previous talk, this talk will also not be about AI. I will talk about, yeah, exactly about how the HTI group, which I will explain in a second, really tried to take the digitalization to the next level with the help of Thales in the context of identity management for our business customers. So first of all, my name is Hans. I am head of data integration in the HTI group and let's have a look at what the HTI group is.
Actually HTI stands for High Technology Industries and we are actually a set of companies who manufacture equipment in the field of winter sports technology, urban mobility, material transport, vegetation management and renewable energies. Let's have a look at how these products look. So for example, on the top left we can see some ropeways, cable cars is another name. In the winter area, probably if you are a skier you were already using one of our products, or it brought you to the mountain, or you were skiing on snow which was manufactured by us or prepared by us.
So additionally now, especially with ropeways, we are also going much more into urban mobility. For example, this picture here is in Mexico City, because ropeways are a good technology if it's a very hilly situation in a city, for example. But now we are also diversifying our set a bit, for example with wind turbines and so on. We are trying to not just focus on the snow area, but a lot of our companies' customers are actually ski resorts. And now for sure the question is what does this have to do with identity management and customer identity management?
Because we just saw mechanical machines. Why do we need identity management here? It's actually the case that these mechanical products are supported by an ecosystem of applications because first of all it's needed to control those systems. For example, here you can see that's inside a snow groomer, which is a vehicle which can prepare snow.
This is nowadays like a computer, you have a joystick, you have a tablet where you can do all your settings and so on and you can really prepare the slope in an ideal way.
We have snow measurement systems where we can tell to the centimeter how much snow is underneath the vehicle and so on. Additionally, these control systems are supported by reporting so that they can then optimize the way they work with this equipment. We need to do maintenance or the customer needs to do maintenance on those machines.
Also, sometimes there are parts to exchange. So all this mechanical equipment is really supported by an ecosystem of applications, and who are the users of those applications? They are mainly managers who want to get an overview of what's going on in their ski resorts, how the equipment is performing. Then operators who control the equipment and mechanics who then maintain it, and they really want to do that in the most efficient way and for that they also need access to those digital applications.
How is the current status? So the current status is that we are a manufacturing company.
The digital world is new for us. So we created a parts shop. The parts shop needed a login, so in the parts shop development we created a login, we store the data there, we have a user base in the parts shop and so on. Then next we needed a learning platform.
Again, we created another digital identity. For the user control system, another digital identity. So a lot of our users actually have many of our applications. So they have a digital identity for each of the applications. We have quite a seasonal business. So for example, mechanics, before the start of the season, are doing checks whether the machines are working, they are exchanging parts, they forget the password for example. That happens all the time and they need to remember five different credentials.
Another problem is we have completely different onboarding flows, different login screens, different ways of registration. So every single application, although it's part of the group or even part of the same brand, we call it the same company, is looking completely different.
Another situation is that we as a group or our brands need to invite the people or add the users to the system, and that happens normally via telephone or via email. And also then in a ski resort, for example, where we need to invite the employees of the ski resort, we also have the issue that we need to manage that internally. So the customer, for example, calls us or sends us an email and tells us, okay, please add this person as mechanic to this application.
So there are a lot of pain points actually. So like I said, so first of all, inconsistent user experience.
So users are getting quite frustrated and this also means it's a decrease in trust in the product because if you for example use our mechanical products, you really have the feeling that they are high quality and performing well. But then if you go into this digital world, everything seems separated. Another point is what I mentioned just before, the internal effort of managing the users.
Like I said, we have a very seasonal business, which means for many months the users are not using the applications and then when they start using the application, they need to log in, they forgot their password, need to call us. It's not ideal. And also this creating and managing of users on behalf of the customer. So it's always us who need to do that job.
Then, also from a kind of security point of view, the customer data is stored in different systems and applications. So in the end we store the same end user many times.
So once for each application, and all of these applications have different policies, different rules, there's no governance which leads all this to a harmonized way of how we deal with the customer's data actually, and this really means it's not ideal for the customer but also it increases the complexity and costs of maintaining these separate systems. So every time you implement an application you need to also think about how you handle the user management. So we said we have to stop this, we need to really come up with a more, yeah, a better system in the end.
Also we would like to allow single sign on between the applications. At the moment you need to always log in. If you access a new application, you need to remember your credentials, log in again and most of the time they forgot the credentials. What a negative effect is also of that is the user chooses very simple passwords for example because it's easy to remember.
So we said we need to set up some goals and come up with a solution.
So we said okay, first of all we want that you, the user, can log in to various applications across the brands because, like I said, many of our users actually have products of more than one brand, especially in ski resorts, so that you are able to log in with a single login. So you don't need to have many credentials anymore. You're getting one single identity and with that identity you can log in to the different applications. We also wanted to harmonize and standardize the login and onboarding flows. So you don't have, like shown before, different login screens always looking different.
We want to harmonize this so the login screen should always look the same. I mean it's quite similar as Microsoft or Google. It doesn't matter whether you use Google Drive, Google Gmail, the login is always the same.
Another important thing is providing more self-service capabilities. First of all, password management, which is actually quite standard, but also this delegation of user management so that we can invite for example the resort manager and then give them the tools so that they can manage their own employees by themselves. This is not just important so that
we have less work in the end or we distribute the work to the ski resorts, but also for safety reasons. We have some kind of mission critical applications where you need to have specific roles as well. We want the customers to choose what roles they give to the employees and not that we are responsible for doing that. Another important point is where the user data is, and we want to give the control of the user data back to the customers.
At the moment with these 20 applications, 20 digital identities, it's really hard to get control of the user to get control of their personal data to sum exactly next point we have. So in ski resorts especially, we sometimes have quite some challenges with connection and the availability of internet in the end. So we have machines for campus for example snow groomers, also ropeways, which are not always online. So we also need to have a possibility to give access to those applications which can be offline. That was a very important thing.
We also had to consider because we really want to give access to all the digital tools, which also includes the control systems
In the end, yeah, focus is protecting our customer and customers and our brands.
To summarize this in the end,
So we were looking really for a proper customer identity management solution where, with one key or one identity, we allow the user, our business user, to access different applications like reporting applications, getting notifications if sensors are wrong or not working well, getting access to web shops but also getting access to the machines themselves.
So for example, that I can really get into the control system of a ropeway, that I can open a snow groomer or start the engine of a snow groomer with one single identity, because more and more also these mechanical machines are actually becoming digital tools or software in the end. But now we had a problem because this is not our core business. So our core business is manufacturing equipment. It's not creating an identity management solution.
So we had many discussions, how should we approach that and should we really go into building something by ourselves or should we think more about use or buying it as a service? In the end,
That's where we got in touch with Thales and their OneWelcome Identity Platform, and we analyzed that platform and what we liked is really the modular approach because the different modules matched quite well with our goals in the end. So first of all, this whole user journey orchestration, which means standardized logins, how you handle password reset, passwordless access and so on.
All these capabilities, or multifactor authentication. So all these capabilities around how the journey is for the user. The second part is the delegation and relationship management, which means we can invite the main manager of a ski resort to the system and delegate all this management of its employees. We can self-manage that in the end. The third part is the consent.
So we wanted to give, like I said, the control of the data back to the user, and the consent module allows us to really give them an overview where they gave consent, when, to which application, for what, and all this is backed by this identity and access core system and especially based on standards like OAuth 2, what we were hearing in the talk before, and also OpenID Connect to allow all the applications to kind of be connected via single sign-on.
So what we came up with is actually we created this one secure id which has the goal to really enable easy access to the applications of the companies and partners of the HTI group with a single login. So this is not a completely new concept. We have Apple ID, Google ID and so on. Here the challenge was for sure that we have this kind of independent companies being part of a group and to really agree that every single user will get a single identity and can therefore access with that single identity all the applications of all the group.
So we had many discussions also with Thales about it, how we could achieve that. And first of all we started based on our goals, how can we standardize the login and onboarding flows. So we came up with a common view in the end how you can log into all the different applications.
So every time when you need to log into a system you will get the same screen. This looks quite simple now probably, but we had many, many discussions, especially with the brands for example, brands want to have marketing material in there.
But then we actually did also research and together with Thales we decided actually here it's about login. We should remove all the kind of distraction from the screen and just focus on login, and we can see that also now new modern car manufacturers are also going into this direction. So like I said, it sounds simple now if we see it, but we had many, many discussions to get there, because then the marketing can happen on the landing page or in different areas. But here we are focusing on logging in the user, with a small exception.
We actually allow to set the logo on the login screen.
So Thales has this functionality of multi-brand. So we have the possibility, if a brand wants to, that we can switch it on for specific applications. We can also show a logo but we really want to reduce it to that element and not have like marketing or pictures of our mountains and so on in there. All these login screens are actually supported by what we introduced, kind of a my account self service page, where we said we need to give the control to the customers.
So on their my account self service, this is also independent of the specific applications. You are here really as a user in the world of your digital identity of the group. You can change your profile, like language, name, and you have also other possibilities. If you have the right rights, you can also manage your own employees in the ski resort.
So you can add new users, you can change their permissions, you can delete them.
You can also put time-based rules on it because we have a very seasonal business, that means we could have a driver of a vehicle working for the company for two months. Here we have the possibility to give them a digital identity and limit it to those two months. Then automatically he will not be able to log in anymore after those two months or his account will be deactivated. So these are all kind of small things which really help the customer, give them the control and self-service their users.
In the end here we are showing a picture of this delegation where like I said, the user can invite other users, assign them specific roles, raw resource specific applications with specific roles to it. And another element is the consent to also give them a simple view of a list of consent he gave.
We didn't have that before. Now we have the possibility to say, okay, you gave consent at that time for that application, for that reason in the end. And what we are also adding is the capability to remove your personal data from the systems, which is also GDPR conform and so on.
So we have now with this kind of my account page also the possibility to extend more functionality. For example, we could also aim to add at the stage, later stage we could add reporting here. The manager could see how many people connected to their systems and how they use the different applications.
What were the challenges so far? So first of all, it's not easy in a group of independent companies. They're operating quite independently from each other to find an agreement and to come up with a solution which works for all of them. Best example is this login page.
We had so many discussions with the marketing departments of the brands because some marketing guys said no, we need to have marketing material in the login screen. Others said, no, let's go a more straightforward way. So it was really a challenge to find an agreement across the brands. The second part was to find a good architecture design for the delegation model.
And here we really appreciated the interaction with the Thales architects, with whom we discussed many different options, how we could actually find a good solution because we had to find this balance between autonomy of the brands, but using the same solution and then still being able to use a single sign-on, so that you can connect from an application of Leitner to an application of Prinoth, for example.
So here there are different mechanisms.
That system is very flexible and we try to find this balance where only applications of the brands they own, they can control. So you as an employee of one brand, you cannot control an application from another brand, for example. Another challenge is actually migration of existing applications and users to the new solution, which actually we are still working on, and we are taking here really a kind of a step by step approach with Thales.
Together, we started with two applications. We said let's migrate the users of two applications to the new system. So we can also try out a single sign-on mechanism. We chose two applications from two different brands. And here also there are different approaches, for example, live migration, where you don't even need to tell the customer in the end that there's a new kind of solution because we can migrate the accounts kind of on demand, which we used for one application. For another application we used another approach. So here also we had a lot of flexibility.
What is possible.
Another topic which is also still a challenge is kind of this clear understanding what's authentication, what's authorization. Do we also want to centralize the whole authorization part? Here we also still have many discussions. We are also having discussions with Thales. Thales, with the OneWelcome platform, offers a role-based authentication. That's good enough for some of the applications. So we set for all this role-based authorization.
We put that into kind of this my account page where you can add users, you can manage users, you can also set the roles of the users in the context of the applications. For more specific attribute-based authorization, we set that as responsibility of the application and they need to handle it.
Next steps. What are we working on at the moment? So first of all, we are working together with Thales to really add a module to this ecosystem of Thales where offline authentication is possible.
So where we can be offline at certain, not always, but at certain moments in time we can be offline, but still a user can get access to the system. This is very crucial for our environment because for example, we cannot not open a ropeway if there's no internet. So this needs to run also if there's no internet because it's about people transportation and we have some regulations there which we need to fulfill. Also for snow grooming, the vehicles which can prepare snow, again, it should still be possible to start the engine even if the vehicle is offline.
Because in the mountain there is not always connectivity.
Another part is, we really kind of tried to start simple with two applications. Now we are increasing the capabilities of the system. We are also adding multifactor identification for some applications. We have some applications, like for example for ropeways you need to have kind of a daily logbook where you register all that happens on a ropeway, it's regulated by authorities, and here we need to add multifactor authentication for signing this logbook in the end.
So there are different areas we are also looking at, which are not on the slide yet. Also on passwordless authentication and so on. So there are different ways we are trying to make the system better, and additionally we are working on migrating step by step more and more applications to the new system. The end. Do we have, sorry, we're out of time. So we're out of time? Yeah.
Okay, just wrap. That's good.
Oh,
Sorry, sorry, Hani. Sorry I didn't, I thought you were gonna have like another five questions there, but no, no, I'm afraid we haven't got any time for questions, but thanks very much for your presentation. I'm still here, so if anyone has questions. Yeah. Are you on the stand or you're... Yes, I'm at the stand. Okay.
So if you want to catch up with Anna, go to the stand.