Executive Summary
A leading digital payments and merchant technology enterprise operating across cloud and on-prem environments faced fragmented access control and complex identity lifecycle management. The organization ran microservices on AWS EKS and legacy monolith systems on-premises, each using independent authentication mechanisms.
To unify identity governance, automate lifecycle operations, and enable AI-driven operations securely, the enterprise partnered with Xenonstack to deploy Agent IAM, an Agentic AI-powered federated identity framework. The solution integrated AWS IAM for cloud workloads and FreeIPA for on-prem environments, connected with ServiceNow, SAP ERP, Salesforce, and Oracle Fusion for automated Joiner–Mover–Leaver (JML) workflows, and supported AI entities like Agent SRE with secure, short-lived access tokens.
Within a few months, the organization achieved centralized access visibility, automated user provisioning, and compliance readiness across its hybrid environment.
Customer Challenge
Customer Information
Industry: FinTech / Payments Platform
Location: APAC Region
Company Size: 2,000+ employees
Business Challenges
The enterprise was expanding rapidly, transitioning from monolithic architecture to cloud-native microservices while continuing to rely on legacy transactional systems hosted on-premises.
This hybrid setup resulted in:
-
Disjointed IAM Systems: AWS IAM handled cloud identities while on-prem applications relied on manual LDAP and local authentication.
-
Inefficient User Lifecycle Management: HR onboarding triggered multiple manual provisioning steps across SAP ERP, Salesforce, and Oracle Fusion.
-
Limited Compliance Visibility: Regulatory audits (RBI, PCI-DSS, ISO 27001) required traceability of user access and activity across hybrid workloads.
-
Shadow Access Risks: Contractors and bots retained credentials even after projects ended due to lack of automated deprovisioning.
-
AI Operations Gap: New AI agents used for SRE and observability needed secure, ephemeral access tokens instead of static credentials.
The leadership aimed to build a unified IAM system capable of automating lifecycle events, reducing manual overhead, and aligning with Zero Trust principles.
Technical Challenges
-
Legacy monolith applications lacked APIs for onboarding/offboarding.
-
Separate user stores in AWS IAM and FreeIPA led to policy drift.
-
Role mapping across SAP ERP, Salesforce, and Oracle Fusion was inconsistent.
-
Manual provisioning through ServiceNow tickets delayed onboarding.
-
Limited audit trail across hybrid infrastructure impacted compliance reporting.
-
Non-human identities (automation agents, bots) lacked centralized access governance.
Partner Solution
Solution Overview
Xenonstack implemented the Agent IAM framework to deliver unified access governance across hybrid workloads.
The architecture leveraged:
-
AWS IAM for cloud and EKS-based workloads
-
FreeIPA for on-premises authentication
-
Keycloak for identity federation
-
Open Policy Agent (OPA) for policy enforcement
-
CUAs (Computer Use Agents) for legacy onboarding automation
Agent IAM was integrated with ServiceNow, SAP ERP, Salesforce, and Oracle Fusion to automate JML workflows, while AI agents such as Agent SRE used Agent IAM APIs to obtain short-lived access tokens tied to specific roles and policies.
AWS Services Used
|
AWS Service |
Purpose |
|
Amazon EKS |
Hosted cloud microservices with integrated IAM roles. |
|
AWS IAM |
Managed users, groups, and roles for cloud workloads. |
|
Amazon EventBridge |
Triggered onboarding/offboarding workflows based on HR and ITSM events. |
|
AWS Lambda |
Hosted CUAs for automating legacy app provisioning. |
|
Amazon RDS (PostgreSQL) |
Central metadata and policy store for IAM records. |
|
AWS Secrets Manager |
Managed credential rotation and temporary tokens. |
|
AWS Step Functions |
Orchestrated JML workflows and multi-application provisioning. |
|
Amazon CloudWatch |
Centralized logging and monitoring of IAM and access activities. |
|
Amazon OpenSearch Service |
Provided dashboards for access audit and compliance reporting. |
|
AWS Bedrock |
Assisted AI entities with token-based access orchestration. |
Architecture Diagram
Implementation Details
The project followed an Agile-DevOps approach with modular rollout and parallel integration streams.
Phase 1 – Foundation Setup
-
Deployed FreeIPA on-prem and integrated with AWS IAM for unified authentication.
-
Configured Keycloak as the federation gateway between on-prem LDAP and AWS services.
-
Established secure tunnels for hybrid communication using AWS Direct Connect.
Phase 2 – Policy & Automation Layer
-
Implemented OPA-based policy engine for unified RBAC and ABAC enforcement.
-
Integrated HR (Workday) and ITSM (ServiceNow) with EventBridge to automate JML triggers.
-
Connected SAP ERP, Salesforce, and Oracle Fusion using SCIM and CUAs for provisioning.
Phase 3 – AI Identity Enablement
-
Integrated AgentSRE, an observability agent, with Agent IAM APIs.
-
Configured short-lived AWS STS tokens issued dynamically by Agent IAM based on the agent’s assigned role and permissions.
-
All access events are logged to CloudWatch and OpenSearch for continuous monitoring.
Phase 4 – Testing and Rollout
-
Conducted extensive role-mapping validation across SAP, Salesforce, and Fusion.
-
Automated compliance audits using CloudWatch dashboards and OpenSearch queries.
-
Rolled out IAM automation across 10 business units in under 10 weeks.
Innovation and Best Practices
-
Federated IAM Architecture: Unified AWS IAM and Free IPA under a single governance model.
-
AI-Driven Policy Automation: Used Bedrock-assisted logic for dynamic policy recommendations.
-
CUA Framework: Enabled integration with non-API legacy systems.
-
Policy-as-Code: Implemented OPA for consistent policy enforcement.
-
DevSecOps Integration: IAM configurations deployed via CI/CD pipelines validated by GitOps.
Results and Benefits
Business Outcomes and Success Metrics
-
65% faster onboarding via automated ServiceNow-driven JML workflows.
-
Zero manual provisioning across SAP, Salesforce, and Oracle Fusion.
-
Audit compliance achieved under RBI and ISO 27001 frameworks with unified reporting.
-
Centralized governance across hybrid workloads (AWS and on-prem).
-
Reduced operational overhead by 50%, enabling IT teams to focus on innovation.
-
AI Agent access fully governed, reducing credential misuse and compliance risk.
Technical Benefits
-
Unified authentication across AWS IAM and FreeIPA.
-
Policy consistency ensured through OPA Policy-as-Code.
-
Secure, short-lived tokens for AI and automation workloads.
-
Centralized audit logging with CloudWatch and OpenSearch.
-
Improved scalability for EKS microservices with automatic IAM role synchronization.
Customer Testimonial
Lessons Learned
Challenges Overcome
-
Directory synchronization between FreeIPA and AWS IAM required custom attribute mapping.
-
Legacy applications needed secure, low-latency CUA automation pipelines.
-
Policy rationalization across SAP, Salesforce, and Fusion required multiple validation cycles.
Best Practices Identified
-
Start with a unified policy baseline before enabling cross-environment federation.
-
Implement CUA bots only after securing UI-level automation credentials via Secrets Manager.
-
Maintain separate OPA policy sets for human and AI identities for better traceability.
Future Plans
The enterprise plans to extend Agent IAM to cover:
-
Cross-account federation across AWS Organizations for partner ecosystems.
-
AI-based anomaly detection in access patterns using AWS Bedrock.
-
Additional SaaS integrations (Slack, Jira, GitHub) for full enterprise coverage.
-
Continuous compliance automation with AWS Audit Manager integration.
Xenonstack will continue to enhance the IAM governance model to support scaling AI-driven enterprise automation and deeper cross-cloud integrations.
.png)
