Architecture

learn about raidiam connect functional architecture and all components of the platform security components \# component description 1 internet perimeter defence layer a comprehensive, defence in depth internet perimeter comprising the following capabilities intrusion detection and prevention service (ids/ips) network firewalls and network access control web application firewalls ddos protection internet gateways 2 load balancer & transport termination hyper scalable application load balancer to distribute traffic within and across geographic regions and data centres with heartbeats and autoscaling built in tls termination device to enforce tls cipher suites and policies to meet fapi standards and certification including certificate validation and http header forwarding 3 api service tier / policy enforcement point (pep) a pep is an identity enabled access gateway component that serves as a gatekeeper to a digital resource it operates as a reverse proxy gateway, deployed between the consumer of the resource and the resource itself that it protects comprising a flexible policy engine, it intercepts all incoming requests and evaluates by obtaining a decision (allow or deny) based on defined policy and then enforces that decision e g permit onward connection to resource the server hosts and exposes the protected resources that the pep is protecting in oauth2 terms the iam pep is performing the role of oauth2 ‘resource server’ and is also capable of accepting and responding to protected resource requests using access tokens that it introspects with an authorization server 17 common security services common security services consist of services designed to protect the integrity, availability, and confidentiality of the platform these services include privileged access management, multi factor authentication, authorization, data encryption, intrusion detection and prevention, security event logging and monitoring, and vulnerability management directory components \# component description 4 directory services directory services comprise all the essential api endpoints required for interacting with the directory these services are securely protected using mutually authenticated tls (mtls) all directory apis are served following the restful architectural style, providing a standardized, stateless communication method that allows for scalability, simplicity, and performance 5 directory user interface directory ui is the web based graphical user interface frontend component that interacts with directory services it provides a visual interface that administrators and users can interact with to manage and access the resources of the directory all functions available through the gui are similarly available through the api as an api first platform 6 openid provider (op) & idp openid provider (op) is a system that implements the provider role of an openid connect system and issues identity tokens that describe who is authenticated as part of an oauth2 authorization identity provider (idp) is a system that creates, maintains, and manages identity information for all principals (users, services, or systems) it provides principal authentication to other service providers within a federation or distributed network and sends attribute assertions containing trusted information about the user an ipd is also the component responsible for implementing multi factor authentication of users and authenticating oauth2 clients / oidc relying parties finally, it is the central identity provider and federation point for any ecosystem enabling single sign on functionality for all registered users 7 persistent database a persistent database stores and manages all data in the system in a highly scalable and redundant fashion this database provides a way to save and retrieve data across different sessions or over a long period of time the data stored in a persistent database is often structured (both relational and non relational) and can be queried and manipulated learn more about centralized directory docid\ kt2uiavikzfzklbevp1 g public key infrastructure components \# component description 8 registration authority a registration authority (ra) is responsible for verifying the eligibility of pki participants and ensuring the accuracy of information provided during the certificate request process an ra is responsible for screening / validating the certificate request from the applicant / subscriber and deciding if it should be accepted and if acceptable, submitting the certificate request to certificate authority (ca) for signing 9 certificate authority a certificate authority (ca) authenticates the identity of the subscriber entities and binds them with a cryptographic key the ca manufactures (digitally signs the public key submitted with its private key) and issues the digital certificate and returns it to the ra for onward transmission to the subscriber these digital certificates are used in public key cryptography functions 10 certificate validation services certificate validation services are used to verify the authenticity and validity of a digital certificate this can include checking the certificate's status (whether it's active, revoked, or expired), verifying the certificate's signatures, and ensuring the certificate was issued by a trusted certificate authority 11 key management services key management services (kms) deal with the secure lifecycle management and administration of cryptographic keys used to encrypt or digitally sign data this includes dealing with the secure generation, exchange, use, storage and replacement of keys kms encompasses key lifecycle management, key storage, and cryptographic functionality 12 public key stores (jwks) public key stores (jwks) are the hosted json web key sets (jwks) for each organisation and software instance in an ecosystem the system maintains active and inactive keys at individual software and organization level which correlates to the status of the corresponding digital certificate a centrally managed and integrated public key store (in jwks format) is critical to ensuring that the ecosystem api consumers and relying parties have a single trust anchor and location to obtain the necessary public keys learn more about public key infrastructure docid\ ukxpxzgjtt4iswg9nbxe0 common services \# component description 13 email notifications email notifications service sends an email message based on certain triggers or conditions they can be used to alert users about important events, updates, or confirmations in the directory 14 sms notifications sms notifications service sends text messages to a user's mobile sms device based on specific events or conditions used in multi factor authentication process 15 esignature services esignature services provide the capability to electronically sign documents, verifying the signer's identity and their intent to sign the document this service is legally recognized in many jurisdictions and is used for contracts or other official documents 16 administration services administration services provide administrators with the capabilities to manage, control, and monitor the platform this includes user management and monitoring system activity