This document provides a high-level understanding of IDHub's architecture. After reviewing it, you should be familiar with the following:
- Key Terminologies Related to IDHub's Architecture
- Multi-Tenant Cloud Infrastructure
- IDHub APIs and Connectors
IDHub is an Identity and Access Management system that is configured rather than coded: deploying it does not require writing a single line of code. Let's look at the inner workings of IDHub and walk through its architecture.
IDHub has two major modules:
- User App - This is for an organization's end users. It lets them:
  - Request Access
  - Track Requests
  - View Own Profile
  - Approve & Fulfill Tasks, etc.
- Admin - This is for an organization's administrators. It lets them:
  - Onboard Applications & Roles
  - Onboard Users
  - Perform Reconciliations
  - Customize Workflows
  - Customize Forms
  - Configure Certifications, etc.
Both modules together provide a robust IDM Application to all organizations.
Sneak Peek at IDHub's Structure
The diagram below shows how IDHub's components and services relate to one another; each of them is described in this document.
The application performs many functions, each independently of the others. Our in-house IDM engine, called the IDE, is broken down into the services that perform these IDM functions. The IDE processes all data changes: it issues changes to the application and receives changes from the application. The services within the IDE are:
- Authorization Service
- Configuration Service
- Core Service
- Data Services
- Notifications Service
- Event Service
- Audit Service
- Provisioning Service
- Reconciliation Service
- Workflow Service
- Reporting Service
These services are packaged as containers and deployed for service discovery and consumption on Docker or Kubernetes.
Alongside the IDE engine and the services within it, IDHub relies on two major components:
- MongoDB - This is our identity vault. It holds the identity data that is synchronized with connected systems, along with configuration details and policy information.
- Keycloak - This provides integration with other identity providers for Single Sign-On and user onboarding.
Multi-Tenant Cloud Infrastructure
Multi-tenant means that multiple tenants (customers of IDHub) use the same IDHub services simultaneously. IDHub's core services are designed to be consumed as a shared resource in a multi-tenant cloud deployment. Regardless of the size of your organization, the cloud offering gives you access to the same data storage, core functionality, and computing power.
Things to note:
- Although compute and core services are shared, tenant data is isolated and protected; data security remains paramount.
- Every tenant has its own dedicated, secured data source.
- Every tenant receives each new product release as an automatic upgrade.
- No product or hardware installation is required with the multi-tenant cloud offering.
IDHub APIs & Connectors
The primary function of any IDM system is to connect to the applications whose identities it manages, and each connected application needs an established connection. An organization can connect applications to IDHub using one of the following methods:
- SCIM Based Connector Service
- REST API Endpoints
SCIM Based Connector Service
SCIM stands for "System for Cross-domain Identity Management". It is an open IETF standard (RFC 7643 and RFC 7644) for exchanging user identity information between systems, and is widely supported by directories and SaaS applications. IDHub's SCIM Connector can connect to:
- Directory services like - Active Directory, Oracle Unified Directory, and other LDAP servers
- Databases and Applications
- Cloud applications like - Gmail, Facebook, Twitter, Salesforce, Okta, Confluence, O365, Dropbox, etc.
The connectors can run on the IDHub server or be distributed to remote servers. IDHub can also be connected to an organization's existing legacy identity management system through a shim, which allows data to be synchronized and shared between the two systems.
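As an added example (not IDHub's own connector code), the following Python shows the SCIM 2.0 exchange a connector performs against a connected application's /Users endpoint: create a user, look it up with a filter, and disable it. The service-provider side is a constructed in-memory fake standing in for a SaaS application so the example runs offline; the transport callable, the class names and the sample user jdoe are assumptions for illustration. It also shows two points a connector author easily gets wrong: treating a 409 "uniqueness" reply as "already provisioned" so that repeated reconciliation runs are idempotent, and quoting the filter literal as a JSON string so a crafted userName cannot inject filter syntax.

```python
"""SCIM 2.0 provisioning round trip between an IDM-side connector and a connected
application's /Users endpoint. The service provider is an in-memory fake so this runs offline."""
import json
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, scim_type, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status),
                    "scimType": scim_type, "detail": detail}


class InMemoryScimServer:  # constructed stand-in for a SCIM service provider
    def __init__(self):
        self.users = {}  # resource id -> User resource

    def request(self, method, path, params=None, body=None):
        """Dispatch like an HTTP server would; returns (status, json_body)."""
        if (method, path) == ("POST", "/Users"):
            return self._create(body or {})
        if (method, path) == ("GET", "/Users"):
            return self._search((params or {}).get("filter", ""))
        if method == "PATCH" and path.startswith("/Users/"):
            return self._patch(path.split("/")[2], body or {})
        return scim_error(404, "noTarget", "unknown resource")

    def _create(self, body):
        if USER_SCHEMA not in body.get("schemas", []) or "userName" not in body:
            return scim_error(400, "invalidValue", "schema or userName missing")
        # RFC 7644 s3.3: userName is unique; a duplicate is rejected with 409 "uniqueness".
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return scim_error(409, "uniqueness", "userName already exists")
        resource = dict(body, id=str(uuid.uuid4()))
        self.users[resource["id"]] = resource
        return 201, dict(resource)  # copy, as a serialized HTTP response would be

    def _search(self, filter_expr):
        # Only `attr eq "literal"`; the literal is a JSON string, so an embedded quote arrives escaped.
        m = re.fullmatch(r'(\w+) eq ("(?:[^"\\]|\\.)*")', filter_expr)
        if not m:
            return scim_error(400, "invalidFilter", "unsupported filter")
        attr, value = m.group(1), json.loads(m.group(2))
        hits = [dict(u) for u in self.users.values() if u.get(attr) == value]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def _patch(self, user_id, body):
        if user_id not in self.users:
            return scim_error(404, "noTarget", "no such user")
        for op in body.get("Operations", []):  # replace-only, which is all deprovisioning needs
            self.users[user_id][op["path"]] = op["value"]
        return 200, dict(self.users[user_id])


class ScimConnector:  # IDM-side logic: lookup, idempotent create, disable
    def __init__(self, transport):
        self.transport = transport  # callable(method, path, params, body) -> (status, json)

    def find_by_user_name(self, user_name):
        # json.dumps quotes the literal as the SCIM grammar requires and blocks filter injection (e.g. a"b).
        status, resp = self.transport(
            "GET", "/Users", {"filter": f"userName eq {json.dumps(user_name)}"}, None)
        if status != 200:
            raise RuntimeError(f"search failed: {status} {resp.get('detail')}")
        return resp["Resources"][0] if resp["totalResults"] else None

    def provision(self, user_name, given_name, family_name, email):
        """Create the account; a 409 uniqueness reply means it already exists, so return that record."""
        payload = {"schemas": [USER_SCHEMA], "userName": user_name, "active": True,
                   "name": {"givenName": given_name, "familyName": family_name},
                   "emails": [{"value": email, "primary": True}]}
        status, resp = self.transport("POST", "/Users", None, payload)
        if status == 201:
            return resp
        if status == 409 and resp.get("scimType") == "uniqueness":
            return self.find_by_user_name(user_name)
        raise RuntimeError(f"create failed: {status} {resp.get('detail')}")

    def deprovision(self, user_name):
        user = self.find_by_user_name(user_name)
        if user is None:
            return None
        patch = {"schemas": [PATCH_SCHEMA],  # disable rather than delete: keeps the account auditable
                 "Operations": [{"op": "replace", "path": "active", "value": False}]}
        status, resp = self.transport("PATCH", f"/Users/{user['id']}", None, patch)
        if status != 200:
            raise RuntimeError(f"patch failed: {status} {resp.get('detail')}")
        return resp

def demo():
    """Provision jdoe twice (the second call takes the 409 path), then disable the account."""
    connector = ScimConnector(InMemoryScimServer().request)
    created = connector.provision("jdoe", "Jane", "Doe", "jdoe@example.com")
    again = connector.provision("jdoe", "Jane", "Doe", "jdoe@example.com")
    return created, again, connector.deprovision("jdoe")
```

Against a real service provider, replace `InMemoryScimServer().request` with a function that sends the same method, path, query parameters and JSON body over HTTPS with the application's bearer token; the connector logic above does not change.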
REST API Endpoints
IDHub also provides integration points through REST APIs specific to the application being connected, for integrating external applications within the organization.
These are custom endpoints that are client- and application-specific.