Architectural overview
This document describes the architectural overview of Trivore Identity Service (TIS). The document is intended for readers with some technical understanding. Understanding the things described here is not needed to use the service.
Main elements
Trivore Identity Service (TIS) consists of several main elements, the most important of which are shown in the diagram below. Each element is covered briefly, and links for further reading are provided in each section.
Trivore Identity Service Core
TIS Core covers the Identity Management Service, TrivoreID Framework, application logic, database, web server, LDAP Server, and Management Web UI to name a few. It is an installable software product which can be purchased from Trivore Corporation.
TIS Core also provides full-disk and database encryption, globally scalable high-availability (HA) clustering, load balancing, integrated Let's Encrypt certificates, management utilities, and installation and updates using normal Linux package management commands such as yum update.
TIS provides multi-tenancy, per-tenant branding, comprehensive object management, Two-Factor Authentication (2FA), application-level diagnostics, a Health Insurance Portability and Accountability Act (HIPAA) compatible secure audit trail, flexible field-level database encryption, a Representational State Transfer (REST) server, a modern user interface, and a context architecture for adding new functionality to the Framework to form a custom application. These are features that normally have to be implemented separately from scratch when building a new application; all of them are available to applications integrated with TIS.
Trivore ID Framework
TIS can be used as a comprehensive web application framework ready to be used as the basis for many kinds of web applications. It has already been used for healthcare, building automation and public sector applications.
Customers may license TIS to build their own custom web applications. As such, not all features and components need to be utilised. It is also possible to license the framework to utilise features from it in the customer’s custom web application.
The framework can be easily integrated into existing and new environments by using the Client SDK.
Multitenancy
TIS is multitenant: many organisations or groups of users can use it simultaneously, safely, and independently. This is achieved by creating a number of independent environments, called namespaces, inside a TIS platform. A namespace is an isolated logical space that is inaccessible to users in other namespaces, apart from some controllable exceptions.
In TIS, multi-tenancy also means multi-functionality: each namespace, and each signed-in user account, may see a somewhat different view depending on the functionality purchased by the organisation and on the roles, rights, and permissions of the signed-in account. This may initially feel complex and even confusing. It is, however, normal behaviour, and TIS smooths it out by dynamically changing what a user is shown in the user interface based on the user's roles.
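The isolation rule above (deny across namespaces by default, cross-namespace access only through explicit, controllable exceptions) is the check every tenant-scoped read must perform. The following is an added example, not Trivore's code: the object model (User, Resource, Directory) and the grant rule (source namespace, target namespace, role) are assumptions chosen to show deny-by-default isolation, and it applies the same rule to listings as to single-object reads, which is where tenant leaks usually appear.

```python
"""Tenant-isolation check for a namespace-based multitenant service.

Added illustration, not Trivore's code: the object model (User, Resource,
Directory) and the cross-namespace grant rule are assumptions chosen to
show deny-by-default isolation with explicitly granted exceptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    namespace: str                      # namespace the account belongs to
    roles: frozenset = frozenset()      # roles assigned within that namespace


@dataclass(frozen=True)
class Resource:
    resource_id: str
    namespace: str                      # owning namespace


@dataclass
class Directory:
    """Assumed store: resources keyed by id, plus explicit cross-namespace grants.

    A grant (source_ns, target_ns, role) means accounts in source_ns that hold
    `role` may read objects owned by target_ns. Grants are the only way across
    a namespace boundary; without one, access is denied regardless of roles.
    """
    resources: dict = field(default_factory=dict)
    grants: set = field(default_factory=set)

    def add(self, resource: Resource) -> None:
        self.resources[resource.resource_id] = resource

    def allow_cross_namespace(self, source_ns: str, target_ns: str, role: str) -> None:
        self.grants.add((source_ns, target_ns, role))

    def can_read(self, user: User, resource: Resource) -> bool:
        if resource.namespace == user.namespace:
            return True                 # same tenant: ordinary access
        return any((user.namespace, resource.namespace, role) in self.grants
                   for role in user.roles)

    def read(self, user: User, resource_id: str) -> Resource:
        """Fetch by id. An id owned by another tenant is reported the same way
        as an id that does not exist, so the API does not reveal which ids
        exist in other namespaces."""
        resource = self.resources.get(resource_id)
        if resource is None or not self.can_read(user, resource):
            raise PermissionError(f"{resource_id}: not found")
        return resource

    def list_readable(self, user: User) -> list:
        """Listing applies the same rule as single-object reads; filtering
        only in read() while the list endpoint returns everything is a
        common bug."""
        return sorted(r.resource_id for r in self.resources.values()
                      if self.can_read(user, r))


if __name__ == "__main__":
    d = Directory()
    d.add(Resource("patient-1", "clinic-a"))       # constructed sample data
    d.add(Resource("patient-2", "clinic-b"))
    alice = User("alice", "clinic-a")
    auditor = User("bob", "clinic-b", frozenset({"auditor"}))
    print(d.list_readable(alice))                  # ['patient-1']
    d.allow_cross_namespace("clinic-b", "clinic-a", "auditor")
    print(d.list_readable(auditor))                # ['patient-1', 'patient-2']
```

The grant is keyed on the reader's namespace, the owning namespace and a role, so an administrator can open a specific window between two tenants (an auditor in one clinic reading another clinic's records) without giving any account a global bypass; removing the grant closes the window for both reads and listings at once.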
Trivore ID OpenID Connect Provider
The most recognisable element is the OpenID Connect Provider (OP), which has been enhanced with some new features. The OP implementation has been certified. The certification process is also described in detail in Scientific works on onePortal™. The OP has a separate authentication UI, which can be customised separately for each customer to meet their and their end-users' needs.
Management UI
The Management UI in TIS, called "onePortal", is where the core of TIS is managed. It is a modern web portal with a large number of features. The data structures and concepts used are flexible by design, and managing a large user base is efficient.
Originally onePortal consisted mainly of the Management UI, but it has been growing ever since. Today the base platform is much more than that, and it is more often used from a mobile or other external application than through the Management UI.
The term "onePortal" comes from the idea that a modern web application should have only one web portal from which everything is managed. In practice that idea boils down to the Management UI, which is the "original" onePortal: core functionality is configured and managed there.
Self-service UI
The self-service UI is a microservice that provides a web-based UI where end-users can manage their own account information. The source code of the self-service UI can be provided to customers on request if they want to customise it.
Management API
The Management API enables external applications to integrate with TIS. It is implemented as a REST API, which can be accessed by both Management API Clients and OAuth 2.0 Clients. Management via the API is covered in detail in the API Guide.
Client SDK for Management API
To make it as easy as possible for applications to integrate with TIS, there is an SDK which implements the interface between the TIS Management API and external applications. The SDK currently supports Java and Python; support for more languages will be added as needed.
The SDK is fully documented in its own section, and its full source code is available on Trivore's GitLab page. The Java version of the SDK can also be found on Maven Central, and the Python version on PyPI.
External user directories
TIS has built-in support for the SAML2 and LDAP protocols. Together with OpenID Connect, this enables external applications to use the user identities directly and to take part in identity federation.
The LDAP integration is documented in more detail in LDAP Server.
The main idea behind identity federation is to reduce an organisation's user account management costs. In federated identity management users have a single user account, which they can use across many services.
Identity federation also improves security in several ways. Since users have only a single account, they have fewer passwords to remember, which leads to less password reuse and possibly to stronger passwords. And because system administrators only have to manage user accounts on a single platform, they are much less likely to make mistakes, and user accounts are easy to audit. The flip side is that this single account is the one whose compromise opens every federated service, so it should be protected accordingly, for example with the Two-Factor Authentication that TIS provides.
Logical structure
The diagram below shows the logical structure of some of the main features in TIS. Some of them were already covered in the previous section. This section covers the features not covered by previous sections.
Business extensions
As each organisation has its own special needs, TIS is designed to be extensible. This has led to a number of business extensions. Some of them are general purpose and made available to most organisations; others are very customer specific and kept private for that customer. TIS already has private extensions for public transport, health care, the banking industry and employee benefits, to name a few.
Some of the more generic extensions include product and catalogue management. TIS also has a dynamic pricing engine designed to enable dynamic product and service pricing for each customer group.