Skip to content

Instantly share code, notes, and snippets.

@Lixivial
Last active December 14, 2015 23:19
Show Gist options
  • Save Lixivial/5165280 to your computer and use it in GitHub Desktop.
Save Lixivial/5165280 to your computer and use it in GitHub Desktop.
Auth environment
SA Auth Environment
The purpose of this environment is to take internal directory services and expose them to constituent
environments in a secure and scalable way.
On the internal side (designated SA LAN), we have our domain controller forest. This is represented by
two domain controllers at the moment whose sync process is not outlined in this diagram.
For the external auth environment, we have n-number of backend authentication storage providers. Backend
providers could include:
* Directory servers, such as Active Directory or OpenLDAP
* Database providers such as MySQL, SQL Server or Postgres
* File or OS-provided authentication providers such as PAM, or Windows Identity Manager.
We also have n-number of front-end identity management providers. These providers are responsible for
handling user provisioning and API abstraction of the backend auth stores. This allows us the flexibility
to providing a mixed authentication environment, while providing a consistent means of access from
constituent web apps. It also allows us to implement:
* SSO
* Exposing our domain credentials as OpenID endpoints.
* Abstraction of credential data to avoid audits given a code change.
* A single point of enforcing data and security integrity standards.
* A consistent environment with which to provide auth credentials to any future externally hosted product.
Outlined here are LDAP servers for the sake of brevity. But imagine that these could include any mixture
this is because of the said identity managers. For the first phase of this, the identity managers will
not be playing a part, and instead the constituent web apps will be provided raw LDAPS access.
_____________________ _____________________
/ \ / \
| SA LAN - StP | | SA LAN - Blm |
| samn.local | | samn.local |
| _____________ | | _____________ |
| / \ | | / \ |
| | stpeterdc1 | | | | dolphin | | _____________
| | AD ------------ LDAPS over IPSEC ------------ AD | | / \
| | Win 2k3 | | | | | Win 2k3 | | | |
| | | | | | | | | +---> eapp admin |
| \_____________/ | | | \_____________/ | | | |
\_____________________/ | \_____________________/ | \_____________/
| | _____________
________________________|_____________________________________________ | / \
/ | \ | | Operational |
| | External Auth | +---> iSMS |
| +---------------+~~~~~ ... ~~~~~+ .auth. | | | |
| | | | | | \_____________/
| | | | _______________ | | ____________
| ______v______ ______v______ ______v______ / \ | | / \
| / \ / \ / \ | idm-1 | | | | Future |
| | auth-1 | | auth-2 | | auth-n | +-> primary. <------+---> Auth |
| | primary. | | secondary. | | precedent. | | | | | | | Client |
| | | | | | | | | Crowd | | | \____________/
| | OpenLDAP | | OpenLDAP | | LDAP stack | | | OpenIDM | | |
| | Linux | | Linux | | OS | | | CloudSeal | | LDAPS
| \_____________/ \_____________/ \_____________/ | \_______________/ | HTTPS
| ^ ^ ^ | | (REST)
| | | | | _______________ | over
| | | | | / \ | IPSEC
| | | | | | idm-n | | |
| +---- LDAPS ----+---------------+---------+-> precedent. <------+
| | | |
| \_______________/ |
| |
\______________________________________________________________________/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment