Overview

Where user information, including roles and responsibilities, is intended to be held in third-party systems, there are two approaches to syncing that data.

JWT

A JWT securely transmits information between parties as encoded claims in a compact, URL-safe JSON object that is then signed to ensure data integrity. Panintelligence has the option to include complex claims data containing a full set of permissions, roles and responsibilities for a given user, which can be used to sync that user in real time from the third-party authentication system. Updates to roles and responsibilities should be held on the third-party system; any changes are reflected immediately when the user logs into Panintelligence.

Please view our documentation at Auto User Sync.

(Diagram: jwt-process-flow.drawio)
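To make the "signed to ensure data integrity" point concrete, here is an added example (not Panintelligence's code, and the claim names `sub`, `roles` and `permissions` are assumptions, not its real schema) that mints an HS256-signed JWT carrying user-sync claims and verifies it on the receiving side: it pins the algorithm, compares the signature in constant time, enforces expiry, and rejects a token whose roles were altered after signing.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample claims; the claim names are assumptions, not Panintelligence's schema.
SAMPLE_CLAIMS = {"sub": "jdoe", "roles": ["analyst"], "permissions": ["view_dashboards"]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_sync_token(secret: bytes, claims: dict, ttl: int = 300) -> str:
    """Sign the user-sync claims as an HS256 JWT with a short lifetime (issuer side)."""
    now = int(time.time())
    parts = [{"alg": "HS256", "typ": "JWT"}, dict(claims, iat=now, exp=now + ttl)]
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode()) for part in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_sync_token(secret: bytes, token: str, now=None):
    """Return the claims only if algorithm, signature and expiry all check out; otherwise None."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
        alg_ok = header["alg"] == "HS256"  # pin the algorithm; never let the token choose it
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not alg_ok or not hmac.compare_digest(expected, sig):  # constant-time signature check
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def run_checks(secret: bytes) -> dict:
    token = mint_sync_token(secret, SAMPLE_CLAIMS)
    h, p, s = token.split(".")
    altered = dict(json.loads(_b64url_decode(p)), roles=["admin"])  # payload changed after signing
    altered_token = f"{h}.{_b64url(json.dumps(altered).encode())}.{s}"
    return {
        "valid": verify_sync_token(secret, token),
        "wrong_key": verify_sync_token(b"some-other-key", token),
        "altered": verify_sync_token(secret, altered_token),
        "expired": verify_sync_token(secret, token, now=int(time.time()) + 600),
    }
```

Only the "valid" case yields claims; a wrong key, an altered payload or an expired token all verify to None, which is what lets the receiving system trust the roles it syncs.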

Using the API

Panintelligence ships with an API that can be used to maintain all aspects of the product. Comprehensive documentation about the Panintelligence API can be found here.

Similar to the JWT approach, a third-party system containing user metadata such as roles, responsibilities and permissions would sync at a frequency that's appropriate for your organisation.

In the diagram below, a user sync process creates and updates users using the sync endpoint. This is a timed or triggered process. To initiate the update, a POST request is made. Where a user already exists with this usercode, the user is updated with the new data; if the user does not exist, it is created.

Below is an architecture diagram of a third-party push. Panintelligence receives user data from the third-party system at regular intervals.

(Diagram: Untitled Diagram-1723127272428.drawio)

Possible architectural patterns

Since the third-party system either pushes the data to Panintelligence via the Panintelligence API, or the data arrives as part of the claims within the JWT, there are a few architectural considerations to make.

Authentication push

Your authentication server will need a route defined to the Panintelligence API. It is advisable to do this via your load balancer.

OAuth JWT

If your authentication system is defined as OAuth, you will need to define a route from your Panintelligence application server to your authentication server. For egress access, it is advisable to create an egress-only gateway to limit access from the internet to your application layer.

(Diagram: arch-sec.drawio)