Architectural drawing for Pi and security

Overview

Where user information, including roles and responsibilities, is intended to be held in third-party systems, there are two approaches to syncing that data.

JWT

A JWT securely transmits information between parties as a set of claims encoded into a compact, URL-safe JSON object, which is then signed so that the integrity of the data can be verified. Panintelligence has the option to include complex claims data containing a full set of permissions, roles and responsibilities for a given user, which can be used to sync that user in real time from the third-party authentication system. Updates to the roles and responsibilities should be held on the third-party system; any changes are reflected immediately when the user next logs into Panintelligence.

Please view our documentation at https://panintelligence.atlassian.net/wiki/spaces/PD/pages/1664516098
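To show the integrity check the JWT approach relies on, the following is an added example (not Panintelligence code, and not from the documentation linked above) of a consumer that verifies an HS256-signed token before using its claims to create or update a local user. The shared secret, the claim names (`usercode`, `roles`, `responsibilities`, `exp`) and the sample values are all constructed assumptions; a real integration uses whatever key and claim layout is agreed with the identity provider.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret for this example; a deployment uses the key
# agreed with the third-party identity provider (HS256 assumed here).
SECRET = b"example-shared-secret-not-for-production"

# Constructed sample claims in the shape this page describes; claim names are assumed.
SAMPLE_CLAIMS = {"usercode": "alice", "roles": ["viewer"],
                 "responsibilities": ["finance"], "exp": 2000000000}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256-signed JWT carrying the user's roles and responsibilities."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, now=None):
    """Return the claims only when the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        sig = _unb64url(sig_b64)
    except ValueError:  # malformed token; JSON and base64 errors are ValueErrors
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # the token must not get to choose "none" or another algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature mismatch: claims were altered or signed with another key
    claims = json.loads(_unb64url(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or ("exp" in claims and now >= claims["exp"]):
        return None
    return claims

def sync_user(claims: dict, users: dict) -> dict:
    """Create or overwrite the local user record from verified claims, keyed by usercode."""
    users[claims["usercode"]] = {"roles": list(claims.get("roles", [])),
                                 "responsibilities": list(claims.get("responsibilities", []))}
    return users[claims["usercode"]]
```

Only claims returned by `verify_jwt` should ever reach `sync_user`; a token whose payload was altered, signed with a different key, or past its `exp` is rejected before any role is applied.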

Using the API

Panintelligence ships with an API that can be used to maintain all aspects of the product. Comprehensive documentation about the Panintelligence API can be found here.

Similar to the JWT approach, a third-party system containing user metadata such as roles, responsibilities and permissions would sync at a frequency that is appropriate for your organisation.

In the diagram below, a user sync process creates and updates users using the sync endpoint. This is a timed or triggered process. To initiate the update, a POST request is made: where a user with this usercode already exists, the user is updated with the new data; if the user does not exist, it is created.

Below is an architecture diagram of a third-party push. Panintelligence receives user data from the third-party system at regular intervals.

Possible architectural patterns

Since the third-party system either pushes the data to Panintelligence via the Panintelligence API, or the data arrives as a composite of the claims within the JWT, there are a few architectural considerations to make.

Authentication push

Your authentication server will need a route defined to the Panintelligence API. It is advisable to do this via your load balancer.

OAuth JWT

If you are accessing an authentication system defined as OAuth, you will need to define a route from your Panintelligence application server to your authentication server. For egress access, it is advisable to create an egress-only gateway, limiting access from the internet to your application layer.