| // |
| // Licensed to the Apache Software Foundation (ASF) under one |
| // or more contributor license agreements. See the NOTICE file |
| // distributed with this work for additional information |
| // regarding copyright ownership. The ASF licenses this file |
| // to you under the Apache License, Version 2.0 (the |
| // "License"); you may not use this file except in compliance |
| // with the License. You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, |
| // software distributed under the License is distributed on an |
| // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| // KIND, either express or implied. See the License for the |
| // specific language governing permissions and limitations |
| // under the License. |
| // |
| |
| == Architecture |
| |
| Apache Syncope is made of several components, which are logically summarized in the picture below. |
| |
| [.text-center] |
| image::architecture.png[title="Architecture",alt="Architecture"] |
| |
| === Keymaster |
| |
| The *_Keymaster_* allows for dynamic service discovery so that other components are able to find each other. + |
| On startup, all other component instances will register themselves into Keymaster so that their references |
| can be found later, for intra-component communication. |
| |
| In addition, the Keymaster is also used as key / value store for <<configuration-parameters, configuration parameters>> |
| and as a directory for defined <<domains,domains>>. |
| |
| Two different implementations are provided, following the actual needs: |
| |
| . as an additional set of RESTful services exposed by the Core, for traditional deployments |
| (also known as _Self Keymaster_); |
| . as a separate container / pod based on https://zookeeper.apache.org/[Apache Zookeeper^], for microservice-oriented |
| deployments. |
| |
| include::core.adoc[] |
| |
| === Web Access |
| |
| The *_Web Access_* component is based on https://apereo.github.io/cas/[Apereo CAS^]. |
| |
| In addition to all the configuration options and features from Apereo CAS, the Web Access is integrated with Keymaster, |
| Core and Admin UI to offer centralized configuration and management. |
| |
| === Secure Remote Access |
| |
| The *_Secure Remote Access_* component is built on https://spring.io/projects/spring-cloud-gateway[Spring Cloud Gateway^]. |
| |
| In addition to all the configuration options and features from Spring Cloud Gateway, the Secure Remote Access is |
| integrated with Keymaster, Core and Admin UI to offer centralized configuration and management. |
| |
| The Secure Remote Access allows to protect legacy applications by integrating with the Web Access or other third-party |
| Access Managers implementing standard protocols as OpenID Connect or SAML. |
| |
| [[admin-console-component]] |
| === Admin UI |
| |
| The *_Admin UI_* is the web-based console for configuring and administering running deployments, with full support |
| for delegated administration. |
| |
| The communication between Admin UI and Core is exclusively REST-based. |
| |
| More details are available in the dedicated <<admin-console,usage>> section. |
| |
| [[enduser-component]] |
| === End-user UI |
| |
| The *_End-user UI_* is the web-based application for self-registration, self-service and <<password-reset,password reset>>. |
| |
| The communication between End-user UI and Core is exclusively REST-based. |
| |
| More details are available in the dedicated <<enduser-application,usage>> section. |
| |
| === Third Party Applications |
| |
| Third-party applications are provided full access to IdM services by leveraging the REST interface, either via the |
| Java <<client-library,Client Library>> (the basis of Admin UI and End-user UI) or plain HTTP calls. |