System Reference Architectures

In a large organization, using a single enterprise-wide identity infrastructure is often impossible for geographic, political, or technical reasons. For example, Utah runs hundreds of web servers. My goal as CIO was not to have everyone use a single enterprise infrastructure for web servers or even to use a single authentication and authorization component. Rather, we had to find ways for individual projects to build portions of the identity infrastructure and yet have them work in an interoperable fashion.

We've seen the role that policies and interoperability frameworks (IF) play in making this possible. The consolidated infrastructure blueprint (CIB) that we saw in the last section also plays an important role. In addition to those aids, we can give system architects a head start by creating system reference architectures (SRAs) that show how an individual system can be put together from components in the IF so as to work with the CIB. The system architect can customize the SRA to the specific job at hand rather than starting from scratch.

As an example, suppose your enterprise infrastructure used a metadirectory to consolidate directory information and that you had also deployed a policy server and a provisioning server from a particular vendor in accordance with your interoperability framework. A new project to build a partner portal has been launched. The project is of sufficient scope that it will need its own web servers, and its identity data will be stored in a local directory for business reasons unimportant to our discussion.

Figure 19-2 shows an architecture diagram for an SRA for web server authentication and authorization that the project might use as it makes decisions about the platform. This diagram is much simplified, but it gives the idea. The IF tells the project which identity server and directory software to buy. Further, it gives information about how the identity server and directory need to interface with enterprise resources such as the metadirectory, the policy server, and the provisioning server. Documentation accompanying the SRA would give detailed information as well as point to other reference material. In an ideal situation, the project would know that these components had been tested together and that the recommendations were based on the experience of the organization and of others in similar situations.
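One way to make an SRA of this kind more than a diagram is to express the IF's approved components, the combinations that have been tested together, and the interfaces the CIB requires, and then check a project's customized design against them. The following is an added example, not code from the book or from any real product: the product names, roles and interface names (AcmeAccess, AcmeDir, EnterpriseMetaDir, metadirectory_sync, policy_server_pep, provisioning_feed) are assumptions chosen for illustration.

```python
"""Hypothetical, machine-checkable system reference architecture (SRA).

Constructed example: product, role and interface names below are assumptions
for illustration; they are not the book's and not any real vendor's.
"""
from dataclasses import dataclass, field

# Interoperability framework (IF): the approved product for each role, and
# the combinations the organization has actually tested together.
IF_APPROVED = {
    "identity_server": {"AcmeAccess 4"},
    "directory": {"AcmeDir 7", "EnterpriseMetaDir"},
    "web_server": {"httpd 2.4", "IIS"},
}
IF_TESTED_PAIRS = {
    ("AcmeAccess 4", "AcmeDir 7"),
    ("AcmeAccess 4", "EnterpriseMetaDir"),
}

# Consolidated infrastructure blueprint (CIB): the interfaces each project
# component must present so that enterprise resources still apply to it.
CIB_REQUIRED_INTERFACES = {
    # a project-local directory must feed the enterprise metadirectory
    "directory": {"metadirectory_sync"},
    # the identity server enforces the enterprise policy server's decisions
    # and accepts accounts from the enterprise provisioning server
    "identity_server": {"policy_server_pep", "provisioning_feed"},
}


@dataclass
class Component:
    role: str
    product: str
    interfaces: set = field(default_factory=set)


@dataclass
class Design:
    name: str
    components: list


def check_design(design: Design) -> list:
    """Return a list of findings; an empty list means the design conforms."""
    findings = []
    by_role = {}
    for c in design.components:
        by_role.setdefault(c.role, []).append(c)
        approved = IF_APPROVED.get(c.role)
        if approved is None:
            findings.append(f"{c.role}: role not covered by the IF")
        elif c.product not in approved:
            findings.append(f"{c.role}: {c.product!r} is not an IF-approved product")
        for iface in CIB_REQUIRED_INTERFACES.get(c.role, ()):
            if iface not in c.interfaces:
                findings.append(f"{c.role}: missing required CIB interface {iface!r}")
    # The identity server and directory must be a combination known to work.
    for ids in by_role.get("identity_server", []):
        for d in by_role.get("directory", []):
            if (ids.product, d.product) not in IF_TESTED_PAIRS:
                findings.append(f"untested combination: {ids.product} with {d.product}")
    return findings


# The SRA template for web server authentication and authorization: the
# starting point a project copies and then customizes.
SRA_WEB_AUTHN_AUTHZ = Design("SRA: web server authn/authz", [
    Component("web_server", "httpd 2.4"),
    Component("identity_server", "AcmeAccess 4",
              {"policy_server_pep", "provisioning_feed"}),
    Component("directory", "EnterpriseMetaDir", {"metadirectory_sync"}),
])


def partner_portal_design(local_directory_interfaces: set) -> Design:
    """Customize the SRA: the partner portal keeps identity data locally."""
    comps = [c for c in SRA_WEB_AUTHN_AUTHZ.components if c.role != "directory"]
    comps.append(Component("directory", "AcmeDir 7", set(local_directory_interfaces)))
    return Design("Partner portal", comps)


if __name__ == "__main__":
    print(check_design(SRA_WEB_AUTHN_AUTHZ))
    print(check_design(partner_portal_design(set())))
    print(check_design(partner_portal_design({"metadirectory_sync"})))
```

Run as written, the template itself conforms, the partner portal with an isolated local directory is flagged for the missing metadirectory interface, and the portal conforms once that interface is declared. The point is that the project stays free to customize (a local directory instead of the metadirectory) while the checks preserve what the CIB needs in order to keep the system interoperable.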


Figure 19-2. System reference architecture for web server authentication and authorization