Architecture overview

Unit4 Identity Services (U4IDS) is an OpenID Connect provider built on top of Thinktecture IdentityServer. U4IDS acts as a gateway (a federation broker) between the client application and the Identity Provider (IdP) of the registered company, referred to as the tenant.

U4IDS components

An overview of the components in U4IDS is shown below.

Authentication flow

The sequence diagram below illustrates one of the authentication flows, in which the client application authenticates the user against the tenant's identity provider through U4IDS.

  1. Request access to the application - The user is not authenticated and requests access to the client application.
  2. Client requests authentication - The client redirects the user to the Identity Services to authenticate. The request carries the clientId and the tenantId.
  3. Client validation - The Identity Services validates the client based on the clientId it received (an unknown or mismatched client is rejected before any tenant lookup).
  4. Tenant lookup - The Identity Services finds the tenant's configuration based on the tenantId sent by the client.
  5. External authentication request - Using the requested tenant's configuration, the Identity Services resolves the external IdP and its authority, and redirects the user there.
  6. User login - The user is presented with the external IdP's login screen.
  7. Callback - After a successful login the user is returned to the Identity Services with a token (an access token and/or an ID token, depending on the flow), which the Identity Services validates.
  8. Claims mapping - The Identity Services maps the incoming IdP claims to OpenID Connect claims and adds a unit4_id claim.
  9. Redirect to client - U4IDS redirects the user back to the client with the result of the authentication.
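The following is an added, constructed simulation of steps 2 to 9 above; it is not U4IDS or IdentityServer code. It shows the two checks a broker in this position must get right: the client is validated and its redirect_uri matched exactly against the registration before the tenant is looked up (steps 3 and 4), and the outbound leg to the external IdP is bound to the original client request through an opaque, single-use state so a callback cannot be replayed or attached to another user's session (steps 5 and 7). The client and tenant registrations, the `tenantId` query parameter name, the claim-mapping table and the `tenant:subject` shape of the unit4_id claim are all assumptions made for the example; token signature validation on the callback is left out.

```python
"""Constructed simulation of the brokered U4IDS authentication flow (steps 2-9).

Registrations, parameter names, the claim map and the unit4_id format are
assumptions for illustration, not real U4IDS behaviour.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

IDS_BASE = "https://ids.example.com"          # assumed U4IDS base URL
IDS_CALLBACK = f"{IDS_BASE}/signin-external"   # assumed URL the external IdP returns to

# Constructed registrations: clients are validated by clientId (step 3),
# tenants carry the external IdP authority (step 4).
CLIENTS = {
    "erp-web": {"redirect_uris": {"https://erp.example.com/signin-oidc"}},
}
TENANTS = {
    "acme": {"authority": "https://login.acme-idp.example", "client_id": "u4ids-at-acme"},
}
# Constructed mapping from one IdP's claim names to OIDC standard claims (step 8).
CLAIM_MAP = {"sub": "sub", "upn": "email", "givenname": "given_name", "surname": "family_name"}


class AuthError(Exception):
    """Raised when the broker must refuse a request or a callback."""


def query_param(url, name):
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


def client_authorize_url(client_id, tenant_id, redirect_uri, state, nonce):
    """Step 2: the client sends the user to U4IDS carrying clientId and tenantId."""
    params = {
        "client_id": client_id, "response_type": "id_token", "scope": "openid profile",
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
        "tenantId": tenant_id,  # parameter name is an assumption
    }
    return f"{IDS_BASE}/connect/authorize?{urlencode(params)}"


def ids_handle_authorize(url, sessions):
    """Steps 3-5: validate the client, look up the tenant, redirect to the external IdP."""
    client = CLIENTS.get(query_param(url, "client_id"))
    if client is None:
        raise AuthError("unknown client")
    redirect_uri = query_param(url, "redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        # Exact match against the registration stops tokens going to an attacker-chosen URL.
        raise AuthError("redirect_uri not registered for client")
    tenant_id = query_param(url, "tenantId")
    tenant = TENANTS.get(tenant_id)
    if tenant is None:
        raise AuthError("unknown tenant")
    # Bind the outbound leg to this client request with an opaque, single-use state.
    ext_state = secrets.token_urlsafe(24)
    ext_nonce = secrets.token_urlsafe(16)
    sessions[ext_state] = {
        "redirect_uri": redirect_uri, "state": query_param(url, "state"),
        "nonce": query_param(url, "nonce"), "tenant_id": tenant_id, "ext_nonce": ext_nonce,
    }
    ext = {
        "client_id": tenant["client_id"], "response_type": "id_token", "scope": "openid",
        "redirect_uri": IDS_CALLBACK, "state": ext_state, "nonce": ext_nonce,
    }
    return f"{tenant['authority']}/connect/authorize?{urlencode(ext)}"


def map_claims(tenant_id, external_claims):
    """Step 8: rename IdP claims to OIDC claims and add a tenant-scoped unit4_id."""
    mapped = {CLAIM_MAP[k]: v for k, v in external_claims.items() if k in CLAIM_MAP}
    if "sub" not in mapped:
        raise AuthError("external IdP supplied no subject claim")
    mapped["unit4_id"] = f"{tenant_id}:{mapped['sub']}"  # composition is an assumption
    return mapped


def ids_handle_callback(ext_state, external_claims, sessions):
    """Steps 7-9: consume the state once, map the claims, redirect back to the client."""
    session = sessions.pop(ext_state, None)  # pop() makes a replayed callback fail
    if session is None:
        raise AuthError("unknown or already used state")
    claims = map_claims(session["tenant_id"], external_claims)
    return session["redirect_uri"], session["state"], claims


def rejects(fn, *args):
    """True if fn(*args) raises AuthError; used to exercise the negative paths."""
    try:
        fn(*args)
    except AuthError:
        return True
    return False
```

Claims the IdP sends that are not in the mapping table are dropped rather than forwarded, so a tenant's IdP cannot smuggle arbitrary claims into the token the client receives; the original `state` is handed back to the client unchanged so that it can perform its own CSRF check on the final redirect.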