Architecture overview

The Unit4 Identity Services (U4IDS) is an OpenId Connect provider built on top of Thinktecture IdentityServer. U4IDS acts as a gateway between the client application and the registered company's (tenants) Identity Provider (IdP).

U4IDS components

An overview of the components in U4IDS is shown below.

Portal

The Identity Services Portal is a website that supports and simplifies the configuration and maintenance of the Identity Services, as well as the creation and operation of clients, the tenant and users, granting or denying access.

Users included in Azure Active Directory, authenticate in U4IDS Portal using their user credentials, and are authorized using the information configured in Unit4 Access Management System. This information includes a role per user, different from the one configured in U4IDS Access Management System, that determines what operations they are allowed to perform. These roles are:

Role Permissions
None User cannot access U4IDS Portal.
Reader User can perform read operations on U4IDS resources, but cannot modify anything.
Contributor User can manage U4IDS resources but cannot manage users nor modify settings.
Owner Full access to all operations.

Users without access to U4IDS Portal can request it when logging in.

Authentication flow

The sequence diagram below illustrates one of the authentication flows where the client application authenticates against the tenants identity provider using U4IDS.

  1. Request access to the application - The user is not authenticated and requests access to the client application.
  2. Client request authentication - The client calls the Identity Services to authenticate the user. The client sends the clientId and tenantID.
  3. Client validation - The Identity Services validates the client based on the sent clientId.
  4. Tenant lookup - The Identity Services finds the tenant configurations based on the tenantId sent by the client.
  5. External authentication request - The Identity Services redirect to the external Identity Provider. Based on the requested tenants configuration the Identity Services finds the external IdP, authority, and redirects.
  6. User login - The user is provided with the external IdPs login screen.
  7. Callback - When the user is successfully logged in it returns back to the Identity Services with a token (can be access token and id token, depending on the flow).
  8. Claims mapping - Maps incoming claims to OpenID Connect claims and in addition a unit4_id claim.
  9. Redirect to client - U4IDS redirects back to the client.