The Unit4 Identity Services (U4IDS) is an OpenID Connect provider built on top of Thinktecture IdentityServer. U4IDS acts as a gateway between the client application and the registered company's (tenant's) Identity Provider (IdP).
An overview of the components in U4IDS is shown below.
- Unit4 Federation gateway - U4IDS does not authenticate the client itself but relies on the tenant's external IdP, acting as a federation gateway between the client and the customer's identity provider.
- Configuration data
- Operational data - Store for operational data. This includes authorization codes, refresh tokens, reference tokens and external refresh tokens.
- Administrator toolkit - The administrator toolkit contains tools for an administrator to register tenants and clients.
- Admin API - Web APIs to register clients, tenants and scopes.
- PowerShell cmdlets - Cmdlets that help administrators automate the registration of clients and tenants.
The sequence diagram below illustrates one of the authentication flows, in which the client application authenticates against the tenant's identity provider using U4IDS.
- Request access to the application - The user is not authenticated and requests access to the client application.
- Client requests authentication - The client calls the Identity Services to authenticate the user. The client sends the clientId and tenantId.
- Client validation - The Identity Services validates the client based on the clientId it sent.
- Tenant lookup - The Identity Services finds the tenant configuration based on the tenantId sent by the client.
- External authentication request - The Identity Services redirects to the external Identity Provider. Based on the requested tenant's configuration, the Identity Services finds the external IdP authority and redirects to it.
- User login - The user is presented with the external IdP's login screen.
- Callback - When the user has successfully logged in, the user is returned to the Identity Services with a token (an access token and/or ID token, depending on the flow).
- Claims mapping - U4IDS maps the incoming claims to OpenID Connect claims and adds a unit4_id claim.
- Redirect to client - U4IDS redirects back to the client.
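The tenant lookup, callback and claims-mapping steps above, modelled as an added example (not Unit4's code). The tenant registry, the external claim names, the unit4_id format and the audience value are all constructed assumptions; the example assumes the returned token's signature has already been verified against the IdP's keys and shows only the claim checks that bind the callback to the tenant the user was redirected for.

```python
"""Hypothetical model of the U4IDS tenant lookup, callback check and claims mapping.

Added example; not Unit4 code. Tenant configurations, claim names and the
unit4_id format are constructed here for illustration.
"""
import time

# Constructed tenant registry: tenantId -> external IdP configuration.
TENANTS = {
    "acme": {"authority": "https://login.acme.example", "audience": "u4ids-acme"},
    "globex": {"authority": "https://idp.globex.example", "audience": "u4ids-globex"},
}

# Constructed mapping from the external IdP's claim names to OIDC claim names.
CLAIM_MAP = {"upn": "preferred_username", "mail": "email", "displayName": "name"}


def lookup_tenant(tenant_id):
    """Tenant lookup: find the tenant's external IdP configuration (raises if unknown)."""
    try:
        return TENANTS[tenant_id]
    except KeyError:
        raise ValueError("unknown tenant: %s" % tenant_id)


def validate_callback(tenant_id, token, now=None):
    """Callback: accept the returned token only if it came from the IdP this
    tenant was redirected to, was issued for the gateway, and has not expired."""
    tenant = lookup_tenant(tenant_id)
    now = time.time() if now is None else now
    if token.get("iss") != tenant["authority"]:
        raise ValueError("issuer does not match the tenant's authority")
    if token.get("aud") != tenant["audience"]:
        raise ValueError("token was not issued for this gateway")
    if token.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not token.get("sub"):
        raise ValueError("missing subject")
    return tenant


def map_claims(tenant_id, token, now=None):
    """Claims mapping: map external claims to OIDC claims and add unit4_id."""
    validate_callback(tenant_id, token, now)
    claims = {oidc: token[ext] for ext, oidc in CLAIM_MAP.items() if ext in token}
    claims["sub"] = token["sub"]
    # Constructed format: scope the identifier to the tenant so that subjects
    # issued by different tenants' IdPs cannot collide.
    claims["unit4_id"] = "%s:%s" % (tenant_id, token["sub"])
    return claims
```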