Skip to main content
Version: 8.2411.x.x RR

Software Architecture

The deployment diagram of the nevisAuth architecture provides an overview of nevisAuth components. This overview illustrates how configuration fragments influence server components and how those components interact with other parts of the server.

nevisAuth deployment diagram

nevisAuth is an authentication and authorization middleware that provides secure authentication through several authentication back ends as well as additional features, such as two-factor authentication, identity federation and API authorization.

Clients may access nevisAuth either through nevisProxy, or directly through the nevisAuth API, which can be accessed through the WS-Trust web service, the RADIUS facade or the REST services.

The authentication engine (AuthEngine) is the core component for dispatching authentication requests to different subsystems and control user interaction by requesting input data from the reverse proxy.

For stateful multistep authentication and authentication session upgrade (step-up), the AuthEngine provides a session which is used to provide access to the user's current authentication data (not the credentials as these should not be stored).

nevisAuth is designed similar to a web container:

  • The AuthEngine is an authentication container, which dispatches AuthRequests to AuthStates and returns their processing result (AuthResponse) to the client.
  • An AuthState is similar to a servlet.
  • The AuthContext holds authentication data of the request and the user's session.

The AuthEngine is configured on the basis of the nevisAuth configuration (esauth4.xml). It may contain one or more AuthStates. AuthStates are logical authentication steps integrating a full authentication subsystem or just a part of it.

By using logical authentication step results, authentication steps can be combined into a complex authentication procedure without being forced to change the code. In addition, the input argument description (see <Response><Gui>) provides a specification of the login form (or data) that is required for the next step (see the figure AuthEngine - State processing and input specification).

The AuthStates access authentication back ends and other external or internal services to process the requests. Internal services provided by the AuthEngine, such as keystore services and token assembler services, are explained in chapter Authentication Engine.

The AuthStates access authentication back ends and other external or internal services to process the requests. Internal services provided by the AuthEngine, such as keystore services and token assembler services, are explained in chapter Authentication Engine. Chapter Session management focuses on session services, chapter Auditing on auditing and the chapters SOAP web services and REST service API on the API. The AuthStates are described in Authentication Plug-Ins and AuthStates.