
Architecture

Important

Sequel Security Service v3 is designed to be hosted only by Verisk's AWS Managed Service. For other hosting options, such as on-premises, please contact the SuppApp Product Team.

Sequel Security Service

The Sequel Security Service has been designed with the following principles in mind:

  • Modern and standard security protocols
  • API first
  • Cloud ready
  • Scalability

Following these principles, the security service is composed of a set of smaller services:

Security Service Architecture

The boundaries of the Security Service are coloured in grey; shared resources such as the message bus, the Sequel.Core.Logging repositories and the SQL servers are considered external dependencies of the service.

All web services that compose the Security Service share the following principles:

  • API first: all operations are exposed in the APIs.
  • APIs documented with Swagger.
  • Support deployments in IIS and containers.
  • Log all events using Sequel.Core.Logging.
  • Expose health check endpoints.
  • Full integration with the enterprise message bus.
  • Support scale-out.

Authentication Web Service

Provides authentication using the OAuth2 and OpenID Connect protocols for interactive clients and machine-to-machine clients. Apart from the authentication protocol endpoints, this service offers the web forms where users enter their credentials in order to obtain an access token that is reused across multiple applications in the suite; this service serves the login and reset-password screens, which are reused by all the products.

This service is a web application built with:

  • ASP.NET Core 6.0 + Razor views
  • EntityFramework Core 6.0
  • Duende IdentityServer 6.1
  • Sequel.Core.Logging libraries
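Because one access token is reused across the suite, every API that consumes it has to check that the token was issued by this Authentication Web Service and that it was issued for that particular API (the audience), not merely for some application in the suite. The following is an added example of such a consuming API in ASP.NET Core 6.0 minimal-API style; it is not code from the Sequel Security Service or the integration package. The authority URL, the API resource name and the scope name are placeholders, since the page does not document them.

```csharp
// Added example (not code from the Sequel Security Service): a resource API
// that accepts the JWT access tokens issued by the Authentication Web Service.
// Assumptions (placeholders): the authority URL, the API resource name used as
// the token audience and the scope name are not documented on this page.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

const string Authority = "https://auth.example.invalid"; // placeholder: Authentication Web Service URL
const string ApiResource = "example-api";               // placeholder: this API's resource name (token 'aud')
const string RequiredScope = "example-api.read";        // placeholder: scope a client must hold

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The discovery document and signing keys are fetched from the issuer,
        // so tokens signed by anything else are rejected.
        options.Authority = Authority;
        options.RequireHttpsMetadata = true;
        // Keep the original JWT claim names ("sub", "scope", ...) instead of
        // the legacy SOAP-style mapping.
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,          // issuer value comes from the discovery document
            ValidateAudience = true,        // the token must be meant for THIS API...
            ValidAudience = ApiResource,    // ...not just for any application in the suite
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            ValidTypes = new[] { "at+jwt" } // accept access tokens only, never ID tokens
        };
    });

builder.Services.AddAuthorization(options =>
{
    // The "scope" claim may arrive as several claims or as one space-separated
    // string depending on the token server's settings; handle both.
    options.AddPolicy("ApiScope", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => ctx.User.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(RequiredScope)));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Every endpoint requires a valid token carrying the expected scope.
app.MapGet("/me", (ClaimsPrincipal user) => new
    {
        subject = user.FindFirst("sub")?.Value,          // interactive user
        clientId = user.FindFirst("client_id")?.Value    // machine-to-machine client
    })
    .RequireAuthorization("ApiScope");

app.Run();
```

The audience check is the part most often left out: with `ValidateAudience` disabled, a token obtained for one product in the suite would be accepted by every other API that trusts the same issuer.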

Authorisation Rest API

This REST API offers fast access to all authorization queries, that is, to the effective permissions that a user or group has. The information provided by this service is retrieved from the Security Rest API and cached; in other words, this service can be considered a proxy that caches effective-permission information from the Security Rest API. Callers must be authenticated to access this service.

This service is a web application built with:

  • ASP.NET Core 6.0 + Razor views
  • EntityFramework Core 6.0
  • Swagger
  • Sequel.Core.Logging libraries
  • Sequel.Core.MessageBus libraries

Security Rest API

REST API for managing all the resources related to security (users, roles, etc.) and for querying security data (list of users, list of roles, etc.). It is the only component in the system with access to the security databases. This API is responsible for publishing any change in the security data to the service bus, so that other applications can consume those messages and keep their data up to date.

This service is a web application built with:

  • ASP.NET Core 6.0 + Razor views
  • EntityFramework Core 6.0
  • Swagger
  • Sequel.Core.Logging libraries
  • Sequel.Core.MessageBus libraries
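The two previous sections describe a cache of effective permissions in the Authorisation Rest API fed by the Security Rest API, and change messages published by the Security Rest API that consumers use to keep their data current. The following added example (not code from either service) shows how those two pieces fit: a cache that expires entries after a TTL and is additionally invalidated by change messages. The message type `SecurityDataChanged`, the `api/tenants/.../effective-permissions` route and the `Handle` method are assumptions; the real contracts of the Security Rest API and Sequel.Core.MessageBus are not on this page.

```csharp
// Added example (not code from the Sequel Security Service): an in-memory cache
// of effective permissions, as the Authorisation Rest API is described to keep,
// invalidated by the change messages the Security Rest API publishes on the bus.
// The message type, the Security Rest API route and the Handle method are
// placeholders; the real Sequel.Core.MessageBus contracts are not on this page.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.Primitives;

// Placeholder for a change message published by the Security Rest API.
// UserId == null means a role/group change that may affect many users.
public sealed record SecurityDataChanged(string TenantId, string? UserId);

public sealed class EffectivePermissionsCache
{
    private readonly IMemoryCache _cache;
    private readonly HttpClient _securityApi;   // BaseAddress = Security Rest API
    private readonly TimeSpan _ttl;
    // One cancellation token per tenant lets a tenant-wide change evict every
    // entry of that tenant at once, which IMemoryCache cannot do by key prefix.
    private readonly ConcurrentDictionary<string, CancellationTokenSource> _tenantEpochs = new();

    public EffectivePermissionsCache(IMemoryCache cache, HttpClient securityApi, TimeSpan ttl)
    {
        _cache = cache;
        _securityApi = securityApi;
        _ttl = ttl;
    }

    private static string Key(string tenantId, string userId) => $"perm:{tenantId}:{userId}";

    public async Task<IReadOnlyCollection<string>> GetAsync(string tenantId, string userId, CancellationToken ct = default)
    {
        var key = Key(tenantId, userId);
        if (_cache.TryGetValue(key, out IReadOnlyCollection<string>? cached) && cached is not null)
            return cached;

        // Cache miss: ask the single source of truth (placeholder route).
        var route = $"api/tenants/{Uri.EscapeDataString(tenantId)}/users/{Uri.EscapeDataString(userId)}/effective-permissions";
        string[] permissions = await _securityApi.GetFromJsonAsync<string[]>(route, ct) ?? Array.Empty<string>();

        var epoch = _tenantEpochs.GetOrAdd(tenantId, _ => new CancellationTokenSource());
        var entry = new MemoryCacheEntryOptions()
            .SetAbsoluteExpiration(_ttl)   // upper bound on how long a revoked permission is still honoured
            .AddExpirationToken(new CancellationChangeToken(epoch.Token));
        _cache.Set(key, (IReadOnlyCollection<string>)permissions, entry);
        return permissions;
    }

    // Bus message handler: drop only what the change can have affected.
    public void Handle(SecurityDataChanged message)
    {
        if (message.UserId is not null)
        {
            _cache.Remove(Key(message.TenantId, message.UserId));
            return;
        }
        // Role/group change: cancelling the tenant's token expires every entry
        // bound to it; the next GetAsync starts a fresh epoch for the tenant.
        if (_tenantEpochs.TryRemove(message.TenantId, out var oldEpoch))
            oldEpoch.Cancel();
    }
}
```

The TTL is the worst-case delay between a permission being removed in the Security Rest API and the Authorisation Rest API stopping to report it; the bus-driven invalidation normally shrinks that window to the message latency, but the TTL still bounds it if a message is lost.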

Multi-tenancy support

The persistence layer has been built to support multi-tenancy in future versions, but the current version of the system is not multi-tenant. In other words, the project does not yet support real multi-tenancy; however, the whole persistence layer and the Security API are built to be multi-tenant.

As a result, the databases are managed as shown in the diagram below; however, all requests are redirected internally to the default tenant. There are two kinds of databases:

  • Multi-tenancy database: a single database per system, used to store tenant-specific information (such as the connection string) for each tenant.
  • Security database: one per tenant; stores all authentication and authorization information.
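The following added example (not the service's own persistence code) sketches this two-database layout with EntityFramework Core: a per-system tenancy database holding one row per tenant with its connection string, and a factory that opens the matching per-tenant security database, pinned to the default tenant as the current version does. The entity names, the `default` tenant id and the `multiTenancyEnabled` switch are assumptions; the real schema is not on this page.

```csharp
// Added example (not code from the Sequel Security Service): the two-database
// layout described above, with the request-to-tenant mapping pinned to the
// default tenant as the current version does. Entity names, the default tenant
// id and the multiTenancyEnabled switch are placeholders.
using System;
using System.Linq;
using Microsoft.EntityFrameworkCore;

// One row per tenant in the single per-system multi-tenancy database.
public sealed class TenantRecord
{
    public string TenantId { get; set; } = default!;
    public string SecurityDbConnectionString { get; set; } = default!;
    public bool IsEnabled { get; set; }
}

// The per-system multi-tenancy (catalog) database.
public sealed class TenancyDbContext : DbContext
{
    public TenancyDbContext(DbContextOptions<TenancyDbContext> options) : base(options) { }
    public DbSet<TenantRecord> Tenants => Set<TenantRecord>();
}

// The per-tenant security database (users, roles, ... omitted here).
public sealed class SecurityDbContext : DbContext
{
    public SecurityDbContext(DbContextOptions<SecurityDbContext> options) : base(options) { }
}

public sealed class SecurityDbContextFactory
{
    public const string DefaultTenantId = "default";   // placeholder id of the default tenant

    private readonly TenancyDbContext _catalog;
    private readonly bool _multiTenancyEnabled;

    public SecurityDbContextFactory(TenancyDbContext catalog, bool multiTenancyEnabled)
    {
        _catalog = catalog;
        _multiTenancyEnabled = multiTenancyEnabled;   // false in the current version
    }

    // requestedTenantId must come from a trusted source (for example a claim in
    // the validated access token), never from a header the caller sets freely,
    // or one tenant could be routed to another tenant's security database.
    public SecurityDbContext Create(string? requestedTenantId)
    {
        // Current behaviour: every request is redirected to the default tenant.
        var tenantId = _multiTenancyEnabled && !string.IsNullOrWhiteSpace(requestedTenantId)
            ? requestedTenantId
            : DefaultTenantId;

        var tenant = _catalog.Tenants.SingleOrDefault(t => t.TenantId == tenantId && t.IsEnabled)
            ?? throw new InvalidOperationException($"Tenant '{tenantId}' is not registered or is disabled.");

        // Each tenant's security data lives in its own database, reached only
        // through the connection string stored in the catalog.
        var options = new DbContextOptionsBuilder<SecurityDbContext>()
            .UseSqlServer(tenant.SecurityDbConnectionString)
            .Options;
        return new SecurityDbContext(options);
    }
}
```

Turning real multi-tenancy on later is then a matter of flipping the switch and resolving the tenant id from the token rather than hard-wiring it; the catalog lookup and the per-tenant connection already isolate each tenant's data.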

Administration website

Static web application for managing security data; it depends on the Security Rest API and the Authentication Service. It is a single-page application (SPA) built with:

  • ASP.NET Core 6.0
  • ReactJS

LDAP Sync Windows Service

Windows Service that synchronizes users and groups from an Active Directory; this is an optional component and depends on the Security Rest API. It is built with:

  • ASP.NET Core 6.0
  • LDAP
  • Sequel.Core.Logging libraries
  • Sequel.Core.MessageBus libraries

Azure AD Sync Windows Service

Windows Service that synchronizes users and groups from Azure AD; this is an optional component and depends on the Security Rest API. It is built with:

  • ASP.NET Core 6.0
  • MS Graph
  • Sequel.Core.MessageBus libraries

Sequel.Security.Integration NuGet package

Package that helps other teams integrate their applications with the Sequel Security Service, for example by registering resources, clients,... Strictly speaking, this component is not part of the Security Services and evolves with its own versions; all versions of the integration package are backward compatible with the security services, but using the latest version ensures the best user experience.

User web component

A web component for managing user-session concerns such as current user information, inactivity and single sign-out. It is intended to be integrated into all Sequel applications to improve UI/UX consistency in user info and session management.

Legacy Security Sync Services

Some applications, such as Claims, Origin and Workflow, need to keep the legacy security schema in sync with the Security Service; this is done with a Windows Service that consumes all the change messages published by Security. Those consumers are owned by those applications; however, the first implementation was provided by Sequel's Security Team.

The legacy security sync service is built using:

  • ASP.NET Core 6.0
  • Sequel.Core.Logging libraries
  • Sequel.Core.MessageBus libraries

Service bus integration

The security services emit messages to the bus (RabbitMQ) for different reasons, which are covered in the next sections.