⚠️ This document is for the Alpha version of Nubus for Kubernetes. Feedback is welcome. ⚠️

2.2. Functional components

This section provides an overview of the functional components of Univention Nubus for Kubernetes. For each component, it describes the purpose and the main tasks.

Fig. 2.5 provides an overview of all the functional components grouped by their main tasks:

  1. End user facing

  2. Authentication and Authorization

  3. Integration

  4. Connectors

Univention Nubus for Kubernetes consists of the following functional components:

  1. Authorization Service

  2. Directory Manager

  3. End User Self Service

  4. Identity Provider

  5. Identity Store and Directory Service

  6. Intercom Service

  7. Management UI

  8. Portal Service

  9. Provisioning Service

  10. IAM Connector

Fig. 2.5 Overview of functional components in Univention Nubus for Kubernetes

2.2.1. End user facing

Functional components that provide features that directly serve the end user are end user facing. These components are the following:

  • Portal

  • End User Self Service

  • Management UI

Fig. 2.6 Functional components facing the end user

2.2.1.1. Portal Service

The Portal Service is a web application that shows administrators and end users the applications they have access to, manages sign-in and sign-on redirects, and visually integrates different applications into one desktop.

Purpose
  • Delivers customer access, for example for end users using openDesk.

  • Delivers access to administer user accounts and user groups in Nubus.

  • Delivers user interface (UI) integration layer for other services, such as modules in openDesk.

Tasks
  • Login form for end users to sign in.

  • Portal UI.

  • Link to end user self service.

  • Link to administer user accounts and user groups.

  • Link to other openDesk modules.

  • Present notifications from a central notification service.

2.2.1.2. Management UI

The Management UI allows customers to administer IAM resources like user accounts and user groups.

Purpose

User interface (UI) for administration of directory objects, such as user account objects, user group objects, and asset objects. Administrators manage user account and group objects through the Management UI, if Nubus has no external IAM system connected. For more information, see Connectors.

Tasks
  • CRUD operations for directory objects, such as user account objects and user group objects.

  • UI for the CRUD operations, shown according to the user's permissions.

2.2.1.3. End User Self Service

The End User Self Service allows end users to modify certain data of their own user account object, including a password reset service.

Purpose

UI for end users to manage distinct attributes of their user account object.

Tasks
  • Maintenance of user account data, such as profile information.

  • Actions for forgotten password and password change.

2.2.2. Authentication and Authorization

The Guardian is a generic Authorization Service where applications can register rules and roles. They can then use it to authorize the operations they offer to clients.

Functional components listed in this section provide features for authentication and authorization. They’re the following:

  • Authorization Service

  • Directory Manager

  • Identity Provider

  • Identity Store and Directory Service

Fig. 2.7 Functional components for authentication and authorization

2.2.2.1. Identity Provider

The Identity Provider service is responsible for authentication, token creation, renewal, and removal. The Identity Provider includes the software stack for Keycloak and the integration to the Identity Store and Directory Service.

Purpose

Authentication provider using the authentication protocols SAML and OpenID Connect.

Tasks
  • Session handling for user authentications.

  • Offers the authentication protocols SAML and OpenID Connect.

2.2.2.2. Authorization Service

The Authorization Service is responsible for managing user permissions and organizing them in roles. The software stack also has the name Guardian.

Purpose

The authorization service provides authorization for other Nubus components, such as the End User Self Service.

Note

For the time being, no Nubus component uses the Authorization Service. As soon as components use it, this section explicitly lists them.

Tasks
  • Authorize operations in Management UI.

  • Deliver API for CRUD operations for rules.

  • Deliver UI for management of rules.

See also

Guardian Manual [3] for more information about the Guardian.

2.2.2.3. Directory Manager

The Univention Directory Manager (UDM) REST API offers an HTTP REST interface to manage the user account, user group, and asset objects stored in the Identity Store and Directory Service.

Purpose

Façade in front of the Directory Service that transforms business actions on user account objects, user group objects, and asset objects into directory operations. It orchestrates CRUD operations for the Directory Service.

Tasks
  • Applies business logic to user account objects, group objects, and asset objects.

  • Transforms objects to and from the directory service representation.

  • Triggers events for provisioning.

2.2.2.4. Identity Store and Directory Service

The Identity Store and Directory Service uses OpenLDAP as the primary database for user account, user group, and asset objects.

Purpose

Persistence layer for structured directory service data. It implements availability and performance requirements. The structured data is user account objects, user group objects, and asset objects.

Tasks

Delivers user account objects and user group objects through CRUD operations.

2.2.3. Integration

Functional components listed in this section provide functions for the integration of the components into the central user interface (UI), as well as into Authentication and Authorization. They’re the following:

  • Intercom Service

  • Provisioning Service

Fig. 2.8 Functional components for integration

2.2.3.1. Provisioning Service

The Provisioning Service is a system that notifies interested services about changes in the IAM database, such as user creation.

Purpose

Connection and synchronization of the user account objects, user group objects, and asset objects that the Identity Store and Directory Service manages with functional components that have their own data persistence.

Tasks

Delivers objects based on events from the directory store to the functional component.

2.2.3.2. Intercom Service

The Intercom Service is an intermediary for communication between applications like Nextcloud, OX App Suite and Matrix.

Purpose

Intermediary to allow sharing of resources between different backends directly from the browser.

Tasks

Provide restricted usage of resources across functional components.

2.2.4. Connectors

Connectors enable the connection of external systems to Nubus.

Fig. 2.9 Functional components for connectors

2.2.4.1. IAM Connector

A central external identity and access management (IAM) system is the leading and authoritative source system for management and maintenance of user accounts and user group memberships.

Purpose

The connector provides a direct interface between the external IAM and the Authentication and Authorization components of Nubus.

Tasks
  • Synchronize user account and user group data from the external IAM to Nubus.

  • Provide a unidirectional or bidirectional synchronization.

2.2.4.2. Nubus Directory Importer

The Nubus Directory Importer is a distinct implementation of the IAM Connector, as shown in Fig. 2.10.

Fig. 2.10 Nubus Directory Importer as implementation for an IAM Connector

Purpose

The connector synchronizes the Directory Manager in Nubus with the directory structure of several external directories using LDAP.

Tasks
  • Search for user account objects and user group objects in the source and the target through LDAP.

  • Determine the differences between the source and target to calculate the modification operations.

  • Synchronize the found objects to the Directory Manager through the UDM HTTP REST API.
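The second task above, computing the modification operations from the difference between source and target, is the core of such an importer. The following is an added illustration of that reconciliation step, not code from the Nubus Directory Importer itself: it takes a constructed snapshot of user and group objects read from the external LDAP source and one read from the Nubus target, and produces the ordered list of create, modify and delete operations that would then be sent through the UDM HTTP REST API. The attribute names, the snapshot layout, the `Op` type and the rule that only a fixed attribute set is synchronized are assumptions of this example; the REST calls themselves are not shown.

```python
"""Reconciliation step of an LDAP-to-Nubus directory sync (constructed example).

Compares a snapshot of the external source directory with a snapshot of the
Nubus target and returns the minimal list of operations needed to make the
target match the source for the synchronized attributes. Attributes outside
that set (for example passwords maintained inside Nubus) are never touched.
"""
from dataclasses import dataclass

# Assumed set of attributes the importer is responsible for.
USER_ATTRS = ("firstname", "lastname", "mailPrimaryAddress")
GROUP_ATTRS = ("description", "users")


@dataclass(frozen=True)
class Op:
    kind: str          # "create", "modify" or "delete"
    object_type: str   # "user" or "group"
    key: str           # stable identifier: username or group name
    changes: tuple = ()  # (attribute, new value) pairs; empty for delete


def _normalize(value):
    # Multi-valued LDAP attributes (group members) arrive in arbitrary order;
    # compare them as sorted tuples so a reordering alone never triggers a modify.
    if isinstance(value, (list, set, tuple, frozenset)):
        return tuple(sorted(value))
    return value


def diff_objects(object_type, source, target, attrs):
    """Return create/modify/delete operations for one object type.

    `source` and `target` map the stable key to a dict of attributes.
    """
    ops = []
    for key in sorted(source.keys() | target.keys()):
        if key not in target:
            changes = tuple((a, _normalize(source[key].get(a))) for a in attrs)
            ops.append(Op("create", object_type, key, changes))
        elif key not in source:
            # Design caveat: this deletes anything absent from the source. A
            # production importer would normally limit deletion to objects it
            # created itself, e.g. by tagging them, so that accounts managed
            # only inside Nubus survive a sync run.
            ops.append(Op("delete", object_type, key))
        else:
            changes = tuple(
                (a, _normalize(source[key].get(a)))
                for a in attrs
                if _normalize(source[key].get(a)) != _normalize(target[key].get(a))
            )
            if changes:
                ops.append(Op("modify", object_type, key, changes))
    return ops


def plan_sync(source, target):
    """Users are handled before groups so that group memberships can
    reference users created in the same run."""
    return (diff_objects("user", source["users"], target["users"], USER_ATTRS)
            + diff_objects("group", source["groups"], target["groups"], GROUP_ATTRS))


# Constructed snapshots. SOURCE is what an LDAP search of the external
# directory returned; TARGET is what the same search against Nubus returned.
SOURCE = {
    "users": {
        "alice": {"firstname": "Alice", "lastname": "Adams", "mailPrimaryAddress": "alice@example.test"},
        "bob":   {"firstname": "Bob",   "lastname": "Brown", "mailPrimaryAddress": "bob@example.test"},
        "carol": {"firstname": "Carol", "lastname": "Clark", "mailPrimaryAddress": "carol@example.test"},
    },
    "groups": {
        "staff": {"description": "All staff", "users": ["carol", "alice", "bob"]},
    },
}
TARGET = {
    "users": {
        "alice": {"firstname": "Alice",  "lastname": "Adams", "mailPrimaryAddress": "alice@example.test",
                  "password": "managed-in-nubus-not-synced"},
        "bob":   {"firstname": "Robert", "lastname": "Brown", "mailPrimaryAddress": "bob@example.test"},
        "dave":  {"firstname": "Dave",   "lastname": "Dunn",  "mailPrimaryAddress": "dave@example.test"},
    },
    "groups": {
        "staff": {"description": "All staff", "users": ["alice", "bob"]},
    },
}

if __name__ == "__main__":
    for op in plan_sync(SOURCE, TARGET):
        print(op.kind, op.object_type, op.key, dict(op.changes))
```

Running it yields one modify for `bob` (first name changed at the source), a create for `carol`, a delete for `dave` (present only in Nubus) and a modify of the `staff` group's member list; `alice` produces nothing because her extra `password` attribute is outside the synchronized set. Running the plan against an already synchronized target returns an empty list, which is the property that makes repeated sync runs safe.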

See also

How-to connect to external IAM for more information about how to connect Nubus through the Nubus Directory Importer with an external directory service.