2.2. Functional components

This section provides an overview of the functional components of Univention Nubus for Kubernetes. For each component, it describes the purpose and the main tasks.

Fig. 2.5 provides an overview of all the functional components grouped by their main tasks:

1. End user facing

2. Authentication and Authorization

3. Integration

4. Connectors

Univention Nubus for Kubernetes consists of the following functional components:

1. Authorization Service

2. Directory Manager

3. End User Self Service

4. Identity Provider

5. Identity Store and Directory Service

6. Intercom Service

7. Management UI

8. Portal Service

9. Provisioning Service

10. IAM Connector

Fig. 2.5 Overview of functional components in Univention Nubus for Kubernetes

2.2.1. End user facing

Functional components that provide features that directly serve the end user are end user facing. These components are the following:

• Portal

• End User Self Service

• Management UI

Fig. 2.6 Functional components facing the end user

2.2.1.1. Portal Service

The Portal Service is a web application that shows administrators and end users the applications they have access to, manages sign-in and sign-on redirects, and visually integrates different applications into one desktop.

Purpose

• Delivers customer access, for example for end users.

• Delivers access to administer user accounts and user groups in Univention Nubus for Kubernetes.

• Delivers user interface (UI) integration layer for other services.

Tasks:

• Login form for end users to sign in.

• Portal UI.

• Link to end user self service.

• Link to administer user accounts and user groups.

• Link to other modules.

• Present notifications from a central notification service.

See also

Portal Service in the interfaces section

for information about incoming and outgoing interfaces.

Portal Service in the deployment view section

for information about Docker images, Kubernetes pods, and Helm Charts used for deployment.

Portal Service in components section

for information about internal components and behavior.

2.2.1.2. Management UI

The Management UI allows customers to administer IAM resources like user accounts and user groups.

Purpose

User interface (UI) for administration of directory objects, such as user account objects, user group objects, and asset objects. Administrators manage user account and group objects through the Management UI, if Nubus has no external IAM system connected. For more information, see Connectors.

Tasks

• CRUD operations for directory objects, such as user account objects and user group objects.

• UI for the CRUD operations that depends on permissions.

See also

Management UI in interfaces protocols section

for information about incoming and outgoing interfaces.

Management UI in the deployment view section

for information about Docker images, Kubernetes pods, and Helm Charts used for deployment.

Management UI in components section

for information about internal components and behavior.

2.2.1.3. End User Self Service

The End User Self Service allows end users to modify certain data of their own user account object, including a password reset service.

Purpose

UI for end users to manage distinct attributes of their user account object

Tasks:

• Maintenance of user account data, such as profile information.

• Actions for forgotten password and password change.

See also

End User Self Service in the interface section

for information about incoming and outgoing interfaces.

End User Self Service in the deployment view section

for information about Docker images, Kubernetes pods, and Helm Charts used for deployment.

End User Self Service in components section

for information about internal components and behavior.

2.2.2. Authentication and Authorization

The Guardian is a generic Authorization Service where applications can register rules and roles. They can then use it to authorize the operations they offer to clients.

Functional components listed in this section provide features for authentication and authorization. They’re the following:

• Authorization Service

• Directory Manager

• Identity Provider

• Identity Store and Directory Service

Fig. 2.7 Functional components for authentication and authorization

2.2.2.1. Identity Provider

The Identity Provider service is responsible for authentication, token creation, renewal, and removal. The Identity Provider includes the software stack for Keycloak and the integration to the Identity Store and Directory Service.

Purpose

Authentication provider using the authentication protocols SAML and OpenID Connect.

Tasks

• Session handling for user authentications.

• Offers authentication protocols SAML, and OpenID Connect.

See also

Identity Provider in interfaces and protocols section

for information about incoming and outgoing interfaces.

Identity Provider in deployment view section

for information about Docker images, Kubernetes pods, and Helm Charts used for deployment.

Identity Provider in components section

for information about internal components and behavior.

2.2.2.2. Authorization Service

The Authorization Service is responsible for managing user permissions and organizing them in roles. The software stack also has the name Guardian.

Purpose

The authorization service provides authorization for other Nubus components, such as the End User Self Service.

Note

For the time being, no Nubus component uses the Authorization Service. If components use it, this section explicitly lists them.

Tasks:

• Authorize operations in Management UI.

• Deliver API for CRUD operations for rules.

• Deliver UI for management of rules.

See also

Authorization Service in interfaces and protocols section

for information about incoming and outgoing interfaces.

Authorization Service in the deployment view section

for information about Docker images, Kubernetes pods, and Helm Charts used for deployment.

Authorization Service in components section

for information about internal components and behavior.

Guardian Manual [3]

for more information about the Guardian.

2.2.2.3. Directory Manager

The Univention Directory Manager (UDM) REST API offers an HTTP REST interface to manage the user account, user group, and asset objects stored in the Identity Store and Directory Service.

Purpose

Façade in front of the Directory Service, that transforms business actions on user account objects, user group objects, and asset objects. It orchestrates CRUD operations for the Directory Service.

Tasks:

• Applies business logic on user account objects, group objects, and asset objects.

• Transforms objects to and from directory service.

See also

Directory Manager in interfaces and protocols section

for information about incoming and outgoing interfaces.

Directory Manager in deployment view section

for information about Docker images, Kubernetes pods, and Helm Charts used for deployment.

Directory Manager in components section

for information about internal components and behavior.

2.2.2.4. Identity Store and Directory Service

The Identity Store and Directory Service uses OpenLDAP as the primary database for user account, user group, and asset objects.

Purpose

Persistence layer for structured directory service data. It implements availability and performance requirements. The structured data is user account objects, user group objects, and asset objects.

Tasks:

• Delivers user account objects and user group objects through read operations.

• Triggers events for provisioning.

See also

Identity Store and Directory Service in interfaces and protocols section

for information about incoming and outgoing interfaces.

Identity Store and Directory Service in deployment view section

for information about Docker images, Kubernetes pods, and Helm Charts used for deployment.

Identity Store and Directory Service in components section

for information about internal components and behavior.

2.2.3. Integration

Functional components listed in this section provide functions for the integration of the components into the central user interface (UI), as well as, the Authentication and Authorization. They’re the following:

• Intercom Service

• Provisioning Service

Fig. 2.8 Functional components for integration

2.2.3.1. Provisioning Service

The Provisioning Service notifies interested services of changes to directory objects in the Identity Store and Directory Service. For example, imagine a service that wants to take action in its database, such as populating initial data for a user when an administrator creates a user account in the IAM database. Interested services register with the Provisioning Service in advance.

Purpose

Connection and synchronization of user account objects, user group objects and asset objects, that the Identity Store and Directory Service manages, with functional components that have their own data persistence.

Tasks:

• Informs about changes in the Identity Store and Directory Service.

• Delivers objects based on events from the Identity Store and Directory Service to the functional component.

See also

Provisioning Service in interfaces and protocols section

for information about incoming and outgoing interfaces.

Provisioning Service in deployment view section

for information about Docker images, Kubernetes pods, and Helm Charts used for deployment.

Provisioning Service in components section

for information about internal components and behavior.

2.2.3.2. Intercom Service

The Intercom Service is an intermediary for communication between applications like Nextcloud, OX App Suite and Matrix.

Purpose

Intermediary to allow sharing of resources between different backends directly from the browser.

Tasks

Provide restricted usage of resources across functional components.

See also

Intercom Service in interfaces protocols section

for information about incoming and outgoing interfaces.

Intercom Service in components section

for information about internal components and behavior.

Deployment of Intercom Service

in Univention Nubus for Kubernetes - Operation Manual [1] for information about the deployment of Intercom Service.

2.2.4. Connectors

Connectors enable the connection of external systems to Nubus.

Fig. 2.9 Functional components for connectors

2.2.4.1. IAM Connector

A central external identity and access management (IAM) system is the leading and authoritative source system for management and maintenance of user accounts and user group memberships.

Purpose

The connector serves the setup of a direct interface between the external IAM and the Authentication and Authorization from Nubus.

Tasks

• Synchronize user account and user group data from the external IAM to Nubus.

• Provide an unidirectional or bidirectional synchronization.

See also

IAM Connector in components section

for information about internal components and behavior.

2.2.4.2. Nubus Directory Importer

The Nubus Directory Importer is a distinct implementation of the IAM Connector, as shown in Fig. 2.10.

Fig. 2.10 Nubus Directory Importer as implementation for an IAM Connector

Purpose

The connector synchronizes the Directory Manager in Nubus with the directory structure of several external directories using LDAP.

Tasks:

• Search for user account objects and user group objects in the source and the target through LDAP.

• Determine the differences between the source and target to calculate the modification operations.

• Synchronize the found objects to the Directory Manager through the UDM HTTP REST API.

See also

Nubus Directory Importer in components section

for information about internal components and behavior.

How-to connect to external IAM

for more information about how to connect Nubus through the Nubus Directory Importer with an external directory service.