Architecture Overview
The Identix IDP Broker is designed as a modular, pluggable identity orchestration platform. It acts as an intermediary between various Identity Providers (IDPs) and Relying Party (RP) applications, providing a unified interface for authentication, authorization, and user management.
Core Design Principles
- Modularity: All external integrations (SMS, Email, Security, Storage) are implemented as pluggable providers.
- Tenant Isolation: Support for multi-tenancy with isolated configurations, domains, and user stores.
- Developer-First: Extensible architecture that allows developers to add new capabilities without modifying the core engine.
- Security by Design: Integrated secret management, audit logging, and modern authentication protocol support (OAuth2, OIDC, SAML).
High-Level Architecture
The system consists of several key layers:
- Backend (Spring Boot & Kotlin): The core engine handling security, protocol brokering, and business logic.
- Frontend (React & TypeScript): A modern, responsive dashboard for administrators and a user portal for end-users.
- Integration Layer: A provider-based system for connecting to third-party services.
- Persistence Layer: Database-agnostic storage with support for SQLite, PostgreSQL, and MySQL.
The Pluggable Provider System
The heart of Identix's extensibility is its provider system. Instead of hardcoding integrations, Identix uses an abstraction layer that allows dynamic instantiation of service providers.
Key Components
- IntegrationProviderInterface: The base contract that all providers must implement. It defines methods for initialization, health testing, and metadata retrieval.
- ProviderFactory: A central registry and factory that instantiates providers based on stored configurations. It handles decryption of secrets and runtime initialization.
- IntegrationService: The service layer that manages the lifecycle of integrations (CRUD operations, default settings, and stats).
Provider Types
Identix categorizes integrations into several types:
- EMAIL: SendGrid, SMTP, AWS SES.
- SMS: Twilio, AWS SNS, Azure ACS.
- MESSAGING: WhatsApp Business.
- SECURITY: Google reCAPTCHA v3, Arkose Labs.
- WEBHOOK: Generic outgoing webhooks for event-driven orchestration.
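The following Kotlin sketch is an added illustration of the Key Components and Provider Types described above; it is not Identix's own code, and every name in it (StoredIntegration, SmtpEmailProvider, SecretDecryptor, the method signatures) is a hypothetical stand-in for whatever the real interfaces look like. It shows the one property a reviewer should look for in this design: secrets are stored encrypted, decrypted only when the factory instantiates a provider, and never surface in provider metadata.

```kotlin
enum class ProviderType { EMAIL, SMS, MESSAGING, SECURITY, WEBHOOK }

// Stored configuration: plain settings in the clear, secrets encrypted at rest.
data class StoredIntegration(val type: ProviderType, val vendor: String,
    val settings: Map<String, String>, val encryptedSecrets: Map<String, ByteArray>)

interface IntegrationProviderInterface {
    val metadata: Map<String, String>
    fun initialize(settings: Map<String, String>, secrets: Map<String, String>)
    fun testHealth(): Boolean
}

// Hypothetical SMTP provider: the password lives only in memory and never appears in metadata.
class SmtpEmailProvider : IntegrationProviderInterface {
    private var host = ""
    private var password = CharArray(0)
    override val metadata: Map<String, String>
        get() = mapOf("type" to "EMAIL", "vendor" to "smtp", "host" to host)
    override fun initialize(settings: Map<String, String>, secrets: Map<String, String>) {
        host = settings.getValue("host")
        password = secrets.getValue("password").toCharArray()
    }
    override fun testHealth() = host.isNotBlank() && password.isNotEmpty()
}

// Decryption is injected so the factory itself holds no key material.
fun interface SecretDecryptor { fun decrypt(ciphertext: ByteArray): String }

class ProviderFactory(private val decryptor: SecretDecryptor) {
    private val registry = mapOf<Pair<ProviderType, String>, () -> IntegrationProviderInterface>(
        (ProviderType.EMAIL to "smtp") to { SmtpEmailProvider() },
    )
    fun create(stored: StoredIntegration): IntegrationProviderInterface {
        val ctor = registry[stored.type to stored.vendor]
            ?: throw IllegalArgumentException("no provider for ${stored.type}/${stored.vendor}")
        // Secrets are decrypted only at instantiation time and handed straight to the provider.
        val secrets = stored.encryptedSecrets.mapValues { (_, ct) -> decryptor.decrypt(ct) }
        return ctor().also { it.initialize(stored.settings, secrets) }
    }
}

fun main() {
    val factory = ProviderFactory { ct -> String(ct).reversed() } // toy decryptor, demo only
    val stored = StoredIntegration(ProviderType.EMAIL, "smtp", mapOf("host" to "mail.example.test"),
        mapOf("password" to "terces".toByteArray()))
    val provider = factory.create(stored)
    println(provider.metadata)
    check(provider.testHealth())
}
```

A real deployment would back SecretDecryptor with the platform's secret manager rather than the toy reversal used here, and would audit-log each create() call without including the decrypted values.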
Data Flow: Authentication Brokering
- Initiation: An RP application redirects a user to Identix via OAuth2/OIDC.
- Home Realm Discovery (HRD): Identix identifies the user's organization based on email domain or selection.
- User Journey: The user follows a configurable flow (e.g., Password + MFA).
- Federation: If required, Identix redirects the user to an upstream IDP (e.g., Azure AD, Google).
- Transformation: Claims from the upstream IDP are transformed and mapped to the Identix user profile.
- Completion: Identix issues its own tokens (JWT) and redirects the user back to the RP application.
State Management
- Backend: Utilizes Spring Security for session management, with pluggable storage (Redis or In-Memory).
- Frontend: Uses Zustand for global state management, ensuring a reactive and performant UI without the boilerplate of Redux.
Deployment Options
Identix is container-ready and can be deployed on:
- Docker: Simple containerized setup.
- Kubernetes: Scalable orchestration with Helm charts.
- Virtual Machines: Traditional deployment on Linux/Windows.