Since Hitachi ID Identity and Access Management Suite is a sensitive security application, with privileged access to many other systems in an organization and with access to sensitive personal data, most organizations are unwilling to expose Hitachi ID Identity and Access Management Suite directly to the public Internet. This creates a problem for mobile device access to self-service, as illustrated in Figure [link].
Outbound connections are routine, inbound connections are risky and rarely permitted
Hitachi ID Systems has developed a solution to this problem, by installing and activating an app natively on iOS and Android devices and hosting a proxy server in the cloud. This arrangement is shown in Figure [link].
Using this architecture:
- An app is installed on user devices.
- Users sign into Hitachi ID Identity and Access Management Suite with their PC and ask to activate their device.
- The PC-based web UI displays an activation QR ode.
- The user runs the app on their device, which scans this QR code.
- The QR code includes encryption key material and a URL for a proxy service, in the cloud (i.e., on the public Internet).
- Users use the app to (indirectly) access the on-premises Hitachi ID Identity and Access Management Suite web portal.
- The app connects to the cloud proxy, requesting content from the on-premises portal.
- The proxy checks key material provided by the app and may discard connection attempts. In this way, connections from regular browsers or devices which have not been correctly activated for a particular Hitachi ID Identity and Access Management Suite instance are easily discarded.
- Simultaneously, a service on the Hitachi ID Identity and Access Management Suite server connects to the proxy server, asking for page requests to fulfill.
- The proxy passes requests from mobile devices to connections from the Hitachi ID Identity and Access Management Suite server.
- All connections that cross the corporate perimeter firewall in this architecture are outbound -- from the Hitachi ID Identity and Access Management Suite server to the cloud proxy.
- All connections are encrypted.
Cloud proxy architecture