The following architectural description applies to the entire Hitachi ID Identity and Access Management Suite when it is delivered as a service, hosted and operated by Hitachi ID Systems:
Hitachi ID Identity and Access Management Suite is available for deployment "in the cloud." This means either that Hitachi ID hosts and manages the entire system, in which case it is delivered as a service, or Hitachi ID customer deploys to its own IaaS platform, in which case it's just "cloud hosted."
In either case, Figure [link] shows the basic architecture.
Network Architecture - Hitachi ID Suite-as-a-service
In the figure:
- Two virtual networks are deployed, in two geographic regions. If Hitachi ID hosts, this means two different Amazon availability zones.
- On each virtual network, there are four core elements:
- A Hitachi ID Suite application server, running Windows 2016.
- A Hitachi ID Suite database, running SQL 2016. This is normally on the same VM as the app server.
- A firewall, augmenting the packet filtering provided by the IaaS service provider. Hitachi ID uses a Linux-based firewall with packet filtering in the OS kernel.
- Optionally, a mobile proxy, to enable smart phone access to the UI.
- A total of three application servers is deployed, to ensure fault tolerance.
- Data replication between the three application servers is provided by the core application. In-application data replication is encrypted, asynchronous, fault tolerant and able to operate over large geographical distances (high packet latency / limited bandwidth).
- Each application server exposes a full UI over an HTTPS URL. This URL may be public or may be made available to certain IP subnets or over a VPN if the customer prefers to a private URL.
- Load balancing across the three active application servers is provided, using a combination of geographic proximity and round-robin load balancing provided by DNS based (Amazon Route 53) and cloud based load balancers.
- Two or more connector proxy servers are deployed on-premises on the customer's private network. These servers run connectors which are responsible for integrations with existing on-premises systems and applications, such as Active Directory, Exchange, SAP, z/OS, etc.