CIAM application reference architecture

Organizations focused on Customer Identity and Access Management (CIAM) have distinct architectural considerations. CIAM infrastructures are typically built to accommodate a very large number of users and a very high volume of requests to the applications. Applications are built out with multiple levels of redundancy and may be located in multiple data centers around the world in an active/active configuration. A deployment may include a single application or many applications, each with different infrastructure requirements. Rather than shared infrastructure, each application typically has its own stack for isolation and performance. In addition, there is often a requirement to let users browse deep into an application before requiring them to log in or register.
In an Okta environment, CIAM users are typically stored in Universal Directory instead of in an on-premises LDAP directory, Active Directory, or database.

Approach

To deploy Access Gateway to secure applications in an environment like the one described above, it is best to begin by deploying a base architecture and then add specific features as needed. This approach lets an organization move forward in an agile fashion without becoming bogged down in requirements analysis.

Key steps in determining an overall architecture include:

  • Identify which applications should be accessible through Access Gateway from the internet and which should require the user to be on the internal network. Typically this starts as a subset of applications and expands over time.
  • Identify how applications are to be integrated with Okta and Access Gateway. Typical integrations include:
    • Large number of unprotected URLs (pass through)
    • Header based
    • SAML
    • Anonymous personalization of sites
    • Others
  • Identify how many users will access the applications and how often. This helps determine how many Access Gateway instances are required, how many load balancers are necessary, and generally how the architecture components should be distributed.

Access Gateway CIAM architectures

Access Gateway CIAM installations can be deployed in many possible combinations. Common architectures are:

Simple CIAM application reference architecture The simplest of all architectures, the single Access Gateway server architecture is typical of development and test scenarios.
Single cluster CIAM application reference architecture The single cluster Access Gateway architecture represents the components required for protecting a single web resource using Access Gateway. It extends the simple single-instance architecture by introducing an Access Gateway cluster.
Single split cluster CIAM application reference architecture The single split cluster Access Gateway architecture represents the components required for protecting multiple similar web resources using Access Gateway. It extends the single cluster architecture by splitting the Access Gateway cluster across multiple virtual environments.
Hybrid multi-cluster split CIAM application reference architecture The hybrid multi-cluster split Access Gateway architecture represents the components required for protecting multiple sets of web resources with different requirements using Access Gateway. It combines the single cluster and single split cluster architectures by using Access Gateway clusters that are split across multiple clusters and multiple virtual environments.
Multi-cluster CIAM application reference architecture The multi-cluster Access Gateway architecture represents the components required for protecting multiple sets of web resources with different requirements using Access Gateway. It extends the single cluster architecture by using multiple Access Gateway clusters distributed across multiple virtual environments.

Architecture functional area breakdown

Architectures are broken down into the following functional areas:

External internet The external internet represents the clients that access the applications, and also includes your Okta org.
DMZ The DMZ houses an Access Gateway cluster and its associated components, which allow access to applications from the external internet.
Internal The internal network houses the applications being protected by Access Gateway, as well as the other components required to make these applications widely available.