Last modified by Erik Bakker on 2026/01/02 10:29

From version 26.1
edited by Erik Bakker
on 2026/01/02 10:29
Change comment: There is no comment for this version
To version 11.1
edited by Erik Bakker
on 2022/07/26 13:40
Change comment: There is no comment for this version

Details

Page properties
Title
... ... @@ -1,1 +1,1 @@
1 -Communication between models
1 +API Gateway Security - External IDP
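Review bot: the comparison runs from version 26.1 (2026/01/02) to version 11.1 (2022/07/26), so the `+` side of every hunk is the older revision and the `-` side the newer one; the title hunk ("Communication between models" vs "API Gateway Security - External IDP") shows the two revisions are unrelated pages rather than one page edited, so read the `-`/`+` markers as a full replacement, not as line edits, and consider linking the two topics as separate documents instead of keeping them in one page history.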
Content
... ... @@ -1,5 +1,5 @@
1 1  {{container}}{{container layoutStyle="columns"}}(((
2 -In this microlearning explains about sharing data across systems in a multi-model environment using event streaming and web services. It discusses the processes, best practices, and considerations for implementing these concepts. Take a look to gain a deeper understanding of how communication between systems in different models can be achieved effectively.
2 +In the crash course on the API Gateway we discussed the various options available to [[secure>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-security.WebHome||target="blank"]] your API Gateway properly. In this microlearning, we will expand our knowledge on that topic by looking at a special case of securing your API Gateway. That case is special as you use an external identity provider (IDP) to govern the roles and users that have rights on your API Gateway.
3 3  
4 4  Should you have any questions, please get in touch with [[academy@emagiz.com>>mailto:academy@emagiz.com]].
5 5  
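Review bot: the `-` intro at line 2 is ungrammatical ("In this microlearning explains about sharing data across systems"); if that side is kept, change it to "This microlearning explains how to share data across systems in a multi-model environment". On the `+` side the same intro paragraph is reused unchanged as the opening paragraph of section 3 later in the page, so one of the two copies should be dropped.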
... ... @@ -6,83 +6,54 @@
6 6  == 1. Prerequisites ==
7 7  
8 8  * Expert knowledge of the eMagiz platform
9 -* Fundamental [[eMagiz Multi-model>>doc:Main.eMagiz Academy.Fundamentals.fundamental-emagiz-multi-model-explained.WebHome||target="blank"]]
10 -* Fundamental [[eMagiz Event Streaming>>doc:Main.eMagiz Academy.Fundamentals.fundamental-event-streaming-introduction||target="blank"]]
11 -* Fundamental [[eMagiz API Gateway>>doc:Main.eMagiz Academy.Fundamentals.fundamental-api-gateway-introduction||target="blank"]]
12 -* Fundamental [[eMagiz Messaging>>doc:Main.eMagiz Academy.Fundamentals.fundamental-messaging-introduction||target="blank"]]
13 13  
14 14  == 2. Key concepts ==
15 15  
16 -* Model - the integration model of a client that runs on a specific cloud slot of eMagiz
17 -* Multi-model - several integration models of a single client
12 +This microlearning focuses on using an external IDP to validate whether a user is authorized to execute a certain action on your API Gateway and what configuration is needed in eMagiz to make this work.
18 18  
19 -When selecting a method to communicate between models always consider the following concepts:
20 -* Security
21 -* Loose coupling
22 -* Maintainability
23 -* Clarity
14 +* The Token and Issuer URL of the external IDP need to be known
15 +* Users and Roles under User Management need to be manually configured and maintained to keep them in sync with the external IDP
24 24  
25 -== 3. Main Multi-Model Integration Patterns ==
17 +== 3. External IDP ==
26 26  
27 -Most users would think that communication via queues to connect two separate eMagiz models is a bright idea. However, this is something that we do not encourage. We discourage this for several practical and technical reasons alike.
19 +In the crash course on the API Gateway we discussed the various options available to [[secure>>doc:Main.eMagiz Academy.Microlearnings.Crash Course.Crash Course API Gateway.crashcourse-api-gateway-security.WebHome||target="blank"]] your API Gateway properly. In this microlearning, we will expand our knowledge on that topic by looking at a special case of securing your API Gateway. That case is special as you use an external identity provider (IDP) to govern the roles and users that have rights on your API Gateway.
28 28  
29 -When looking at the practical side of things getting it configured correctly is time-consuming and an error-prone action (as is evident by the question). Furthermore, it can lead to unexpected situations where you make a typo to listen to a queue on which no messages are provided. This queue will, however, be registered on the JMS level (when you activate the flow in question with the custom configuration), which can lead to confusing queue statistics and even more troublesome false-positive alerting based on missing queue metrics or missing consumers.
21 +When selecting the option OAuth2.0 (or OpenID Connect) you have the option to use the IDP provided by eMagiz which makes the configuration easy or you could use an external IDP which you have control over and want to use for this purposes.
30 30  
31 -On top of that, when you allow one model to write and read from queues registered in another model, maintaining both models will become very complex. This holds for the ones working on the project at the moment but also for those working on it at a later stage and does that need to provide (incidental) support on the environments.
23 +In this microlearning we will highlight what you need to configure in Design and Deploy to make this work within the tooling of eMagiz.
32 32  
33 -Another practical reason for not wanting this is that we do not actively support this use case from eMagiz. This means that when we update our technical infrastructure, we will not consider this scenario. This could lead to additional work in the future and reduced stability of your solution.
25 +=== 3.1 Design ===
34 34  
35 -From the technical point of view, the consequence of this construction is that both models need to know each other certificates and credentials, which are not considered secure. On top of that, because you, theoretically, can exchange data from any queue to any queue, you could create a situation in which updates in one model trigger changes in the other model (i.e., when using the same data model) that are unexpected (and frankly unwanted).
27 +On the security level of the API Gateway in Design you need to select the desired option, for example OAuth2.0. Instead of not filling in the token and issuer URL, indicating that you want to use the eMagiz IDP, you need to fill these in to reference the IDP of your choice. Below you see an example of how this could be configured.
36 36  
37 -At the moment, the two most frequently used ways to provide communication between systems in a multi-model environment are event streaming and web services. This microlearning will discuss the processes of sharing data across systems in a multi-model environment using these concepts, including best practices.
38 -In the figure below, both processes are illustrated. The process at the top illustrates event streaming, and the process at the bottom illustrates web services. Model A and model B are two different models, where a system in model B should have access to the same data as the system in model A. For example, the systems in both models should be the same.
29 +[[image:Main.Images.Microlearning.WebHome@expert-securing-data-traffic-api-gw-security-external-idp-security-config-design.png]]
39 39  
40 -[[image:Main.Images.Fundamental.WebHome@fundamental-multi-model-best-practice--event-streaming-and-webservices.png]]
31 +Note that the environmentID in this example should be replaced with an actual environmentID that references your environment.
41 41  
42 -=== 3.1 Event Streaming ===
33 +=== 3.2 Deploy ===
43 43  
44 -To understand the following section, it is necessary to have some background information about event streaming, which can be found [[here>>doc:Main.eMagiz Academy.Fundamentals.fundamental-event-streaming-introduction||target="blank"]].
45 -The first option is to decide the alignment of the data models between both models. Whenever data from the first model is transferred to the second model, and the topic is considered input for other systems and integrations in that other model, the data needs to be transformed to the common data model of that second model. This way, the topic can be exposed to any system and pattern in the second model. The picture below denotes this situation. These are the specific considerations when implementing this approach:
35 +Normally, eMagiz will automatically update the User Management information based on the configuration in Design. However, because the identity check is not done by eMagiz but by an external party you need to manually enter the roles and users and configure the scope correctly on role level.
46 46  
47 -* Leverage the credentials of the first eMagiz model in the second model
48 -* Create transparent systems with clear names and ensure to align the message type names
37 +To do so navigate to User Management in Deploy and add the users you want manually by pressing the New button and providing them with a name. Do subsequently the same for the roles. On role level do not forget to correctly enter the scope to make the call work. Note that the help text on the scope level gently reminds you what you need to do to make this work.
49 49  
50 -It is necessary to transform topics to allow communication between systems in different models using event streaming. This is because it is impossible to retrieve data from a topic that exists in one model through a different model. So, systems in model B cannot immediately access the topic present in model A. The topic needs to be transformed to ensure that systems in model B can use the data on the topic in model A. By changing the topic, all systems in model B can access the transformed topic.
39 +[[image:Main.Images.Microlearning.WebHome@expert-securing-data-traffic-api-gw-security-external-idp-scope-configuration.png]]
51 51  
52 -To ensure that the topic from model A can be transformed, model B needs credentials from model A. So, to allow for this pattern, credentials must be shared between models.
41 +{{warning}}When implementing this you would be the first to do so with this setup. This means there might be some unexpected behavior when configuring this.{{/warning}}
53 53  
54 -An advantage of this pattern is that there is no dependency across models. If the system in model A breaks down, the system in model B can still work. A disadvantage of this pattern is that there may be struggles with the setup since no direct accessibility can be achieved. Moreover, as mentioned above, credentials have to be shared, which may threaten security.
43 +== 4. Assignment ==
55 55  
56 -=== 3.2 Webservices ===
45 +No assignment
57 57  
58 -Web services can also be used to communicate between systems in different models. This means that model A has a web service in place, and model B has a web service in place, between which data can be exchanged.
59 -An advantage of this pattern is that it is easy to keep an overview. Setting it up does not involve many unclarities. A disadvantage is that there is much dependency across models. If the web service in model A crashes, the system in model B cannot receive data anymore.
47 +== 5. Key takeaways ==
60 60  
61 -=== 3.3 Naming Conventions ===
49 +* The Token and Issuer URL of the external IDP need to be known
50 +* Users and Roles under User Management need to be manually configured and maintained to keep them in sync with the external IDP
51 +* When implementing this you would be the first to do so with this setup.
62 62  
63 -For clarity purposes, it is advised to give the systems that are the same across models the same name and the name of the other model in which the system is present. So, as illustrated in the figure, the system names in model A and B are partly the same (‘SYS’) and indicate which model also holds the system (model B in model A, model A in model B). This way, it remains clear which models have the same systems, and systems can be found more easily.
53 +== 6. Suggested Additional Readings ==
64 64  
65 -== 4. Key takeaways ==
55 +If you are interested in this topic and want more information, please read the help text provided by eMagiz.
66 66  
67 -* Event streaming and webervices are mainly used to communicate between systems across models.
68 -* To allow communication between systems in different models using event streaming, it is needed to transform topics.
69 -* Communication between systems in different models can also directly be achieved using web services.
70 -* For clarity purposes, it is advised to give the systems that are the same across models the same name, as well as the name of the other model in which the system is present.
71 -* Both patterns have their advantages and disadvantages.
57 +== 7. Silent demonstration video ==
72 72  
73 -* Consider the following when communication between two models
74 -** Security
75 -** Loose coupling
76 -** Maintainability
77 -** Clarity
78 -
79 -== 5. Suggested Additional Readings ==
80 -
81 -* [[Fundamentals (Navigation)>>doc:Main.eMagiz Academy.Fundamentals.WebHome||target="blank"]]
82 -** [[eMagiz Security Guide (Explanation)>>doc:Main.eMagiz Academy.Fundamentals.fundamental-emagiz-security-guide||target="blank"]]
83 -** [[Multi-Model Explained (Explanation)>>doc:Main.eMagiz Academy.Fundamentals.fundamental-emagiz-multi-model-explained.WebHome||target="blank"]]
84 -* [[Advanced (Menu)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.WebHome||target="blank"]]
85 -** [[Solution Architecture (Navigation)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Solution Architecture.WebHome||target="blank"]]
86 -*** [[Checklist for Splitting Models (Explanation)>>doc:Main.eMagiz Academy.Microlearnings.Advanced Level.Solution Architecture.Checklist for Splitting Models.WebHome||target="blank"]]
87 -* [[Communication between models (Search Result)>>url:https://docs.emagiz.com/bin/view/Main/Search?sort=score&sortOrder=desc&highlight=true&facet=true&r=1&f_space_facet=0%2FMain.&f_type=DOCUMENT&f_locale=en&f_locale=&f_locale=en&text=communication+between+models||target="blank"]]
88 -)))((({{toc/}}))){{/container}}{{/container}}
59 +As this is more of theoretical microlearning, there is no video accompanying the microlearning.)))((({{toc/}}))){{/container}}{{/container}}
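Review bot: on the `+` side, sections 3.1 and 3.2 leave the two settings that decide whether a call is accepted undocumented: the text says to "fill in" the token and issuer URL and to enter the scope "correctly", but defers the expected scope format to the help text ("gently reminds you what you need to do") and does not say that the issuer URL and scope must match what the external IDP actually puts in the token, which is the usual cause of every call being rejected; spell out the expected values in the text rather than in a screenshot, and state which URL contains the environmentID, since the note "the environmentID in this example should be replaced" refers to an image that is not in the diff. Section 3.2 also says users and roles are maintained manually "to keep them in sync with the external IDP" but not what happens when they drift (a user removed from the IDP but still present in User Management, or the reverse); document that failure mode as it is the access-control risk of this setup. Smaller points: the "you would be the first to do so" warning is a time-bound statement that is repeated as a key takeaway and will go stale, the Key concepts bullets are identical to the Key takeaways bullets, and grammar in "to use for this purposes", "Do subsequently the same for the roles" and "more of theoretical microlearning" should be fixed. On the `-` side, "webervices" in the key takeaways should be "web services", and "and does that need to provide (incidental) support" should read "and those who need to provide (incidental) support".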