Deployment Documentation


Authentication & Authorization

Authentication Flow

(diagram: authentication-workflow)

  1. An unauthenticated user attempts to access a Brighterion application such as Case Management.
  2. The UI requests an access token from auth-broker.
  3. The user is redirected to MC Connect with a SAML authentication request.
  4. The user signs into MC Connect, authenticating with:
    • login + password
    • two-factor authentication using RSA SecurID tokens
  5. MC Connect generates a SAML response carrying the user attributes and sends it back to auth-broker:
    • UserId or email
    • tenantKey or companyId
  6. Auth-broker validates the SAML response and uses the user ID from the response to retrieve the user's roles from MCCUP.
  7. Auth-broker redirects to its own /oauth/authorize endpoint.
  8. Auth-broker returns a one-time authorization code to the client (OAuth 2.0 authorization code flow).
  9. The UI calls auth-broker to exchange the authorization code for an access token and a refresh token.
  10. The UI presents the access token on its requests to the application's AWS API Gateway.

Authorization Flow

(diagram: authentication-workflow)

  1. The UI invokes an API request carrying the access token it received from auth-broker.
  2. API Gateway calls a Lambda authorizer to validate the token.
  3. The Lambda authorizer calls /oauth/check-token on auth-broker, which validates the token's signature and expiration timestamp and verifies that the token has not been revoked.
  4. If validation succeeds, API Gateway extracts the user ID, roles, and tenant key from the token and forwards them to the backend as HTTP headers.
  5. The destination microservice uses the user information in those headers to authorize the request. Because the headers are trusted as-is, the microservice must accept them only from API Gateway; a caller able to reach the service directly could otherwise set them itself.
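The two flows above (the authorization code issued after the SAML login, and the token check that the Lambda authorizer and the microservice perform) as one added Python example. This is illustrative code written for this page, not auth-broker's or the authorizer's own source. It assumes an HMAC-signed compact token format, in-memory code and revocation stores, the header names X-User-Id, X-User-Roles and X-Tenant-Key, and constructed sample key, user and tenant values; none of these appear on the page. The SAML exchange with MC Connect and the MCCUP role lookup are replaced by plain dictionaries passed into the broker.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values; the real deployment's key, TTLs and header
# names are not documented on this page.
SIGNING_KEY = b"example-hmac-key-not-the-real-one"
CODE_TTL, ACCESS_TTL, REFRESH_TTL = 60, 900, 86400


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthBroker:
    """Stand-in for auth-broker: one-time codes, signed access/refresh
    tokens, and a /oauth/check-token style introspection."""

    def __init__(self, key=SIGNING_KEY, now=time.time):
        self.key, self.now = key, now
        self.codes = {}        # code -> {user, client_id, exp}; consumed on use
        self.revoked = set()   # jti values of revoked tokens

    def _sign(self, claims: dict) -> str:
        body = _b64url(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64url(mac)}"

    def _issue(self, user: dict, ttl: int, typ: str) -> str:
        return self._sign({"sub": user["userId"], "tenantKey": user["tenantKey"],
                           "roles": user["roles"], "typ": typ,
                           "jti": secrets.token_hex(8), "exp": int(self.now()) + ttl})

    def authorize(self, saml_attrs: dict, mccup_roles: list, client_id: str) -> str:
        """Steps 5-8: validated SAML attributes plus roles from MCCUP become a
        short-lived, single-use authorization code bound to the client."""
        user = {"userId": saml_attrs["UserId"], "tenantKey": saml_attrs["tenantKey"],
                "roles": mccup_roles}
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "client_id": client_id,
                            "exp": self.now() + CODE_TTL}
        return code

    def exchange_code(self, code: str, client_id: str) -> dict:
        """Step 9: pop() makes the code single-use, so a replayed code fails."""
        entry = self.codes.pop(code, None)
        if entry is None or entry["client_id"] != client_id or entry["exp"] < self.now():
            raise PermissionError("invalid, expired or already used authorization code")
        return {"access_token": self._issue(entry["user"], ACCESS_TTL, "access"),
                "refresh_token": self._issue(entry["user"], REFRESH_TTL, "refresh")}

    def check_token(self, token: str):
        """/oauth/check-token: signature, expiry and revocation.
        Returns the claims on success and None on any failure."""
        try:
            body, _, sig = token.partition(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64url(sig)):
                return None
            claims = json.loads(_unb64url(body))
        except ValueError:            # malformed base64 or JSON
            return None
        if claims["typ"] != "access" or claims["exp"] <= self.now() \
                or claims["jti"] in self.revoked:
            return None
        return claims

    def revoke(self, token: str) -> None:
        """Logout: remember the token id so check_token rejects it before expiry."""
        self.revoked.add(json.loads(_unb64url(token.partition(".")[0]))["jti"])


def lambda_authorizer(event: dict, broker: AuthBroker) -> dict:
    """Steps 2-4 in the shape of an API Gateway TOKEN authorizer response.
    Context values must be strings, so the role list is joined with commas."""
    token = event["authorizationToken"]
    token = token[len("Bearer "):] if token.startswith("Bearer ") else token
    claims = broker.check_token(token)
    context = ({"userId": claims["sub"], "roles": ",".join(claims["roles"]),
                "tenantKey": claims["tenantKey"]} if claims else {})
    return {"principalId": claims["sub"] if claims else "anonymous",
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke",
                 "Effect": "Allow" if claims else "Deny",
                 "Resource": event["methodArn"]}]},
            "context": context}


def authorizer_headers(auth_response: dict) -> dict:
    """Header mapping assumed to be applied by API Gateway to the backend request."""
    ctx = auth_response["context"]
    return {"X-User-Id": ctx.get("userId", ""), "X-User-Roles": ctx.get("roles", ""),
            "X-Tenant-Key": ctx.get("tenantKey", "")}


def microservice_allows(headers: dict, required_role: str, case_tenant: str) -> bool:
    """Step 5: role check plus a tenant check so a user in one tenant cannot
    act on another tenant's case. Only honour these headers behind API Gateway."""
    roles = set(filter(None, headers.get("X-User-Roles", "").split(",")))
    return required_role in roles and headers.get("X-Tenant-Key") == case_tenant


if __name__ == "__main__":
    broker = AuthBroker()
    saml = {"UserId": "analyst@example.com", "tenantKey": "tenant-A"}   # constructed
    code = broker.authorize(saml, ["CASE_ANALYST"], "case-management-ui")
    tokens = broker.exchange_code(code, "case-management-ui")
    event = {"authorizationToken": "Bearer " + tokens["access_token"],
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc/dev/GET/cases"}
    headers = authorizer_headers(lambda_authorizer(event, broker))
    print(headers, microservice_allows(headers, "CASE_ANALYST", "tenant-A"))
```

The tenant check in microservice_allows is the detail most easily lost when roles alone are forwarded: the page's flow carries tenantKey precisely so that each service can scope its data access to the caller's tenant, and the example fails closed when either the role or the tenant does not match.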

SP Initiated Workflow

(diagram: sp-initiated-workflow)

IDP Initiated Workflow

The workflow is the same as the SP-initiated workflow; the only difference is that the user already holds a session with MC Connect, so no credentials are prompted for when the SAML exchange with MC Connect takes place.

Logout Workflow

(diagram: logout-workflow)

Infrastructure Diagram

(diagram: infrastructure-diagram)

The API Gateway in the Case Management VPC uses an authorizer Lambda in a separate VPC, so that a single instance of auth-broker can serve several environments. Running a separate auth-broker per environment would require a separate MC Connect setup for each one. This sharing applies only to the dev and staging environments; each production environment has its own auth-broker.

MC Connect

MC Connect is the IDP (Identity Provider) for the Brighterion applications.

  • It integrates with auth-broker through the SP-initiated or IDP-initiated SAML 2.0 workflow.
  • We trust MC Connect to authenticate the users entering our system.
  • It handles user registration, user management, and role management for users.
  • It provides an MC API Gateway endpoint (MCCUP) from which auth-broker retrieves roles and user information.
Copyright © 2023 Brighterion