System Architecture
EmpowerID implements a unified architecture designed for deployment flexibility across SaaS, private cloud, and on-premise environments. The platform maintains a consistent code base and feature set regardless of deployment model, ensuring operational uniformity across different infrastructure types.
Understanding EmpowerID's architecture is fundamental to effective system administration. This architectural overview describes the system's structure, deployment models, infrastructure components, processing patterns, and data organization. This knowledge informs deployment planning, capacity decisions, high availability configurations, and troubleshooting approaches.
Deployment Models
EmpowerID provides four distinct deployment models, all running the same code base with the same functionality. The choice of deployment model affects infrastructure requirements and management responsibilities but does not change platform capabilities.
SaaS Deployment
SaaS deployment runs on EmpowerID-managed cloud infrastructure. Organizations require only a cloud gateway for communication with on-premise systems, with an optional API gateway available for enhanced integration scenarios. EmpowerID handles all aspects of cloud environment management including availability, scaling, maintenance, and updates. This model eliminates customer infrastructure administration while ensuring high availability and global accessibility.
Private Cloud
Private cloud deployments install EmpowerID within customer-controlled cloud tenants. Organizations maintain control over their cloud environment and data while optionally contracting with EmpowerID for managed services. This approach accommodates specific compliance requirements, custom network configurations, and tailored integration patterns while leveraging cloud-native capabilities for scaling and availability.
On-Premise Containerized
Containerized on-premise deployments run Docker containers orchestrated by Kubernetes or Docker Swarm on customer hardware. This deployment model provides complete infrastructure control while maintaining containerization benefits. Organizations with strict data residency requirements or compliance mandates requiring data within internal network boundaries typically select this approach.
On-Premise Server-Based
Server-based deployments install EmpowerID components as Windows services on traditional server infrastructure. This model integrates with existing Windows Server environments and server management practices, supporting organizations with established infrastructure investments and expertise in traditional server administration.
Deployment Model Comparison
| Aspect | SaaS | Private Cloud | On-Premise Containerized | On-Premise Server-Based |
|---|---|---|---|---|
| Infrastructure Management | EmpowerID-managed | Customer-managed cloud tenant | Customer-managed hardware | Customer-managed hardware |
| Required Customer Infrastructure | Cloud gateway, optional API gateway | Full cloud tenant infrastructure | Kubernetes/Docker Swarm on servers | Windows server infrastructure |
| Scaling Approach | Managed by EmpowerID | Cloud-native scaling | Container orchestration | Traditional server scaling |
| Data Location | EmpowerID cloud tenant | Customer cloud tenant | Customer data center | Customer data center |
| Maintenance Responsibility | EmpowerID | Customer or managed service | Customer | Customer |
Infrastructure Components
EmpowerID's infrastructure comprises several core components that work together to provide identity management capabilities.
Worker Containers and Servers
Worker containers and servers manage backend processes, handling all long-running jobs and core application functionality. These components execute application logic, job scheduling, and essential operations supporting platform infrastructure.
Worker containers can be scaled independently to match processing workload. Organizations experiencing high provisioning volumes or frequent inventory operations can add worker instances without modifying other infrastructure components. The job processing system automatically distributes work across all available workers.
UI Service Containers and Servers
UI service containers and servers handle frontend operations, managing user interfaces and delivering application access. These components facilitate user interactions with the platform, supporting web-based interfaces and interactive activities. The UI services serve as the primary access point for end users and external API clients.
Microservices and Application Gateways
EmpowerID employs a microservices architecture enabling modular development and deployment of features. This design supports flexibility, scalability, and resilience. Redundant application gateways ensure services remain accessible and stable during infrastructure changes or failures, providing load balancing and request routing.
PSM Containers
Organizations implementing Privileged Access Management (PAM) capabilities additionally deploy PSM (Privileged Session Manager) containers, which provide secure session management for privileged access scenarios.
Cloud-Based Architecture
Cloud deployments, whether SaaS or private cloud, utilize Kubernetes clusters to host platform components. This centralized approach manages worker containers, UI service containers, and microservices within orchestrated cluster environments.
Cloud infrastructure integrates with availability zones for enhanced reliability. EmpowerID components are replicated across multiple zones, and the platform uses managed database services with active geo-replication for data synchronization and disaster recovery. Redundant application gateways ensure uninterrupted service delivery across zone boundaries.
Cloud deployments achieve high availability through component distribution across availability zones. If one zone experiences an outage, components in other zones continue operations without interruption. Database geo-replication maintains synchronized copies, enabling automatic failover for database operations.
The EmpowerID Cloud Gateway facilitates communication between cloud-hosted components and on-premise systems. The gateway communicates through a message broker service (such as Azure Service Bus) using outbound-only connections from the on-premise network, so no inbound firewall rules or exposed listeners are required on on-premise infrastructure; only egress to the broker endpoint needs to be permitted. Data exchange in both directions flows in real time over that outbound channel.
On-Premise Architecture
On-premise deployments are available in containerized and server-based configurations.
Containerized Configuration
Containerized on-premise deployments combine Windows and Linux servers. Kubernetes schedules the microservice, UI, and worker containers onto Windows nodes, with Linux nodes running the cluster control plane. SQL Server operates in a clustered configuration to provide data redundancy and reliability. This architecture gives full hardware control while supporting compliance with organizational policies.
Server-Based Configuration
Server-based deployments run the processing and UI roles as Windows services on Windows servers. The identity warehouse resides on SQL Server configured with clustering and SQL Server Always On high availability features. This configuration suits organizations familiar with traditional server management practices and facilitates integration with existing systems.
For detailed deployment procedures and configuration requirements, see the Managing EmpowerID On-Premise section.
Processing Architecture
EmpowerID's processing architecture distributes workload through server roles and asynchronous job processing.
Server Roles
Server roles define specific tasks that servers or containers perform within the system.
Frontend or UI Servers host processes supporting workflow interfaces and API endpoints. These servers manage web UIs, facilitate user interactions, and serve as the primary access point for end users.
Backend or Application Servers handle complex, long-running security processes, data synchronization, and policy enforcement. These servers are designed primarily for application processing operations.
Job Processing
Server jobs are granular tasks running asynchronously, dividing operations into smaller, manageable units for efficient processing.
Jobs are driven by data state: a job claims each record before processing it, so no two workers act on the same record at the same time and data integrity is preserved. Each job queries the database for records that require work, claims specific records by updating their state, processes them, and writes the resulting state back.
Multiple servers can handle the same job types, supporting load balancing and failover. If one server becomes unavailable, others continue processing without interruption. Jobs can resume from where they left off in the event of failure, ensuring robustness and reliability.
The state-driven job model ensures no work is lost during server failures. Job records remain in the database with their current state, and other active servers detect stalled claims and take them over. This recovery occurs without administrator intervention, but monitoring job processing queues is still worthwhile: a record that is repeatedly claimed and never completed points to a failing job rather than a failed server.
Permanent Workflows
Permanent workflows run continuously, performing scheduled repetitive tasks on consistent loops. These workflows function similarly to server jobs but provide greater flexibility through visual workflow design rather than code-based implementation.
Organizations create, modify, and deploy permanent workflows through Workflow Studio without requiring code changes. Only one instance of a permanent workflow executes at any time across all servers. A Permanent Workflow server job manages initiation and recovery of enabled permanent workflows.
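The claim-and-state pattern described under Job Processing, and the single-instance rule for permanent workflows, as an added example that is not EmpowerID's own code or schema. It is a constructed model using sqlite3 so it runs offline; the table and column names, the 30-second lease length, and the worker and workflow names are assumptions, and the claim logic is ordinary compare-and-set SQL rather than the platform's actual stored procedures.

```python
"""Constructed model of state-driven job claiming with lease-based recovery
(added example; not EmpowerID's schema or stored procedures)."""
import sqlite3
import time

LEASE_SECONDS = 30  # assumed lease length; the platform's real interval is not documented here


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE job_record (
        id INTEGER PRIMARY KEY, job_type TEXT NOT NULL,
        state TEXT NOT NULL DEFAULT 'pending',      -- pending | claimed | done
        claimed_by TEXT, claimed_at REAL, attempts INTEGER NOT NULL DEFAULT 0)""")
    db.execute("""CREATE TABLE singleton_lease (
        name TEXT PRIMARY KEY, owner TEXT NOT NULL, expires_at REAL NOT NULL)""")
    return db


def seed(db, job_type, n):
    """Insert n pending records for job_type (constructed sample data)."""
    with db:
        db.executemany("INSERT INTO job_record (job_type) VALUES (?)", [(job_type,)] * n)


def claim_records(db, worker, job_type, batch, now=None):
    """Atomically claim up to `batch` records that are pending or whose claim has
    lapsed. Repeating the predicate on the UPDATE is the concurrency control: two
    workers racing for one row cannot both see rowcount == 1."""
    now = time.time() if now is None else now
    stale_before = now - LEASE_SECONDS
    claimed = []
    with db:  # one transaction
        candidates = db.execute(
            """SELECT id FROM job_record
               WHERE job_type = ? AND state != 'done'
                 AND (state = 'pending' OR claimed_at < ?)
               ORDER BY id LIMIT ?""", (job_type, stale_before, batch)).fetchall()
        for (rid,) in candidates:
            cur = db.execute(
                """UPDATE job_record
                   SET state = 'claimed', claimed_by = ?, claimed_at = ?, attempts = attempts + 1
                   WHERE id = ? AND state != 'done'
                     AND (state = 'pending' OR claimed_at < ?)""",
                (worker, now, rid, stale_before))
            if cur.rowcount == 1:
                claimed.append(rid)
    return claimed


def complete_record(db, worker, rid, now=None):
    """Mark a record done only if `worker` still holds the claim. A worker whose
    lease lapsed and whose record was reclaimed by a peer gets False."""
    now = time.time() if now is None else now
    with db:
        cur = db.execute(
            """UPDATE job_record SET state = 'done', claimed_by = NULL, claimed_at = ?
               WHERE id = ? AND state = 'claimed' AND claimed_by = ?""", (now, rid, worker))
    return cur.rowcount == 1


def try_acquire_singleton(db, name, owner, now=None):
    """Acquire or renew the one-holder lease that keeps a permanent workflow to a
    single running instance. Returns True if `owner` holds the lease afterwards."""
    now = time.time() if now is None else now
    with db:
        db.execute("INSERT OR IGNORE INTO singleton_lease VALUES (?, ?, ?)",
                   (name, owner, now + LEASE_SECONDS))
        cur = db.execute(
            """UPDATE singleton_lease SET owner = ?, expires_at = ?
               WHERE name = ? AND (owner = ? OR expires_at < ?)""",
            (owner, now + LEASE_SECONDS, name, owner, now))
    return cur.rowcount == 1


def attempts(db, rid):
    return db.execute("SELECT attempts FROM job_record WHERE id = ?", (rid,)).fetchone()[0]


def demo():
    """Two workers share one job type; worker-a stalls and worker-b recovers its records."""
    db = open_db()
    seed(db, "inventory", 5)
    t0 = 1_000_000.0  # fixed clock so the run is deterministic
    r = {}
    r["a"] = claim_records(db, "worker-a", "inventory", 3, now=t0)      # [1, 2, 3]
    r["b"] = claim_records(db, "worker-b", "inventory", 3, now=t0)      # [4, 5], no overlap
    complete_record(db, "worker-a", 2, now=t0 + 1)                      # then worker-a stalls
    complete_record(db, "worker-b", 4, now=t0 + 2)
    complete_record(db, "worker-b", 5, now=t0 + 2)
    r["early"] = claim_records(db, "worker-b", "inventory", 5, now=t0 + 5)                # []
    r["late"] = claim_records(db, "worker-b", "inventory", 5, now=t0 + LEASE_SECONDS + 1)  # [1, 3]
    r["stale_complete"] = complete_record(db, "worker-a", 3, now=t0 + LEASE_SECONDS + 2)  # False
    r["attempts_1"] = attempts(db, 1)                                                     # 2
    r["singleton"] = (try_acquire_singleton(db, "pw:recert-sweep", "server-1", now=t0),                   # True
                      try_acquire_singleton(db, "pw:recert-sweep", "server-2", now=t0 + 1),               # False
                      try_acquire_singleton(db, "pw:recert-sweep", "server-2", now=t0 + LEASE_SECONDS + 1))  # True
    return r


if __name__ == "__main__":
    print(demo())
```

The WHERE clause on each UPDATE is what makes the claim safe: a worker only wins a record that is still pending or whose previous claim has lapsed, and the row count tells it whether it won. The rejected late completion by worker-a shows the cost of lease-based recovery: a slow rather than dead worker can lose a record to a peer, so job bodies should tolerate a record being processed twice.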
Data Architecture
EmpowerID's data architecture centers on a comprehensive identity warehouse storing all platform data and providing structured access through a component model. The warehouse serves as the foundation for all processing operations, storing identity information, access assignments, system configurations, and operational state.
Identity Warehouse
The identity warehouse is the central data repository containing EmpowerID-specific objects, configuration data, and inventories of external system data. The database comprises over 1,200 tables, over 700 constructed views, and more than 20,000 stored procedures.
The warehouse inventories data from connected systems such as SAP and Active Directory. As data enters the system, it is processed and aggregated within the warehouse, which streamlines management and access across the platform.
Data Processing and State Management
Data from external systems enters the warehouse continuously or on scheduled intervals, using the protocols of the connected systems. The warehouse continuously updates, reconciles, and synchronizes data between external sources and database storage.
Outbound changes follow the same claim pattern as job processing: a record is claimed, the change is written to the target system, and the target is re-inventoried to confirm the result. This keeps the warehouse accurate and ensures changes are reflected consistently across all connected systems.
Component Model
The component model forms the foundation of EmpowerID's architecture, enabling an organized and modular approach to identity management.
Each object within EmpowerID is treated as a component with distinct properties and methods. Components represent identities, roles, resources, policies, and all other platform entities, and their data is stored in SQL tables and views in the identity warehouse.
EmpowerID components are accessible via APIs, allowing programmatic interaction with stored data and process execution. The UI also provides access to components, enabling users to manage identities and processes intuitively.
All interactions within EmpowerID, whether through UI or API, trigger specific component methods. This ensures processes execute efficiently and consistently regardless of access method, maintaining operational consistency and simplifying maintenance.
The component model's modular architecture allows individual elements to be developed, deployed, and updated independently, ensuring processes scale efficiently and maintain high performance as organizational needs evolve.