Search
K

Proxy app deployment architectures

The Maverics Identity Orchestrator is designed to help solve a range of identity problems, and therefore can be deployed using different patterns to best solve the problem at hand. This article describes the most common deployment architectures, and the associated pros and cons.

Central Pool

In this deployment model, a centralized pool of Orchestrator instances are used to protect applications. This model works well when a team is comfortable making network changes, and would prefer to not interface with application teams regularly.
Central Pool

Pros

  • Centralized configuration management.
  • Minimal app owner engagement required.
  • Contained footprint of Orchestrators.

Cons

  • Apps are susceptible to side channel traffic unless mitigations are put in place.
  • Networking changes required.
  • Added latency, although the delta is usually sub-second.

Local Proxy

The local proxy pattern co-locates the Orchestrator on the same host as the application. This model works well for header-based apps, or for application teams that control the auth flow for their app.
Local Proxy

Pros

  • No additional infrastructure required.
  • No networking changes required.
  • Negligible impact on application performance.

Cons

  • App owner engagement required.
  • Additional load on existing application servers.
  • Some web server changes required.

RP-IDP

The RP-IDP architecture is a combination of the "central pool" and "local proxy" models. This pattern works particularly well for administrators who are moving off a legacy web access management solution such as SiteMinder or Oracle Access Manager, but can be used successfully for a variety of use cases.
RP-IDP

Pros

  • Centralized configuration management.
  • No networking changes required.
  • Battle-tested architecture.

Cons

  • Some app owner engagement required.
  • Additional load on existing application servers.
  • Some web server changes required.