Introduction

From an high-level point of view, the component architecture of Apache Syncope can be summarized by following figure.

Apache Syncope Architecture
Apache Syncope is composed by two main subsystems: core and console.

The core

The web application that implements IdM features; it offers a RESTful interface for caller applications, implements the provisioning core by mean of its workflow engine and its propagation layer, manages data persistence.

Apache Syncope core logic

This central component orchestrates the whole data flow throughout the system. Gets involved upon RESTful calls, processes data alongside the defined workflow, propagates to and synchronize from configured external resources, if needed.

RESTful controllers

RESTful controllers take care of the communication with outside world. Implemented by leveraging Spring's REST and MVC features, these controllers exchange data in both XML and JSON formats.

Workflow engine

Workflow engine is a pluggable aspect of Apache Syncope: this lets every deployment choose among one of provided engine implementations or define new, custom ones.

Default implementation is based on Activiti BPM, reference Open Source implementation that supports the definition of an XML descriptor in which user lifecycle is defined. This aspect makes the whole system very flexible to adapt to different situations.
Default implementation also provides notification, approval, and end-user request management.

JPA persistence layer

All the data in Apache Syncope (users, roles, attributes, resources, ...) is managed at an high level with a standard JPA 2.0 approach and persisted to underlying database.

Apache OpenJPA, the chosen JPA implementation, makes Apache Syncope to be successfully deployable on most DBMS without any modification on the source code; in order to have an idea of this possibility, take a look at available options.
Currently, Apache Syncope officially supports MySQL, PostgreSQL and Oracle DB.

Connectors layer

Connector layer is implemented with ConnId; ConnId is designed to separate the implementation of an application from the dependencies of the system that the application is attempting to connect to.

Connid is the continuation of Identity connectors, a project that used to be part of the market leader Sun IdM and have been released by Sun as an Open Source project. This makes the connectors layer particularly reliable since most connectors are already implemented in the framework and widely tested. Lately, the original project has been forked into the new ConnId project, whose main purpose is to provide all that is required nowadays for a modern Open Source project: Apache Maven driven build, artifacts and mailing lists. Additional connectors – like as SOAP, CSV and Active Directory – are also provided.

Apache Syncope supports either

  • propagation towards external resources (when user data is copied from Syncope to external resources)
  • synchronization from external resources (when user data is pulled from external resources into Syncope)
Propagation and synchronization operations – a.k.a tasks – are saved for reporting and later re-execution.

The console

The web management interface for configuring and administering Syncope core, implemented with Apache Wicket

Like as other external applications, the console communicates with the core by REST calls.