signservice

Logo

Signature Service Architectural Overview

Overall Structure

A signature service application consists of one, or more, SignService Engine Instances. An instantiation of an engine is intended to support a specific configuration, and normally there is an 1-to-1 relationship between an engine instance and a specific SignService client (i.e., a relying party).

Each engine is configured with a number of modules for handling tasks like user authentication, protocol handling, certificate issuance and more. Normally, an engine instance serves one client, but nothing in the design should prevent several relying parties from sharing the same configuration (except for keys and such).

The figure below illustrates a SignService Application that has three configured engines (i.e., three configurations), and how a SignService Engine Manager is used to communicate with the correct engine, based on which URL a request was received.

SignServiceApp

The SignService Application is a simple service that knows very little by itself. It is setup to listen to one, or more, endpoints, and when a HTTP-request arrives it asks the SignService Engine Manager which engine that should be handled the incoming request.

The API between the application and the engine is very simple. The engine exposes just one method: processRequest and the return value from this method can be any of:

It is possible to deploy a SignService application in two ways:

Deployments

SignService Engine

The figure below illustrates a SignService engine and how its processing logic uses a set of different module instantiations. The engine itself is configured with some basic settings such as credentials, but most of the configuration comes from each injected module instance. Therefore, the engine can be kept reasonable simple, and specific module complexity is abstracted away.

SignServiceEngine

Engine Processing Flow

This section describes the processing flow when a request is received and processed. The flow starts after that the SignService application has found out which engine instance to pass the incoming request to.

Flow


Copyright © 2022-2024, Myndigheten för digital förvaltning - Swedish Agency for Digital Government (DIGG). Licensed under version 2.0 of the Apache License.