Version: Cloud

Cloud Application Gateway

The Cloud Application Gateway (CAG) is an upcoming feature that replaces two existing components that interact with the identity and access systems of our cloud customers:

  • Omada Data Warehouse (ODW) collectors
  • Omada Provisioning Service (OPS) - Preview and Hosting Services

CAG changes the interaction model with Omada Identity Cloud compared to the components listed above. ODW and OPS must be directly reachable over the network by the Enterprise Server, whereas CAG runs inside the customer's network without requiring dedicated infrastructure for every Omada Identity Cloud environment. It also removes the need for an IPsec VPN connection. CAG and the VPN cannot be used at the same time: the VPN is disabled while CAG is active.

CAG relies on a TLS connection (port 443) to Omada Identity Cloud. Notifications to CAG are delivered over a secure WebSocket channel (also port 443) that CAG itself initiates. Omada Identity Cloud is never able to reach the CAG directly.

The solution will be available for download from the Cloud Management Portal for Horizons-enabled instances.

Enable Cloud Application Gateway

To enable the CAG feature perform the following actions:

  1. In the Management Portal, enable the Cloud Application Gateway setting for the selected environment.
  2. Download the .zip format file for the CAG.
  3. Unpack the .zip format file and run the installer following the instructions.

Architecture overview

Core capabilities

The following capabilities are already available today:

  • Performing provisioning jobs/tasks
  • Thresholds handling
  • Testing connection for a given system within system onboarding
  • Performing a schema discovery for connectors/collectors providing that capability
  • Previewing queries and mappings within system onboarding

Future capabilities

The following capabilities are envisioned as part of this solution:

  • Connecting to the customer's infrastructure (access/master data) without the necessity of using an IPsec tunnel
  • Connecting to the customer's infrastructure (access/master data) without any Omada Identity Cloud component having to connect directly to the Cloud Application Gateway over the network (pull instead of the current push approach)
  • Easy CAG onboarding for customers to their Omada Identity Cloud instance
  • Easy CAG upgrade for customers with an automatic over-the-air (OTA) update process
  • Mutual authentication between the Cloud Application Gateway and Omada Identity Cloud

System requirements

The following general and deployment-method-specific requirements need to be fulfilled to properly operate the CAG.

note

The Provisioning Worker Service and Import Worker Service each consume between 30 and 50 MB of memory when idle. Each individual Provisioning Worker uses around 10 MB of memory when idle; the required capacity grows with running imports or executing provisioning tasks. Memory use is especially affected by large data imports with a CustomRowFilter configured, which may also contain nested URLs.

General conditions

Before you initiate the deployment process, make sure that the following conditions are met:

  • Operating System - Windows Server 2022 is required; all editions are supported
  • .NET Framework - Version 4.8 is required for the legacy libraries and integrations
  • ASP.NET Runtime - Version 8.0.x is required
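The three general conditions above can be verified before the installer is started. The following PowerShell script is an added example and not part of the Omada documentation or product; it assumes (none of this is stated on the page) that Windows Server 2022 reports build 20348, that .NET Framework 4.8 writes a Release value of at least 528040 under the NDP registry key, and that the ASP.NET Core shared runtime can be enumerated with `dotnet --list-runtimes`.

```powershell
# Added example (not Omada's code): check the CAG host prerequisites and exit
# non-zero if any of them is missing. Assumptions not taken from the page:
# Server 2022 = build 20348, .NET Framework 4.8 => Release >= 528040,
# ASP.NET Core runtime listed by `dotnet --list-runtimes`.

$ErrorActionPreference = 'Stop'
$failures = [System.Collections.Generic.List[string]]::new()

# 1. Operating system: Windows Server 2022 (build 20348); any edition is acceptable.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Windows Server 2022' -or [int]$os.BuildNumber -lt 20348) {
    $failures.Add("Unsupported operating system: $($os.Caption) build $($os.BuildNumber)")
}

# 2. .NET Framework 4.8 for the legacy libraries. The installed version is only
#    exposed through the Release DWORD; 528040 is the lowest value used by 4.8.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 528040) {
    $failures.Add(".NET Framework 4.8 not installed (Release value: $release)")
}

# 3. ASP.NET Core runtime 8.0.x. The dotnet host lists the shared framework as
#    'Microsoft.AspNetCore.App 8.0.<patch> [<path>]'.
$dotnet  = Get-Command -Name dotnet -ErrorAction SilentlyContinue
$aspnet8 = if ($dotnet) {
    & $dotnet.Source --list-runtimes 2>$null |
        Where-Object { $_ -match '^Microsoft\.AspNetCore\.App 8\.0\.\d+\b' }
}
if (-not $aspnet8) {
    $failures.Add('ASP.NET Core Runtime 8.0.x not installed (dotnet host missing or no 8.0 runtime listed)')
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'All CAG general conditions are met.'
```

Run it in an elevated PowerShell session on the prospective CAG host; a non-zero exit code means at least one prerequisite is missing, and each missing item is reported as a warning.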

Deployment-specific conditions

Whichever deployment variant you choose, complete the following steps:

  1. Fulfill the general conditions.
  2. Copy the application files and follow the deployment script or initiate the installer.
  3. Configure the Windows Firewall and, if it applies, the Internet Information Services (IIS).

Deployment recommendations

As a best practice, deploy the Cloud Application Gateway in its own VLAN. Allow it to access only the services and ports it needs, which are managed by Omada Identity Cloud. CAG operates inside-out: it initiates all connections, so no inbound rules are required.

The mandatory CAG traffic is tcp/443 to the following endpoints:

where:

XXXX = Delivery Zone Identifier (for example, 0501)
YYY = Delivery Region Identifier (for example, ceu)
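Because CAG initiates every connection, the recommendation above can be enforced on the Windows host itself with an outbound allow-list. The script below is an added example, not Omada's deployment script, and it assumes things this page does not state: the tcp/443 endpoint FQDNs for your delivery zone and region (taken from the Management Portal) and the path of the installed CAG service executable are both passed in as parameters, and the allow-list is keyed on the IPv4 addresses those names resolve to, because Windows Firewall rules match addresses rather than names.

```powershell
# Added example (not Omada's own code): egress allow-list for a CAG host on its
# own VLAN. $CagEndpoints are the tcp/443 endpoint FQDNs from the Management
# Portal and $CagExecutable is the installed CAG service binary; neither value
# is given on the documentation page, so both are mandatory parameters.
# Re-run the script whenever the endpoints' resolved addresses change.
param(
    [Parameter(Mandatory)] [string[]] $CagEndpoints,
    [Parameter(Mandatory)] [string]   $CagExecutable,
    [string] $RuleGroup = 'Omada CAG egress'
)

$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $CagExecutable -PathType Leaf)) {
    throw "CAG executable not found: $CagExecutable"
}

# Fail fast, before touching the firewall, if an endpoint is not reachable on 443.
# This probe runs from powershell.exe, which the allow rule below does not cover,
# so it must happen before the default-deny is applied.
foreach ($fqdn in $CagEndpoints) {
    $probe = Test-NetConnection -ComputerName $fqdn -Port 443 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) { throw "$fqdn is not reachable on tcp/443 from this host" }
}

# Resolve the endpoints to IPv4 addresses (add -Type AAAA if they are dual-stack).
$remoteAddrs = foreach ($fqdn in $CagEndpoints) {
    Resolve-DnsName -Name $fqdn -Type A | Where-Object Type -eq 'A' | ForEach-Object IPAddress
}
$remoteAddrs = @($remoteAddrs | Sort-Object -Unique)
if ($remoteAddrs.Count -eq 0) { throw 'No addresses resolved; refusing to create an empty allow-list' }

# The host's DNS servers must stay reachable or the names above can no longer be resolved.
$dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object ServerAddresses | Sort-Object -Unique)
if ($dnsServers.Count -eq 0) { throw 'No IPv4 DNS servers configured on this host' }

# Drop rules from a previous run so the script is idempotent.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Allow only the CAG process to reach Omada Identity Cloud, and only on tcp/443
# (the HTTPS calls and the CAG-initiated WebSocket channel both use that port).
New-NetFirewallRule -DisplayName 'Omada CAG -> Omada Identity Cloud (tcp/443)' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Enabled True -Profile Any `
    -Program $CagExecutable -Protocol TCP -RemotePort 443 -RemoteAddress $remoteAddrs | Out-Null

foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Omada CAG host -> DNS ($proto/53)" -Group $RuleGroup `
        -Direction Outbound -Action Allow -Enabled True -Profile Any `
        -Protocol $proto -RemotePort 53 -RemoteAddress $dnsServers | Out-Null
}

# Everything else outbound is denied by the profile default. Do not express the
# deny as a per-program Block rule: in Windows Firewall, Block rules take
# precedence over Allow rules, so that would also defeat the tcp/443 rule above.
Set-NetFirewallProfile -All -DefaultOutboundAction Block

Get-NetFirewallRule -Group $RuleGroup | Select-Object DisplayName, Direction, Action, Enabled
```

Run it elevated, for example `.\Set-CagEgress.ps1 -CagEndpoints 'host1','host2' -CagExecutable 'C:\path\to\cag.exe'` with your real values. Before applying the default outbound deny, add allow rules in the same group for everything else the host legitimately needs: the target systems CAG provisions and collects from, domain controllers if the host is domain-joined, and your patching and monitoring services. The script only demonstrates the cloud-facing part of the allow-list.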