Authentication architecture

The authentication architecture for system APIs consists of:

  • The InsuranceSuite application (such as PolicyCenter)
  • Guidewire Identity Federation Hub
  • The insurer's identity provider (IdP)
  • A set of one or more caller applications

Note that some parts of the architecture are relevant for all system API calls, regardless of the type of caller. Other parts of the architecture are relevant only for certain types of callers.

Guidewire Hub

Guidewire Identity Federation Hub (Guidewire Hub) is the trusted auth server for all Guidewire cloud applications, including caller applications that insurers create to access Guidewire cloud resources. Guidewire Hub uses OAuth 2.0 and SAML for identity management services.

The primary responsibilities of Guidewire Hub are:

  • For internal users and external users:
    • To receive authentication requests from InsuranceSuite applications and caller applications
    • To federate those authentication requests to the correct IdP
    • To construct JWTs that verify users and identify their authorization
  • For services:
    • To authenticate services
    • To construct JWTs that verify services and identify their authorization

The insurer's identity provider

An identity provider (IdP) is an application or service that creates, maintains, and manages identity information for internal and external users. Every insurer using Guidewire cloud applications must provide an identity provider (IdP).

The primary responsibilities of the IdP are:

  • For internal users and external users:
    • To maintain user names and passwords
    • To maintain information that identifies each user's authorization
    • To authenticate users and provide their authorization information when a request is received from Guidewire Hub

The IdP does not play a role in service authentication or authorization.

The caller applications

Every caller application that uses system APIs must provide authentication information with every API call (except for unauthenticated calls).

From an authentication perspective, the primary responsibilities of each caller application are:

  • For internal users and external users:
    • To send authentication requests to Guidewire Hub (which will then federate those requests to the appropriate IdP)
  • For anonymous users:
    • To send unauthenticated requests to create accounts (The response to these requests includes a self-signed JWT created by PolicyCenter)
  • For services:
    • To send authentication requests to Guidewire Hub (which are executed by Guidewire Hub without any involvement of the IdP)
  • For all callers:
    • To temporarily store JWTs created by Guidewire Hub so that they can be included in system API calls made for the associated callers
    • To temporarily store self-signed JWTs created by PolicyCenter for anonymous users so that they can be included in system API calls made for those anonymous users

The InsuranceSuite system APIs

From an authentication perspective, the primary responsibilities of the system APIs are:

  • For authenticated callers:
    • Verify that each API call includes valid authentication
    • Limit the access of each API call to only those endpoints, operations, fields, and specific resources that the user is authorized to use
  • For unauthenticated callers:
    • Limit the access of each API call to the appropriate endpoints, operations, fields, and resources
      • Typically, this access is limited to either API metadata only, or account creation for callers who will become anonymous users
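The two halves of the flow above (the caller temporarily storing a Hub-issued JWT and sending it with each call; the system API checking that the call carries valid authentication and then limiting it to authorized endpoints and operations) are shown together in the following added example. It is illustrative code written for this page, not Guidewire's own implementation. It assumes a single constructed HMAC secret shared by issuer and verifier (a simplification; a real deployment verifies against the auth server's published keys, and the page notes that anonymous-user JWTs are self-signed by PolicyCenter rather than issued by Guidewire Hub), a constructed `roles` claim to carry authorization, and a constructed policy table of endpoints and operations; the `TokenCache`, `authorize` and `POLICY` names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret standing in for the auth server's signing key.
HUB_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes = HUB_SECRET) -> str:
    """Stand-in for the auth server: mint an HS256 JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = HUB_SECRET, now=None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


class TokenCache:
    """Caller side (hypothetical): hold the Hub-issued JWT and re-request it before it expires."""

    def __init__(self, request_token, clock=time.time, skew: float = 30.0):
        self._request_token = request_token  # callable returning (token, exp_epoch_seconds)
        self._clock = clock
        self._skew = skew  # refresh this many seconds before exp to absorb clock drift
        self._token = None
        self._exp = 0.0
        self.requests = 0  # counts round trips to the auth server

    def token(self) -> str:
        if self._token is None or self._exp - self._skew <= self._clock():
            self._token, self._exp = self._request_token()
            self.requests += 1
        return self._token

    def auth_header(self) -> dict:
        return {"Authorization": "Bearer " + self.token()}


# Constructed policy table: which role (carried in the JWT) may perform which
# operation on which endpoint. Anonymous users only get account creation.
POLICY = {
    ("/accounts", "POST"): {"anonymous", "agent"},
    ("/accounts", "GET"): {"agent"},
    ("/policies", "GET"): {"agent"},
}


def authorize(headers: dict, endpoint: str, operation: str, now=None):
    """API side (hypothetical): reject calls without valid authentication, then apply POLICY."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_jwt(auth[len("Bearer "):], now=now)
    except ValueError as err:
        return 401, str(err)  # bad signature, expired, malformed: all fail closed
    allowed = POLICY.get((endpoint, operation), set())
    if not allowed & set(claims.get("roles", [])):
        return 403, "not authorized for this operation"
    return 200, claims["sub"]
```

Two design points worth noting: the verifier pins the algorithm and checks expiry itself rather than trusting anything in the token header, and the caller refreshes its cached token slightly before `exp` so a call made near the boundary does not fail with 401 because of clock skew between caller and API.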