Dynamic Sequence – Login & Secured Access

Crew Management System – end-to-end login and secured access sequence showing Azure AD authentication, Zscaler-controlled enterprise access, protected API traversal through Akamai, Azure Application Gateway, and IBM API Connect, BFF token validation and request admission, backend RBAC + ABAC authorization enforcement, and final authenticated screen rendering in the React Single Page Application.

User: Operational user, supervisor, or admin opening the CMS web application in the browser
Browser / React SPA: Loads the web app, redirects to login, receives tokens, and invokes secured frontend-facing APIs
Azure AD: Enterprise identity provider responsible for SSO, authentication, and token issuance
Zscaler: Enterprise-controlled zero-trust access layer for user-originated traffic
Akamai: Public edge entry applying WAF, DDoS protection, bot filtering, and controlled routing
Azure Application Gateway: Protected origin ingress with WAF before traffic reaches private AKS-hosted application entry points
IBM API Connect: API exposure, governance, and controlled forwarding for frontend-facing APIs
BFF Service: Validates Azure AD access token, performs request admission checks, and routes the request to backend services
Backend Service: Performs RBAC + ABAC authorization enforcement and returns the user-authorized business response
Returned Result: Authenticated response returned to the frontend so the CMS screen can be rendered

1. Open CMS URL: User opens the CMS URL in the browser
2. Load SPA shell: Browser loads the React application shell
3. Redirect to enterprise SSO: React redirects the user to Azure AD login
4. Authenticate user: User completes Azure AD SSO / MFA challenge
5. Return identity tokens: Azure AD returns ID token and access token to the browser
6. Invoke secured frontend-facing API: React sends HTTPS API request with bearer access token to the frontend-facing API path
7. Apply enterprise zero-trust access: User-originated traffic passes through Zscaler zero-trust access controls
8. Apply edge security controls: Akamai applies WAF, DDoS protection, bot filtering, and secure routing
9. Route to protected origin: Azure Application Gateway forwards the request to the protected application entry layer
10. Apply API exposure and forwarding: IBM API Connect forwards the authenticated request to the BFF service
11. BFF receives secured request: BFF receives the secured API request from the frontend-facing path
12. Validate token and request admission: BFF validates token signature, issuer, audience, expiry, claims, and request admissibility
13. Forward to backend service: BFF forwards the request to the appropriate backend service
14. Enforce backend authorization: Backend service enforces RBAC + ABAC before processing the business request
15. Build user-authorized response: Backend service returns the user-authorized response to the BFF
16. Return final payload to frontend: BFF returns the final API response back through the secured path to the React SPA
17. Render authenticated CMS screen: React renders the authenticated CMS screen for the user

Identity boundary: Azure AD is responsible for user authentication and token issuance. The browser receives identity tokens after successful Azure AD SSO and uses the access token for API calls.
Secured API path: Frontend-facing APIs follow the protected access path through Zscaler, Akamai, Azure Application Gateway, IBM API Connect, and then the BFF before any backend service is reached.
Trust and authorization model: The frontend is not treated as a trust boundary. Token validation and request admission are handled by the BFF, while RBAC + ABAC authorization is enforced in backend services.
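
The BFF checks named in step 12 (signature, issuer, audience, expiry, claims, request admission), as an added example that is not part of the original diagram or the project's code. The issuer, audience, `scp` scope name, key id and the locally generated RSA key pair are constructed placeholders; a real BFF would take its verification keys from the identity provider's published signing keys.

```javascript
// Added example: BFF-side validation of a bearer access token (step 12).
const nodeCrypto = require("crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
// Constructed key pair standing in for the identity provider's signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const TRUSTED_KEYS = { "demo-kid": publicKey }; // kid -> public key (placeholder kid)
const EXPECTED = { iss: "https://idp.example/tenant-placeholder/v2.0", aud: "api://cms-bff-placeholder", scope: "cms.access" };

// Helper for the demo only: mints a constructed token the way the IdP would sign one.
function mintToken(claims, header = { alg: "RS256", typ: "JWT", kid: "demo-kid" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = header.alg === "RS256" ? nodeCrypto.sign("sha256", Buffer.from(input), privateKey) : Buffer.alloc(0);
  return `${input}.${sig.toString("base64url")}`;
}

const deny = (reason) => ({ ok: false, reason });

function validateAccessToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return deny("malformed");
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch { return deny("malformed"); }
  if (!header || !claims || typeof header !== "object" || typeof claims !== "object") return deny("malformed");
  // Pin the algorithm server-side; the token must not choose how it is verified.
  if (header.alg !== "RS256") return deny("alg");
  // Only keys the BFF already trusts may verify the token.
  const key = Object.hasOwn(TRUSTED_KEYS, header.kid) ? TRUSTED_KEYS[header.kid] : null;
  if (!key) return deny("kid");
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!nodeCrypto.verify("sha256", signed, key, Buffer.from(parts[2], "base64url"))) return deny("signature");
  // Claims are trusted only after the signature has been verified.
  if (claims.iss !== EXPECTED.iss) return deny("issuer");
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(EXPECTED.aud)) return deny("audience");
  if (typeof claims.exp !== "number" || now >= claims.exp) return deny("expired");
  if (typeof claims.nbf === "number" && now < claims.nbf) return deny("not-yet-valid");
  // Request admission: the token must carry the scope this API path requires.
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ") : [];
  if (!scopes.includes(EXPECTED.scope)) return deny("scope");
  return { ok: true, subject: claims.sub, roles: claims.roles ?? [] };
}
```

The returned subject and roles are inputs to the backend's RBAC + ABAC decision in step 14; admission at the BFF does not replace that check.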
Diagram legend: User interaction, Frontend / browser, Identity provider, Enterprise / edge security, Ingress / API gateway, BFF processing, Backend authorization, Returned result