Crew Management System – user login flow, Azure AD authentication, enterprise security path, BFF validation, backend authorization, and final screen rendering
Participants:
- USER (User): Operational user, supervisor, or admin opening CMS in a browser.
- Browser / React SPA: Loads the web app, redirects to login, stores the token, and calls secured APIs.
- Enterprise security path: Protected ingress and routing to application components.
- BFF (BFF / Orchestration): Validates request context and forwards to backend services.
- API (Backend Service): Server-side RBAC / ABAC enforcement and business response.
Sequence:
1. Open CMS URL: User opens CMS in browser.
2. Load SPA: Load React application shell.
3. Redirect to SSO: Redirect user to Azure AD login.
4. Authenticate: User submits credentials / SSO challenge.
5. Issue token: Azure AD returns access token to browser.
6. Call secured API: React sends HTTPS API request with bearer token.
7. Apply enterprise access control: Traffic passes through Zscaler.
8. Apply edge security: Akamai applies WAF, DDoS, bot controls, and routing.
9. Route to protected origin: Application Gateway routes request to protected application entry.
10. Validate request context: BFF receives request and validates token / request context.
11. Forward to backend: BFF forwards request to backend service.
12. Enforce authorization: Backend validates RBAC / ABAC before processing.
13. Build response: Backend returns user-authorized response to BFF.
14. Return final payload: BFF returns final API response back through secured path to browser.
15. Render page: React renders the authenticated CMS screen.
Identity boundary: Azure AD is responsible for user authentication and token issuance. The browser receives the access token after successful sign-in.
Security path: All secured API traffic follows the enterprise access path through Zscaler, Akamai, and Azure Application Gateway before reaching application components.
Trust model: Authorization is enforced server-side in the BFF and backend service layers. The frontend is not treated as a trust boundary.
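Steps 10 to 13 and the trust-model note above, as an added example that is not code from the CMS project: the BFF verifies the bearer token server-side (signature with a pinned algorithm, issuer, audience, expiry and not-before), then the backend derives permissions only from the verified claims and applies an attribute rule on top of the role check. Everything here is an assumption chosen to keep the example runnable offline: an HMAC (HS256) shared secret stands in for Azure AD's RS256 tokens, which a real BFF verifies against the tenant's published JWKS signing keys; the issuer, audience, roles, "base" attribute and permission names are constructed placeholders, not values from the page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for this example only. A real Azure AD tenant issues
# RS256 tokens verified against its JWKS keys; the shared HMAC secret is used
# here purely so the example runs offline without a key server.
ISSUER = "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0"
AUDIENCE = "api://cms-backend-placeholder"
SIGNING_SECRET = b"constructed-example-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Stand-in for the identity provider (step 5): compact HS256 JWS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenError(Exception):
    pass


def bff_validate(authorization_header: str, now=None) -> dict:
    """Step 10: the BFF checks the bearer token before forwarding anything.
    Nothing the browser sends besides the verified token establishes identity."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("missing bearer token")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # only decoded after the signature holds
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):  # a missing exp counts as expired
        raise TokenError("token expired")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    return claims


# Step 12: RBAC maps roles to permissions; the ABAC rule below limits writes to
# the caller's own crew base. Role and permission names are constructed.
ROLE_PERMISSIONS = {
    "CrewMember": {"roster:read"},
    "CrewSupervisor": {"roster:read", "roster:write"},
    "CmsAdmin": {"roster:read", "roster:write", "config:write"},
}


def backend_authorize(claims: dict, permission: str, resource: dict) -> bool:
    roles = claims.get("roles", [])
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if permission not in granted:
        return False
    # ABAC: non-admin writes must target the base carried in the verified token.
    if permission.endswith(":write") and "CmsAdmin" not in roles:
        return claims.get("base") == resource.get("base")
    return True


def handle_request(authorization_header: str, permission: str, resource: dict, now=None) -> dict:
    """Steps 10-13: validate at the BFF, authorize at the backend, build the response."""
    try:
        claims = bff_validate(authorization_header, now)
    except TokenError as exc:
        return {"status": 401, "error": str(exc)}
    if not backend_authorize(claims, permission, resource):
        return {"status": 403, "error": "forbidden"}
    return {"status": 200, "user": claims.get("sub"), "resource": resource}


if __name__ == "__main__":
    now = time.time()
    token = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123", "roles": ["CrewSupervisor"],
                        "base": "BASE-A", "iat": now, "nbf": now, "exp": now + 3600})
    print(handle_request("Bearer " + token, "roster:write", {"base": "BASE-A"}))
    print(handle_request("Bearer " + token, "roster:write", {"base": "BASE-B"}))
```

The order of checks matters: the signature is verified before any claim is read, so issuer, audience and roles are only ever taken from a token the identity provider actually signed, and the browser cannot elevate itself by editing the payload it holds.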
Diagram legend: User interaction; Frontend / browser; Identity provider; Security path; BFF / orchestration; Backend authorization; Returned result.