Integration Architecture

Fits your existing stack. Replaces nothing. Adds the missing layer.

Raidiam Connect sits above your API gateways, IAM systems, and cloud providers. It adds the trust, identity, certificate, and governance layer that none of them provide — without replacing anything you already have.

API-first by design

Every capability in Raidiam Connect is available via API. The portal is a convenience layer — not a requirement. Your existing developer portal, internal tools, or custom UI can consume Connect's trust services directly via REST APIs and OpenID Federation endpoints. All registration, discovery, certificate management, and policy operations are programmatically accessible.

Enterprise Integration

How Connect fits into your existing stack

API Gateway Integration

Kong, Apigee, AWS API Gateway

Connect publishes participant metadata and certificate status via federation endpoints. Your API gateway validates incoming mTLS connections against Connect’s published JWKS and certificate chain.

Integration pattern

Gateway queries .well-known/openid-federation endpoint → retrieves entity statement → validates x5c certificate chain against published JWKS

Standards & protocols

- OpenID Federation (entity statements, trust chains)
- JWKS (RFC 7517) for key publication
- X.509 certificate validation
- mTLS (RFC 8705) for transport security
- OCSP / CRL for real-time certificate status

Authorization Server Integration

Ozone, ForgeRock, Ping, Keycloak

Your auth server resolves client identity via OpenID Federation instead of manual bilateral registration. Connect does NOT manage consent — that remains in your auth server.

Integration pattern

Auth server resolves client via OpenID Federation entity statement → pulls verified metadata and JWKS → issues certificate-bound tokens per RFC 8705

Standards & protocols

- OpenID Federation (trust chain resolution)
- RFC 7591 / 7592 (Dynamic Client Registration)
- RFC 7519 (JWT) for entity statements
- RFC 8705 (certificate-bound access tokens)
- FAPI 2.0 Security Profile
- PAR (RFC 9126), RAR (RFC 9396)

Identity Provider Integration

Okta, Azure AD, existing IDP

Operator access to Connect’s dashboard authenticates via your existing IDP. Participant-facing portals support federation-based SSO.

Integration pattern

OIDC Authorization Code + PKCE → SSO into Connect dashboard → SAML bridge for legacy IDPs

Standards & protocols

- OpenID Connect Core (authorization code flow)
- PKCE (RFC 7636)
- SAML 2.0 (for legacy IDP bridge)
- SCIM (optional, for user provisioning)

PKI & Certificate Integration

Venafi, HashiCorp Vault, AWS ACM, existing CA

Connect’s HSM-backed CA issues transport, signing, and encryption certificates. If you have an existing PKI, Connect can operate as a subordinate CA or validate externally-issued certificates against your trust chain.

Integration pattern

CSR submission via API → RA policy validation → CA issuance (HSM-backed) → JWKS publication → OCSP responder + CRL distribution

Standards & protocols

- X.509v3 certificates (transport, signing, encryption)
- PKCS#10 (CSR format)
- OCSP (RFC 6960) for real-time revocation checking
- CRL (RFC 5280) with delta CRL support
- JWKS (RFC 7517) with x5c and x5t#S256
- FIPS 140-2 Level 3 HSMs
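The certificate-bound tokens in the authorization server pattern and the JWKS entries with x5c and x5t#S256 listed here rest on the same SHA-256 certificate thumbprint. The sketch below is an added example, not Raidiam's code: it checks that a JWK's thumbprint matches its own leaf certificate and that an access token is bound to the certificate presented over mTLS. Function names and sample values are assumptions, and the "certificates" are constructed placeholder bytes; signature and chain validation are out of scope.

```python
import base64
import hashlib

def x5t_s256(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)) without padding, the form used by
    the JWK "x5t#S256" member and the RFC 8705 "cnf" claim."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def jwk_thumbprint_consistent(jwk: dict) -> bool:
    """A JWK's x5t#S256 must describe its own leaf certificate, x5c[0].
    x5c entries are standard base64 DER (RFC 7517), not base64url."""
    chain = jwk.get("x5c") or []
    claimed = jwk.get("x5t#S256")
    if not chain or not isinstance(claimed, str):
        return False
    try:
        leaf_der = base64.b64decode(chain[0], validate=True)
    except (ValueError, TypeError):
        return False
    return x5t_s256(leaf_der) == claimed

def token_bound_to_cert(token_claims: dict, presented_cert_der: bytes) -> bool:
    """Gateway-side RFC 8705 check: the token's cnf["x5t#S256"] must equal the
    thumbprint of the client certificate used on this mTLS connection."""
    cnf = token_claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str):
        return False  # no binding present: reject, do not fall back to bearer
    return x5t_s256(presented_cert_der) == bound

# Constructed sample data: opaque bytes standing in for DER certificates.
CLIENT_CERT = b"constructed-client-cert-der"
OTHER_CERT = b"constructed-other-cert-der"
SAMPLE_JWK = {
    "kty": "RSA", "use": "sig", "kid": "example-kid",
    "x5c": [base64.b64encode(CLIENT_CERT).decode("ascii")],
    "x5t#S256": x5t_s256(CLIENT_CERT),
}
SAMPLE_TOKEN = {"sub": "example-client", "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT)}}

if __name__ == "__main__":
    print(jwk_thumbprint_consistent(SAMPLE_JWK))
    print(token_bound_to_cert(SAMPLE_TOKEN, CLIENT_CERT))
    print(token_bound_to_cert(SAMPLE_TOKEN, OTHER_CERT))
```

The third call shows the case the binding exists for: a valid token replayed over a connection that uses a different certificate is refused.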

Monitoring & Events Integration

Splunk, Datadog, Kafka, Azure EventGrid

Shared Signals pushes signed security events to your SIEM or event bus. Each signal is a signed SET token verifiable against Connect’s published JWKS.

Integration pattern

Connect emits SET token (RFC 8417) → signed webhook delivery → your event bus ingests → SIEM alerts and dashboards

Standards & protocols

- SET (RFC 8417) — Security Event Tokens
- SSE (Shared Signals and Events framework)
- CAEP / RISC for session and risk events
- Webhook delivery (HTTPS POST, signed)
- At-least-once delivery with exponential backoff
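At-least-once delivery means the same SET can arrive more than once, so the receiving side has to be idempotent. The receiver below is an added example, not Raidiam's code: it validates the required SET claims and deduplicates on issuer plus jti. It assumes the signature was already verified against the published JWKS with a JOSE library; the class name, issuer, audience and jti values are placeholders.

```python
CAEP_SESSION_REVOKED = (
    "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
)

class SetReceiver:
    """Processes each SET once, however many times delivery is retried.

    Assumes the caller already verified the SET's signature against the
    issuer's published JWKS and passes in the decoded claims.
    """

    def __init__(self, expected_iss: str, expected_aud: str):
        self.expected_iss = expected_iss
        self.expected_aud = expected_aud
        self.seen = set()    # (iss, jti) pairs; a durable store in production
        self.handled = []    # event-type URIs actually acted on

    def ingest(self, claims: dict) -> str:
        # RFC 8417 requires iss, iat, jti and events in every SET.
        for name in ("iss", "iat", "jti", "events"):
            if name not in claims:
                raise ValueError(f"missing required SET claim: {name}")
        if claims["iss"] != self.expected_iss:
            raise ValueError("unexpected issuer")
        # aud is only RECOMMENDED by RFC 8417; requiring it is this receiver's policy.
        aud = claims.get("aud")
        if self.expected_aud not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("SET is not addressed to this receiver")
        events = claims["events"]
        if not isinstance(events, dict) or not events:
            raise ValueError("events must be a non-empty JSON object")
        if not isinstance(claims["jti"], str):
            raise ValueError("jti must be a string")
        key = (claims["iss"], claims["jti"])
        if key in self.seen:
            return "duplicate"   # acknowledge the retry, do not act twice
        self.seen.add(key)
        self.handled.extend(events)   # one entry per event-type URI
        return "accepted"

# Constructed sample SET claims; issuer, audience and jti are placeholders.
SAMPLE_SET = {
    "iss": "https://connect.example",
    "aud": "https://siem.example/ingest",
    "iat": 1700000000,
    "jti": "constructed-jti-0001",
    "events": {CAEP_SESSION_REVOKED: {}},
}
```

A duplicate should still be acknowledged to the sender so that the backoff retries stop; only the downstream action is suppressed.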

Need help with these integrations? Raidiam Enable provides OIDF-certified SDKs, reference implementations, and hands-on engineering support for every integration point above. Or work with your existing vendors — every protocol listed here is an open standard.

Enterprise reference architecture

Your bank has multiple brands, jurisdictions, and technology stacks. Connect governs trust consistently across all of them — without replacing anything.


One trust plane across every brand, jurisdiction, and stack

Your bank is not one stack. Different brands, different geographies, different vendors, different clouds. Raidiam Connect governs trust consistently across all of them.

[Diagram: Global Bank Group]

Raidiam Connect — Ecosystem Control Plane: Trust Anchor, Federation, PKI, Policy, Discovery, Metadata, Signals, Lifecycle, Visibility

Retail Banking — London
- Azure UK South, Kong API Gateway, ForgeRock Auth Server, Okta IDP, Temenos Core Banking
- Mobile Banking, Open Banking APIs, Partner APIs, Retail Payments, Card Services
- 120+ fintechs · 40+ partners · 3M+ customers

Private Banking — Jersey
- AWS eu-west-1, Apigee API Gateway, Ping Identity Auth, Azure AD IDP, Avaloq Core Banking
- Client Portal, Advisory Platform, Custody & Wealth, Regulatory Reporting, Cross-Border Access
- 30+ wealth advisors · 15+ custodians · HNW clients

Different vendors · different clouds · different jurisdictions. One trust model.

Raidiam Connect governs trust, identity, and policy — regardless of the underlying technology

Your bank has multiple brands, jurisdictions, and technology stacks. Raidiam Connect doesn't replace any of them — it provides the trust and federation layer that governs participant identity, certificates, and policy consistently across all of them.

Deployment models

Choose the deployment model that matches your security and sovereignty requirements.

Most common

SaaS (hosted by Raidiam)

Multi-tenant, multi-region. Data residency in your chosen region. 99.99% SLA. Most common for enterprises.

Dedicated

Private Cloud

Dedicated instance in your preferred cloud (AWS, Azure, GCP). Full network isolation. For organisations requiring dedicated infrastructure.

Sovereign

Bring Your Own Database

Connect’s compute runs in Raidiam’s cloud. Your data stays in your database, accessible via VPN. For maximum data sovereignty.

Build Once. Expand Everywhere.

Where will your ecosystem take you?

Whether you're a regulator building a national digital economy, an enterprise platformising across brands and clouds, or a bank that wants to stop rebuilding trust for every new use case — there's a next step.

See It in Action

See how one investment in Raidiam Connect covers your first use case — and the next hundred

Request a Briefing

For regulators and central banks — how to build the foundations for an expandable digital economy

See the Proof

Brazil started with 2 data-sharing scopes. Today it has hundreds — all on the same infrastructure