Architecture

A modular, layered architecture built on a five-stage sync pipeline: Import, Join, Attribute Flow, Projection, and Export. Every component is designed for reliability, auditability, and extensibility.

Identity Mesh Architecture Diagram

Sync Pipeline

Every identity change flows through five deterministic stages, each with its own rules and audit trail.

1. Import

Connectors read objects from source systems (Active Directory via LDAP, SQL databases via queries) and stage them into the Management Space. Supports full and delta import modes with watermark-based change detection.

  • Delta sync via uSNChanged / watermark columns
  • Batch upsert (100 per batch)
  • Watermark checkpoint after each batch

2. Join

Anchor-based join rules match imported connector objects to existing mesh identities. If no match exists and the join rule permits creation, a new mesh object is created. This is how identities from multiple sources converge into a single record.

  • Declarative anchor rules per connector
  • Auto-create or join-only modes
  • Multi-source identity correlation

3. Attribute Flow

Inbound flow rules map connector attributes to mesh attributes. Each rule can include a transform script (ToLower, Trim, Replace, Concat, etc.) and a confidence score. When multiple sources provide the same attribute, the highest-confidence value wins.

  • Safe transform engine (no eval, whitelisted functions)
  • Confidence-based conflict resolution
  • Reference attribute → relationship resolution

4. Projection

Projection rules define how mesh objects are represented in each target system. Attribute rules map mesh attributes to target attributes, optionally applying outbound transforms. Delta computation compares projected values against the last exported snapshot to emit only actual changes.

  • Per-connector projection rules
  • Outbound transform scripts
  • Snapshot-based delta computation

5. Export

The export queue processes pending changes in priority order. Each item is locked, exported to the target connector, and marked complete. Failed exports retry with exponential backoff (up to 3 attempts). Pause/resume releases queued items back to pending.

  • Priority queue with locking
  • Retry with exponential backoff
  • Per-object audit trail
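As an added illustration, not Identity Mesh's own code, here is the projection delta and export queue behaviour described in stages 4 and 5 written in Python (the product itself is .NET). The 1-second base backoff, the state names and the in-memory queue are assumptions; the sleep function is injected so the backoff can be observed without waiting.

```python
MAX_ATTEMPTS = 3            # page: failed exports retry up to 3 attempts
BASE_BACKOFF_SECONDS = 1.0  # assumed base for the exponential backoff

def compute_delta(projected, snapshot):
    """Return only the attributes whose projected value differs from the last exported snapshot."""
    delta = {k: v for k, v in projected.items() if snapshot.get(k) != v}
    delta.update({k: None for k in snapshot if k not in projected})  # cleared in the target
    return delta

class ExportQueue:
    """pending -> locked -> complete/failed, in priority order, with backoff and pause/resume."""
    def __init__(self, export_fn, sleep_fn):
        self.export_fn = export_fn   # export_fn(obj_id, delta) raises on connector failure
        self.sleep_fn = sleep_fn     # injected so tests can record the backoff instead of sleeping
        self.items, self.paused = {}, False

    def enqueue(self, obj_id, projected, snapshot, priority=10):
        delta = compute_delta(projected, snapshot)
        if delta:   # snapshot already matches: nothing to export
            self.items[obj_id] = {"priority": priority, "delta": delta, "state": "pending", "attempts": 0}

    def pause(self):
        self.paused = True
        for item in self.items.values():   # release locked items back to pending
            if item["state"] == "locked":
                item["state"] = "pending"

    def resume(self):
        self.paused = False

    def process(self):
        """Drain the queue; returns {obj_id: final state}."""
        while not self.paused:
            pending = [(k, v) for k, v in self.items.items() if v["state"] == "pending"]
            if not pending:
                break
            obj_id, item = min(pending, key=lambda kv: kv[1]["priority"])   # lowest number first
            item["state"], item["attempts"] = "locked", item["attempts"] + 1  # claimed by this engine
            try:
                self.export_fn(obj_id, item["delta"])
                item["state"] = "complete"
            except Exception:
                if item["attempts"] >= MAX_ATTEMPTS:
                    item["state"] = "failed"
                    continue
                # a real engine would stamp a not-before time rather than block the queue
                self.sleep_fn(BASE_BACKOFF_SECONDS * 2 ** (item["attempts"] - 1))
                item["state"] = "pending"
        return {k: v["state"] for k, v in self.items.items()}
```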

Architecture Components

Sync Engine

Windows service that runs the five-stage pipeline on configurable schedules.

  • Import, Join, Flow, Projection, Export pipeline
  • Multi-instance with connector assignment
  • Pause/resume with mid-sync cancellation
  • Heartbeat monitoring and orphan run detection
  • MeshComposer for dynamic group membership

Admin API & UI

REST API (.NET Minimal API) and Angular web console for configuration and monitoring.

  • 60+ REST endpoints for full control
  • Role-based access control (21 permissions)
  • Audit log with per-object change tracking
  • Export preview and queue management
  • Dashboard with run history and change trends

Connector Layer

Pluggable DLL architecture for importing from and exporting to external identity systems.

  • Active Directory (LDAP/LDAPS, delta via uSNChanged)
  • SQL Database (SQL Server, Azure SQL, multiple auth modes)
  • IIdentityConnector interface for custom connectors
  • Hot-reload connector DLLs via FileSystemWatcher
  • DPAPI-encrypted secrets with reference resolution

Key Capabilities

Built-in features that make Identity Mesh production-ready

Multi-Instance Engines

Run multiple sync engine instances across servers with connector-to-instance assignment. Each instance heartbeats independently and can be paused or resumed individually.

Confidence-Based Attributes

When multiple sources provide the same attribute, the value with the highest confidence score wins. HR systems can be authoritative for job title while AD is authoritative for login name.

Safe Transform Engine

No-eval expression engine with whitelisted functions (ToLower, Trim, Replace, Concat, Coalesce, etc.). Scripts are validated before storage and cached for performance.
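An added example, not the product's code, of the kind of no-eval transform engine and confidence-based resolution described here and in the Attribute Flow stage above, in Python rather than .NET. The script syntax, the argument shapes of the whitelisted functions and the (source, value, confidence) tuple shape are assumptions; scripts that name anything outside the whitelist are rejected when parsed, which is the point at which a real engine would validate them before storage.

```python
import functools
import re

# Whitelisted transforms named on the page (argument shapes assumed); nothing else is callable.
WHITELIST = {
    "ToLower": lambda s: s.lower(),
    "Trim": lambda s: s.strip(),
    "Replace": lambda s, old, new: s.replace(old, new),
    "Concat": lambda *parts: "".join(parts),
    "Coalesce": lambda *vals: next((v for v in vals if v), ""),
}
_TOKEN_RE = re.compile(r'[A-Za-z_]\w*|"[^"]*"|[(),]')  # identifiers, "literals", ( ) ,

@functools.lru_cache(maxsize=256)  # validate once, cache the parsed script
def parse(script):
    """Parse e.g. Concat(ToLower(Trim(givenName)), ".", sn) into a small AST; no eval()."""
    if _TOKEN_RE.sub("", script).strip():
        raise ValueError("characters outside the allowed grammar")
    tokens = _TOKEN_RE.findall(script)
    def expr(i):  # recursive descent: "literal" | Func(args...) | attribute name
        tok = tokens[i]
        if tok.startswith('"'):
            return ("lit", tok[1:-1]), i + 1
        if i + 1 < len(tokens) and tokens[i + 1] == "(":
            if tok not in WHITELIST:
                raise ValueError(f"function not whitelisted: {tok}")
            args, i = [], i + 2
            while tokens[i] != ")":
                node, i = expr(i)
                args.append(node)
                i += tokens[i] == ","   # step over the separator
            return ("call", tok, args), i + 1
        return ("attr", tok), i + 1
    try:
        node, end = expr(0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return node

def evaluate(node, attrs):
    """Apply a parsed script to one connector object's attributes (missing -> empty string)."""
    kind, *rest = node
    if kind == "call":
        return WHITELIST[rest[0]](*(evaluate(a, attrs) for a in rest[1]))
    return rest[0] if kind == "lit" else (attrs.get(rest[0]) or "")

def resolve(candidates):
    """Conflict resolution over (source, value, confidence): highest-confidence non-empty value wins."""
    return max((c for c in candidates if c[1]), key=lambda c: c[2], default=None)
```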

MeshComposer

Dynamic group membership engine with nested criteria groups (AND/OR logic). Auto-populates groups based on attribute rules and publishes membership changes to target connectors.

Export Preview & Delta

Preview what would be exported per connector before committing. Snapshot-based delta computation ensures only actual changes are written to target systems.

Full Audit Trail

Every import, join, attribute change, and export is logged. Run history tracks adds, updates, and deletes per connector. Object-level audit shows the complete change history.

Deployment Model

Self-hosted on your infrastructure for complete data sovereignty

Sync Engine

Windows Service installed via MSI. Supports multiple instances on the same or different servers.

  • Named instances via --instance-name
  • DPAPI-encrypted credential storage
  • Connectors loaded from local DLL folder

Admin API & Web UI

Minimal API with Angular frontend. Integrated Windows Authentication with role-based permissions.

  • Negotiate (Kerberos/NTLM) authentication
  • Swagger UI for API exploration
  • SQL Server database (EF Core)

Technical Specifications

Technology Stack

Sync Engine: .NET 8 / Windows Service
Admin API: .NET 10 / Minimal API
Web UI: Angular
Database: SQL Server / EF Core

Security

Authentication: Negotiate (Kerberos/NTLM)
Authorization: RBAC (21 permissions)
Secrets: DPAPI encryption
Config masking: Passwords redacted in API

Integration Protocols

Active Directory: LDAP / LDAPS
SQL Database: SQL Server / Azure SQL
Admin API: REST / JSON
Extensibility: IIdentityConnector SDK

Data Model

Database tables: 26
Rule types: Join, Flow, Projection, Composer
Attribute storage: Multi-valued with confidence
Audit granularity: Per-object change history

Ready to See It in Action?

Let us walk you through the architecture and show how Identity Mesh fits your environment.