Kundenportal Hosting Guide

🤖 Generated with Claude Code

✅ Reviewed by author

Co-Authored-By: Claude (noreply@anthropic.com)

External documentation for Makler IT / Security teams.

1. Overview

The Kundenportal is a multi-tenant web application (SPA) that enables Endkunden to access their Polizzen, documents, and submit Schadenmeldungen.

Architecture Summary:

SPA Frontend: Hosted on Together-Cloud (*.myversum.at)
EndcustomerApi: Runs on customer infrastructure (inside CCAOnline)
Customer Data: Remains on customer infrastructure (Blue zone)

See architecture diagram: hosting-network-flow.svg

Why This Architecture?

Goal	Implementation
Data Protection	Customer data never leaves your infrastructure. Together-Cloud only hosts the SPA shell and static assets.
No Customer Deployment	Together manages SPA updates centrally. No frontend deployment required on customer side.
Version Compatibility	SPA version auto-selected based on your CCAOnline version. No coordinated upgrades needed.
Simple Firewall Rules	Two static IPs to whitelist for Together services (see Section 3.2).

2. Infrastructure Requirements

No additional servers required. The Kundenportal uses the existing CCAOnline infrastructure:

CCAOnline: Current version with Kundenportal support enabled
Database: Existing CCA database with ecav2 schema views
NotificationApi: MFA codes and activation emails sent via Together-Cloud NotificationApi

For CCAOnline server requirements, refer to the CCAOnline documentation.

3. Network Configuration

3.1 Outbound Firewall Rules

CCAOnline requires outbound HTTPS (443) access to the following Together-Cloud endpoints:

Destination	Purpose
`*.api.cca.online`	Management API
`*.cca.online`	MFA email delivery
`*.servicebytogether.at`	Identity Server
`*.myversum.at`	Portal hostnames

3.2 Inbound Requirements (CCAOnline Routes)

The following CCAOnline routes must be accessible from the internet (HTTPS only):

Path	Called By	Purpose
`/health`	Together-Cloud, Endkunde	CCAOnline health + version (SPA version selection)
`/endcustomer/*`	Endkunde	EndcustomerApi - Auth, Account, API endpoints
`/api/*`	Together-Plattform	Integration callbacks (e.g., `/api/togetherSign/callback`)

Together Service IPs

Service	Source IP	Endpoints
Together-Cloud (Management Server)	`40.91.210.71`	`/health`
Together-Plattform	`193.80.22.145`	`/api/*`

Whitelist these IPs for server-to-server communication. Endkunde requests originate from public internet.

Important: The /health endpoint must return details.applicationVersion. Together-Cloud uses this to determine which SPA version to serve.

For detailed API documentation, see SwaggerHub EndCustomerApi.

Note: The SPA may call routes with double slashes (e.g., //endcustomer/token). Ensure your reverse proxy handles this correctly.

3.3 DNS Configuration

Custom Domain Setup:

To use a custom domain (e.g., portal.makler.at), configure a CNAME record pointing to the Together-Cloud hosting:

portal.makler.at  CNAME  <provided-by-together>.myversum.at

Contact TOGETHER support for the specific CNAME target.

4. SSL/TLS Certificates

SSL/TLS certificates for *.myversum.at are managed by Together-Cloud. No customer action required.

For custom domains, certificate provisioning is handled automatically via Together-Cloud after DNS configuration is complete.

5. Security & Data Classification

5.1 Data Flow

Endkunde Browser
    │
    ├─── SPA assets ───> Together-Cloud (Yellow zone: public data only)
    │
    └─── API requests ──> CCAOnline (Blue zone: protected customer data)

5.2 Data Residency

Zone	Data	Location
Yellow (Together-Cloud)	SPA code, static assets, portal config	West Europe (EU)
Blue (Customer)	Polizzen, documents, Endkunden data	Customer CCAOnline server

Together-Cloud infrastructure is hosted in West Europe (EU) for GDPR compliance.

Protected customer data never leaves customer infrastructure. The SPA retrieves data via authenticated API calls to CCAOnline.

5.3 Security Measures

Together-Cloud is protected by:

Application Gateway WAF v2 - Web Application Firewall
Microsoft Defender for Cloud - Security monitoring

5.4 Authentication Flow

Endkunde navigates to portal URL
SPA loads from Together-Cloud
SPA redirects to CCAOnline for authentication (MFA)
CCAOnline issues Bearer token
SPA uses token to access EndcustomerApi

5.5 Customer Infrastructure Security

Planned: Customer infrastructure security requirements documentation.

6. Integration Points

Endpoint	Location	Purpose
`https://{portal}.myversum.at`	Together-Cloud	Portal frontend (SPA)
`https://kundenportal-mgmnt.api.cca.online`	Together-Cloud	Management API
`https://notification-api.cca.online`	Together-Cloud	MFA email delivery
`{ccaonline}/endcustomer/token`	Customer	OAuth token endpoint
`{ccaonline}/endcustomer/authorize`	Customer	OAuth authorization
`{ccaonline}/endcustomer/api/*`	Customer	EndcustomerApi (data)

7. Health Check Verification

Before go-live, verify:

Outbound connectivity: CCAOnline can reach Together-Cloud endpoints (Section 3.1)
DNS resolution: Custom domain resolves correctly (if applicable)
CCAOnline health: {ccaonline}/health returns:
- "status": "UP"
- "details": { "applicationVersion": "x.x.x" }
EndcustomerApi health: {ccaonline}/endcustomer/health returns healthy
Portal load: Navigate to portal URL, verify SPA loads
Authentication: Complete login flow with test Endkunde

Note: Together-Cloud (40.91.210.71) periodically checks /health to verify availability and determine SPA version compatibility.

8. Support

For questions or support, contact TOGETHER:

Email: support@tis-cca.com

1. Overview​

Why This Architecture?​

2. Infrastructure Requirements​

3. Network Configuration​

3.1 Outbound Firewall Rules​

3.2 Inbound Requirements (CCAOnline Routes)​

Together Service IPs​

3.3 DNS Configuration​

4. SSL/TLS Certificates​

5. Security & Data Classification​

5.1 Data Flow​

5.2 Data Residency​

5.3 Security Measures​

5.4 Authentication Flow​

5.5 Customer Infrastructure Security​

6. Integration Points​

7. Health Check Verification​

8. Support​