Skip to main content
Complete enterprise-grade authentication and identity management architecture with Keycloak as the authoritative identity provider.

Executive Summary

This implementation provides a production-ready authentication system with:
  • Keycloak as Single Source of Truth - All identity centralized
  • JWT Standardization - All auth methods produce JWTs
  • Service Principals - Long-lived credentials for batch jobs
  • API Key Management - Legacy support with JWT exchange
  • Identity Federation - LDAP, SAML, OIDC integration
  • SCIM 2.0 Provisioning - Automated user management
  • Kong JWT Validation - High-performance gateway validation
  • OpenFGA Permission Inheritance - Service principals inherit user permissions
  • Hybrid Session Model - Stateless users + stateful services

Architecture Diagram

Documentation

Architecture Decision Records

Key Design Decisions

Getting Started

  1. Review ADR-0031 through ADR-0039
  2. Follow Deployment Guide
  3. Configure identity providers per Federation Guide
  4. Create service principals per Service Principals Guide
  5. Generate API keys per API Key Guide

Support