Add security architecture pattern infospace

This commit is contained in:
2026-05-19 07:12:07 +02:00
parent 3ca891de4a
commit 5bb4b40b86
81 changed files with 6836 additions and 0 deletions

View File

@@ -0,0 +1,47 @@
# Pattern: Identity Broker
Status: seed
Readiness target: RL3 production
Primary owners: NetKingdom, key-cape, Keycloak
Genesis family: Identity and access
## Problem
External, customer, or ecosystem identities cannot be trusted directly
by every product service without duplicating federation and mapping
logic.
## Context
Use this pattern when tenants bring their own IdP, when operators need
multiple upstream identity sources, or when the platform must normalize
federated identity into the IAM Profile.
## Forces
- Upstream IdPs have different claim shapes and assurance semantics.
- Tenant membership is not the same as global user identity.
- Product applications need stable claims.
- Federation errors can create cross-tenant or privilege confusion.
## Solution
Broker external identity through a controlled IAM layer that validates
upstream issuer trust, maps claims into the NetKingdom IAM Profile, and
records federation source, tenant membership, assurance, and lifecycle
state.
## Verification
- Each upstream IdP has explicit trust metadata and claim mappings.
- Tenant membership is resolved after federation, not assumed from raw
upstream claims.
- Assurance and MFA evidence are normalized for privileged flows.
- Federation failures fail closed with auditable reason codes.
## Related Patterns
- Central Identity Provider.
- Tenant Membership Boundary.
- Role Composition.
- Object-Level Authorization Check.