This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/pattern-central-identity-provider.md

1.4 KiB

Pattern: Central Identity Provider

Status: seed Readiness target: RL3 production Primary owners: NetKingdom, key-cape, Keycloak Genesis family: Identity and access

Problem

Services drift into local user stores and inconsistent login behavior when there is no shared identity source.

Context

Use this pattern for platform services, admin tools, product applications, and operational interfaces that need interactive user login or identity claims.

Forces

  • Product teams need a simple integration point.
  • Platform operators need lifecycle, MFA, and audit consistency.
  • Lightweight local identity and expanded Keycloak deployments need to share a stable profile contract.
  • Tenant users and platform operators must remain distinguishable.

Solution

Route interactive authentication through a central IdP and expose a stable NetKingdom IAM Profile to consumers. The implementation may be lightweight key-cape mode or expanded Keycloak mode, but applications consume the same issuer, audience, subject, tenant, role, and assurance shape.

Verification

  • Applications reject tokens from unknown issuers or audiences.
  • Privileged flows require MFA or equivalent assurance evidence.
  • User disablement removes access across integrated services.
  • Audit events identify user, tenant, issuer, and client.
  • Identity Broker.
  • Tenant Membership Boundary.
  • Human/Agent Identity Split.
  • Delegated Authorization.