Commit Graph

3 Commits

Author SHA1 Message Date
c3f721397a Implement NK-WP-0012 IAM profile specification 2026-05-22 14:35:31 +02:00
57073af68c Register NK-WP-0011 in State Hub; archive NK-WP-0001
Set NK-WP-0001 status to canonical 'archived' (was non-canonical
'deferred', which the hub rejected). Backfill NK-WP-0011 workstream and
task ids from State Hub registration.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 00:07:06 +02:00
ab79a32eba Cancel NK-WP-0001-T04; extract Keycloak federation into NK-WP-0011
NK-WP-0001-T04 (privacyIDEA, Keycloak path) -> cancelled, superseded by
NK-WP-0003-T04 in the deployed KeyCape stack. T05-T08 (Keycloak SSO,
realm/MFA flow, user mgmt, DR) -> cancelled and migrated to NK-WP-0011.

NK-WP-0011 reframes the deferred Keycloak work as expanded-mode enterprise
federation: Keycloak as an identity broker for Entra ID / AD / SAML that
issues IAM Profile-conformant tokens, refined against the current stack
(OpenBao runtime secrets, CloudNativePG, flex-auth/Topaz PDP, recursive
platform/tenant model) rather than the original greenfield assumptions.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 23:48:51 +02:00