# SSO-MFA Platform — Stack Migration Workplan

# NK-WP-0001 — Keycloak → Authelia + LLDAP + KeyCape

**Updated:** 2026-03-19

**Workstream:** sso-mfa-platform (39263c4b-ef70-4053-b782-350834b7e1be)

## Stack Decision

Keycloak + privacyIDEA replaced by:

- **LLDAP** — lightweight LDAP directory (user store)
- **Authelia** — authentication frontend (password authentication against LLDAP; OIDC provider upstream of KeyCape)
- **KeyCape** — OIDC orchestration layer (authorization code flow + MFA via the privacyIDEA adapter)
- **privacyIDEA** — MFA engine (unchanged, still in the `mfa` namespace)

Hostnames:

- kc.coulomb.social (KeyCape)
- auth.coulomb.social (Authelia)
- lldap.coulomb.social (LLDAP admin)

## Task Status

| Task | ID (hub) | Status | Notes |
|------|----------|--------|-------|
| T01 — Vault & secret bootstrap | 7992528c | done | |
| T02 — K8s foundations | 721ca6b2 | done | Manifests authored; pending live cluster |
| T03 — PostgreSQL | 7fa60004 | done | Manifests authored; pending live cluster |
| T04 — privacyIDEA | 6ad1296a | **todo** | Manifests exist in k8s/privacyidea/; pending cluster |
| T05 — SSO core (new stack) | b9f73aa6 | done | Completed this session (commit 0754dc3); see below |
| T06 — Realm config & MFA flow | 3b6379a4 | todo | |
| T07 — User mgmt & self-service | c7cf902a | todo | |
| T08 — Backups, DR, break-glass | 9cbd1d89 | todo | |

## T05 — SSO Core (new stack: LLDAP + Authelia + KeyCape)

### Done

- [x] LLDAP manifests: pvc.yaml, deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
- [x] Authelia manifests: pvc.yaml, configmap.yaml, deployment.yaml, ingress.yaml, create-secrets.sh
- [x] KeyCape manifests: deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
- [x] NetworkPolicy: netpol-sso.yaml updated for new components
- [x] Keycloak manifests staged for deletion

### Completed this session

- [x] keycape/create-pi-token.sh
- [x] lldap/README.md
- [x] authelia/README.md
- [x] keycape/README.md
- [x] Update CONFIG.md (fixed CP-NK-004, removed old CP-NK-005, added CP-NK-005 auth.*, CP-NK-006 lldap.*)
- [x] Update bootstrap/gen-secrets.sh (removed Keycloak, added LLDAP/Authelia/KeyCape sections)
- [x] Update k8s/README.md (network policy table)
- [x] Replace verify-t05.sh (Keycloak → LLDAP+Authelia+KeyCape checks)
- [x] Commit all changes — commit 0754dc3
- [x] Update state hub tasks — T05 marked done, milestone event logged

### Done-criteria for T05

- All manifests present and consistent
- gen-secrets.sh generates correct secrets for the new stack
- verify-t05.sh checks all three components (LLDAP, Authelia, KeyCape)
- Committed to main
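The done-criterion "verify-t05.sh checks all three components" is the kind of check the following added example implements. It is not the project's verify-t05.sh. The namespace `sso`, the Deployment names `lldap`/`authelia`/`keycape`, the LLDAP health path `/health` and KeyCape answering 200 at `/` are assumptions, not taken from the manifests; Authelia's `/api/health` is its real health route. Per component it checks two things: the Deployment reports every replica Ready, and the public hostname answers over HTTPS with a certificate curl accepts (no `-k`), so a self-signed, expired or mis-issued certificate on an ingress fails the check instead of being waved through.

```shell
#!/bin/sh
# Stand-alone smoke check for the LLDAP + Authelia + KeyCape stack, in the
# spirit of the verify-t05.sh done-criterion. Added example, not the
# project's script. Assumptions (not from the workplan): namespace "sso",
# Deployment names lldap/authelia/keycape, LLDAP health path /health,
# KeyCape answering 200 at /. Authelia's /api/health is its real health route.
set -e

SSO_NS="${SSO_NS:-sso}"   # assumed namespace; override with SSO_NS=...

# deploy_ready NS NAME: succeed only when spec.replicas > 0 and every
# replica is Ready. A missing .status.readyReplicas (fresh rollout) fails.
deploy_ready() {
  out=$(kubectl -n "$1" get deployment "$2" \
          -o jsonpath='{.spec.replicas} {.status.readyReplicas}' 2>/dev/null) || return 1
  set -- $out                      # word-split into WANT HAVE
  [ "$#" -eq 2 ] && [ "$1" -gt 0 ] && [ "$2" = "$1" ]
}

# http_status URL: HTTP code of a GET, or 000 when the connection or the TLS
# handshake fails. No -k: certificate validation is part of the check.
http_status() {
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null) || code=000
  printf '%s' "$code"
}

# verify_component NAME HOST PATH WANT: Deployment ready and endpoint returns WANT.
verify_component() {
  if ! deploy_ready "$SSO_NS" "$1"; then
    echo "FAIL $1: deployment $SSO_NS/$1 not fully ready" >&2
    return 1
  fi
  code=$(http_status "https://$2$3")
  if [ "$code" != "$4" ]; then
    echo "FAIL $1: https://$2$3 returned $code, want $4" >&2
    return 1
  fi
  echo "ok   $1: deployment ready, https://$2$3 -> $code"
}

# verify_all: run every component check and report all failures, not just
# the first, so a single run shows the state of the whole stack.
verify_all() {
  rc=0
  verify_component lldap    lldap.coulomb.social /health     200 || rc=1
  verify_component authelia auth.coulomb.social  /api/health 200 || rc=1
  verify_component keycape  kc.coulomb.social    /           200 || rc=1
  return "$rc"
}

# Run the checks only when invoked with "run", so the file can also be
# sourced for its functions:   sh verify-t05-example.sh run
if [ "${1:-}" = run ]; then
  verify_all
fi
```

If lldap.coulomb.social is meant to be reachable only through the middleware in lldap/middleware.yaml, an unauthenticated GET returning 200 is itself a finding; set the expected code for that row to whatever the middleware actually returns to an anonymous client.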