RFC-IAM-0001: Federated Identity and Access Management Architecture
RFC-IAM-0001: Federated Identity and Access Management Architecture
RFC Metadata
| Field | Value |
|---|---|
| RFC ID | RFC-IAM-0001 |
| Title | Federated Identity and Access Management Architecture |
| Status | Draft |
| Category | Standards Track |
| Author | Platform Engineering |
| Created | 2026-02-10 |
| Last Updated | 2026-02-10 |
| Version | 1.0.0 |
Abstract
This RFC defines the architecture for web UI authentication and application-level authorization for platform developer tools. It positions Azure Active Directory as the authoritative identity source and Keycloak as the centralized identity provider, enabling single sign-on across all platform web applications.
The architecture enforces a strict authorization hierarchy where Azure AD permissions represent an immutable ceiling that downstream systems cannot exceed. Azure AD and Keycloak operate as a conjunctive (AND) authorization gate—access requires both systems to permit the action.
Scope Boundaries
| In Scope | Out of Scope |
|---|---|
| Human users logging into web UIs | Machine/workload identity |
| Application authorization (what users can do) | Service-to-service authentication |
| OIDC/OAuth browser-based flows | SSH, database, kubectl access |
| API access via bearer tokens from OIDC | AI agent identity management |
| Platform application integration; Developer portal authentication (see RFC-DEVELOPER-PLATFORM) | Network-level access controls |
This RFC addresses interactive human users accessing web interfaces—not automated workloads, infrastructure access, or machine identity.
Relationship to Other RFCs
This RFC is part of a family of platform architecture specifications:
| RFC | Domain | Scope |
|---|---|---|
| RFC-IAM-0001 (this document) | Web UI Auth & App Authorization | Human → Web Application |
| RFC-SECOPS-0001 | Secrets Management | All secrets lifecycle (Vault as central authority) |
| RFC-DEVELOPER-PLATFORM (planned) | Developer Portal | Backstage, capability-based UI, self-service |
| RFC-WORKLOAD-IDENTITY (planned) | Workload Identity | Service-to-service auth, machine identity, AI agents |
| RFC-TENANT-SECURITY (planned) | Tenant Application Security | WAF, network policies, routing, ingress protection |
| RFC-PAM-0001 (planned) | Privileged Access | SSH, database, kubectl access (Teleport) |
RFC-SECOPS-0001 is the authoritative specification for secrets management—not just machine secrets, but all secrets where Vault serves as central authority. This RFC defers to RFC-SECOPS-0001 for all secret storage, distribution, and rotation concerns.
Table of Contents
Core Sections
-
- 1.1 Background and Context
- 1.2 Current State Analysis
- 1.3 Operational Challenges
- 1.4 Motivation for This Architecture
-
- 2.1 Problem Restatement
- 2.2 Design Goals
- 2.3 Non-Goals
- 2.4 Architectural Invariants
- 2.5 Success Criteria
-
- 3.1 System Overview
- 3.2 Trust Hierarchy Model
- 3.3 Authority Domains
- 3.4 Trust Boundaries
- 3.5 Data Flow Model
-
- 4.1 Azure Active Directory
- 4.2 Keycloak Identity Provider
- 4.3 HashiCorp Vault
- 4.4 External Secrets Operator
- 4.5 Crossplane
- 4.6 Developer Portal (Reference: RFC-DEVELOPER-PLATFORM)
- 4.7 Target Applications
Domain-Specific Sections
-
- 5.1 Permission Inheritance Principle
- 5.2 Azure AD as Authorization Ceiling
- 5.3 Keycloak Role Mapping
- 5.4 Application-Level Authorization
- 5.5 Authorization Decision Flow
-
Secrets Management (Defers to RFC-SECOPS-0001)
- 6.1 Normative Reference: RFC-SECOPS-0001
- 6.2 Scope of This Section
- 6.3 Identity-Bound Secrets
- 6.4 Vault Policy Integration with Keycloak
- 6.5 Keycloak Client Secret Coordination
-
- 7.1 Declarative Configuration Model
- 7.2 Crossplane Provider Integration
- 7.3 Helm Chart Templating Strategy
- 7.4 Resource Reconciliation
- 7.5 Configuration Boundaries
-
- 8.1 Integration Patterns
- 8.2 Authentication Integration
- 8.3 Authorization Integration
- 8.4 Secrets Integration
- 8.5 Crossplane Resource Integration
- 8.6 Developer Portal Integration (Reference: RFC-DEVELOPER-PLATFORM)
- 8.7 Extension Model
- 8.8 CI/CD Integration
Supplementary Sections
-
- 9.1 Organizational Authority Boundaries
- 9.2 Alternative Identity Architectures
- 9.3 Alternative Authorization Models
- 9.4 Alternative Secrets Management Approaches
- 9.5 Alternative GitOps Strategies
-
- 10.1 Anticipated Extensions
- 10.2 Scalability Considerations
- 10.3 Migration Pathways
Appendices
-
- A.1 Term Definitions
- A.2 ADR Index
- A.3 Diagram Index
-
- B.1 Normative References
- B.2 Technology Documentation
- B.3 Informative References
- B.4 Internal References
Reading Paths
For Platform Architects
Understanding the complete system design:
- Introduction — Problem context
- Requirements — Constraints and invariants
- Architecture — High-level design
- Authorization Model — Permission hierarchy
- Rationale — Design decisions
For Security Engineers
Evaluating security boundaries and controls:
- Requirements §2.4 — Security invariants
- Architecture §3.4 — Trust boundaries
- Authorization Model — Full section
- Secrets Management — Full section
For DevOps Engineers
Understanding operational integration:
- Components — System components
- GitOps Integration — Deployment model
- Application Integration — Platform applications
- Secrets Management §6.3-6.4 — Secret distribution
For Application Developers
Understanding how to integrate applications:
- Architecture §3.1 — System overview
- Authorization Model §5.5 — Authorization flow
- Application Integration §8.1 — Integration patterns
- Glossary — Terminology
Document Navigation
| Previous | Index | Next |
|---|---|---|
| — | Table of Contents | 1. Introduction → |
End of Index