Identity and Access Management (IAM)

The IAM (Identity and Access Management) architecture of ZAC is illustrated in the following diagram:

```mermaid
C4Context
    title ZAC IAM architecture

    Person(Employee, "Employee", "An employee of a municipality")

    Enterprise_Boundary(b0, "ZAC and related Common Ground components") {
        System(OPA, "Open Policy Agent")
        System(ZAC, "ZAC", "Zaakafhandelcomponent")
    }

    Enterprise_Boundary(b1, "Centralized services") {
        System(Keycloak, "Keycloak")
        System(OpenLDAP, "OpenLDAP")
    }

    Rel(Employee, ZAC, "Uses")
    Rel(Employee, Keycloak, "Authenticates", "OIDC")
    Rel(Keycloak, OpenLDAP, "User federation", "LDAP")
    Rel(ZAC, Keycloak, "Uses", "OIDC")
    Rel(ZAC, OpenLDAP, "Get groups", "LDAP")
    Rel(ZAC, OPA, "Manage policies", "REST")

    UpdateElementStyle(ZAC, $bgColor="red", $borderColor="red")
    UpdateElementStyle(Keycloak, $bgColor="darkgrey", $borderColor="darkgrey")
    UpdateElementStyle(OpenLDAP, $bgColor="darkgrey", $borderColor="darkgrey")

    UpdateLayoutConfig($c4ShapeInRow="4", $c4BoundaryInRow="4")
```

The following components are part of the ZAC IAM architecture:

| Component | Description | ZAC usage |
|-----------|-------------|-----------|
| OPA | Open Policy Agent. Policy engine that manages security policies. | ZAC manages all of its security policies (= role-permission mappings) in OPA. |
| Keycloak | Open source Identity and Access Management product. | ZAC uses Keycloak for authentication and authorization. Both the ZAC frontend (= the browser) and the ZAC backend (= Docker container / Kubernetes pod) authenticate to Keycloak using OIDC (OpenID Connect). Keycloak in turn uses OpenLDAP for user federation. |
| OpenLDAP | Open source LDAP server. | ZAC retrieves the available user groups from OpenLDAP. Keycloak uses OpenLDAP for user federation. OpenLDAP is the source of truth for all users and groups and for federated user authentication (user passwords are stored only in OpenLDAP, not in Keycloak). |
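The page does not show ZAC's actual OPA policies. The following Rego policy is an added illustration (not ZAC's own code) of the kind of role-permission mapping a policy engine such as OPA evaluates, including the deny-by-default rule that keeps a role with no mapping from granting anything. The package name, role names, action names and the shape of the `input` document are all made up for the example.

```rego
# Added example, not ZAC's own policy: a deny-by-default role-permission
# mapping of the kind OPA evaluates. Package, role and action names and
# the input document shape are hypothetical.
package example.authz

import future.keywords.if
import future.keywords.in

# Deny unless a rule below explicitly allows. Without this, a query for
# an unknown role or action would be undefined rather than false.
default allow := false

# Role -> set of permitted actions (constructed data; in a real deployment
# this would typically be loaded as a separate JSON data document).
role_permissions := {
    "reader":      {"case:read"},
    "handler":     {"case:read", "case:update"},
    "coordinator": {"case:read", "case:update", "case:assign"},
}

# Allow when any of the caller's roles grants the requested action.
# Expected query, e.g. POST /v1/data/example/authz/allow with body:
#   {"input": {"user": {"roles": ["handler"]}, "action": "case:update"}}
# -> {"result": true}; with "action": "case:assign" -> {"result": false}
allow if {
    some role in input.user.roles
    input.action in role_permissions[role]
}
```

Evaluated locally with `opa eval -i input.json -d policy.rego "data.example.authz.allow"`, a request with roles `["handler"]` and action `case:update` yields `true`, while `case:assign` for the same roles, or any role not present in `role_permissions`, falls through to the `default allow := false` rule.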

As can be seen above, ZAC currently requires OpenLDAP as its user store. Integration with Active Directory is foreseen for the future but is not yet implemented.

For details about the OPA access control policies and roles used by ZAC please see: access control policies.