Identity Policy
Rules
This document defines the rules all services and users must obey regarding identity and access.
Guarantees
- Unified Login: A single set of credentials and session is used across all platform services.
- MFA Enforcement: Multi-factor authentication is mandatory for all administrative access and any service exposed to the public internet (where supported).
- Session Isolation: Authentication is handled by the platform, not the application, ensuring a uniform security posture.
Service Requirements
All services integrated into the platform MUST:
- Delegate Auth: Rely on the platform’s Identity Provider via OIDC, SAML, or Auth Proxy headers.
- Use Group-Based Access: Authorization should be based on IdP groups (e.g., `admins`, `family`), not individual user accounts.
- Support SSO: Be configured to allow seamless login via the platform session.
Auth Requirements by Exposure Category
| Category | Authentication | Authorization | Notes |
|---|---|---|---|
| Public | SSO + MFA enforced at ingress | IdP groups required | No anonymous access unless explicitly approved in a Service Contract. |
| Internal | SSO enforced at ingress | IdP groups required | Local accounts disallowed except break-glass. |
| VPN-Only | SSO enforced at ingress | IdP groups required | VPN enrollment required for network access. |
| Management | MFA required for all access | Admin-only groups | SSH keys or short-lived certs required for shell access. |
Management Access Rules
- Administrative endpoints MUST be reachable only from Admin LAN or VPN networks.
- SSH access MUST use keys or short-lived certificates; passwords are forbidden.
- All management access MUST be attributable to a named admin identity and logged.
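As an added illustration (not part of this policy document), the following Python function applies the Service Requirements, the exposure-category table and the Management Access Rules above to one request. The header names, the network labels and the `mfa_done` flag are assumptions: the policy only says that identity arrives via auth-proxy headers, and that the headers must be trusted only when the request actually came through the platform ingress.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Assumed header names; the policy says "Auth Proxy headers" but does not fix them.
USER_HEADER = "X-Forwarded-User"
GROUPS_HEADER = "X-Forwarded-Groups"
ADMIN_NETWORKS = ("admin-lan", "vpn")  # labels for the policy's Admin LAN / VPN networks

@dataclass(frozen=True)
class Route:
    path: str
    category: str                     # Public, Internal, VPN-Only or Management
    allowed_groups: frozenset         # IdP groups only, never individual users
    anonymous_approved: bool = False  # Public only, granted via a Service Contract

def identity_from_proxy(headers: Mapping[str, str], from_trusted_ingress: bool) -> Optional[Tuple[str, frozenset]]:
    """Return (user, groups) taken from the auth-proxy headers, or None.
    The headers are believed only when the request arrived through the platform
    ingress; otherwise a client could simply forge them."""
    if not from_trusted_ingress:
        return None
    user = headers.get(USER_HEADER, "").strip()
    if not user:
        return None
    groups = {g.strip() for g in headers.get(GROUPS_HEADER, "").split(",") if g.strip()}
    return user, frozenset(groups)

def authorize(route: Route, headers: Mapping[str, str], *, from_trusted_ingress: bool,
              mfa_done: bool, network: str) -> Tuple[int, str]:
    """Decide (HTTP status, reason) for a request under the identity policy."""
    ident = identity_from_proxy(headers, from_trusted_ingress)
    if ident is None:
        if route.category == "Public" and route.anonymous_approved:
            return 200, "anonymous access approved in the Service Contract"
        return 401, "no platform session"
    user, groups = ident
    # Public and Management categories require MFA; Internal and VPN-Only do not.
    if route.category in ("Public", "Management") and not mfa_done:
        return 401, "MFA required"
    if route.category == "Management" and network not in ADMIN_NETWORKS:
        return 403, "management endpoints are reachable only from Admin LAN or VPN"
    if route.category == "VPN-Only" and network != "vpn":
        return 403, "VPN enrollment required for network access"
    if not route.allowed_groups:
        return 500, "route misconfigured: authorization must be group-based"
    if groups.isdisjoint(route.allowed_groups):
        return 403, f"{user} is in none of {sorted(route.allowed_groups)}"
    return 200, f"{user} authorized via IdP group"
```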
Negative Constraints
- Services MUST NOT maintain their own local user databases for “standard” access.
- Local “admin” or “break-glass” accounts MUST have high-entropy, randomly generated passwords stored in a secure vault.
- Clear-text passwords MUST NEVER be stored in the Git repository.