Role: Identity & Access
Responsibility
The Identity role provides the “Who” for the entire platform. It manages user identities, credentials, and group memberships, and provides a unified authentication experience (SSO).
Key Guarantees
- Centralized Truth: One directory for all human users.
- MFA Enforcement: Critical services must require multifactor authentication.
- SSO: Users should only need to authenticate once to access multiple platform services.
Related Models & Policies
Implementation Options
| Option | Best Fit | Good At | Costs / Risks | Integration Notes |
|---|---|---|---|---|
| Authentik | All stacks | Flexible flows, “one IdP for everything”. | Operating an IdP (backup, upgrades, DB). | Choose enforcement at ingress: forward-auth, oauth2-proxy, or mesh-based. |
| Keycloak | K8s, Talos | Enterprise-grade, standard OIDC/SAML, great docs. | Heavy; tuning/upgrade complexity. | Pairs well with oauth2-proxy and standard OIDC clients. |
| Authelia | K3s, Nomad | Lightweight auth portal, simple 2FA, forward-auth. | Less of a “platform” than Authentik/Keycloak. | If OIDC is needed for apps, a full IdP might still be required. |
Typical Stack Pairings
- Traefik: Authentik + forward-auth (or Authelia)
- NGINX Ingress: Authentik/Keycloak + oauth2-proxy
- Any: IdP + apps using OIDC directly (for “native SSO” apps)
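The first pairing (Traefik + Authentik forward-auth) as a Traefik dynamic configuration. This is an added, constructed example, not configuration from the page or from the Authentik or Traefik projects; the hostnames `authentik-outpost`, `app` and `app.example.internal`, the ports and the `websecure` entry point are assumptions.

```yaml
# Traefik dynamic configuration (file provider). Constructed example; the
# host names, ports and entry point below are assumptions.
http:
  middlewares:
    authentik-forward-auth:
      forwardAuth:
        # Authentik outpost endpoint that answers Traefik's forward-auth sub-request
        address: "http://authentik-outpost:9000/outpost.goauthentik.io/auth/traefik"
        # Lets the outpost build the redirect back to the original URL from
        # X-Forwarded-*; only safe when Traefik is the sole hop that sets them.
        trustForwardHeader: true
        # Identity headers copied from the outpost's 200 reply into the request
        # that reaches the app. The app must trust these ONLY via this ingress,
        # so it must not be reachable on any path that bypasses Traefik.
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid

  routers:
    # The outpost's own paths (flow start, callback, sign-out) must be served
    # WITHOUT the middleware, otherwise the login flow redirects into itself.
    authentik-outpost:
      rule: "Host(`app.example.internal`) && PathPrefix(`/outpost.goauthentik.io/`)"
      entryPoints: ["websecure"]
      service: authentik-outpost
      tls: {}

    # Everything else on the host is gated by the forward-auth middleware.
    app:
      rule: "Host(`app.example.internal`)"
      entryPoints: ["websecure"]
      middlewares: ["authentik-forward-auth"]
      service: app
      tls: {}

  services:
    authentik-outpost:
      loadBalancer:
        servers:
          - url: "http://authentik-outpost:9000"
    app:
      loadBalancer:
        servers:
          - url: "http://app:8080"
```

MFA enforcement for this app is then configured on the Authentik side (the authentication flow bound to the provider), not in Traefik; the ingress only decides which requests are handed to the IdP.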