Cybersecurity

Identity & Access Security: Centralized Identity Provider

Robust authentication, seamless federation, and scalable identity control.

In large-scale digital environments, managing user access securely and efficiently is critical. This project was developed for a major international organization seeking to unify identity management across internal and external systems. The goal was to implement a centralized Identity Provider (IdP) that could support federated access, multi-factor authentication (MFA), and single sign-on (SSO), while ensuring compliance with global security standards.

Objective

To design and deploy a secure, scalable identity platform that enables:

    • Centralized authentication for critical systems.
    • Integration with multiple identity sources.
    • Full traceability and lifecycle management of users.
    • Regulatory compliance from the initial deployment.

Solution Adopted

The solution was built around Keycloak, deployed on GKE Autopilot and backed by Cloud SQL, and integrated with Azure AD (now Microsoft Entra ID) and external identity providers. It combined several MFA methods (TOTP, email OTP and WebAuthn), validation of Keycloak-issued OAuth 2.0 access tokens at the Apigee API gateway, and full infrastructure automation with Terraform and GitOps workflows. The system was designed to be scalable, secure, and compliant with GDPR and ISO 27001.

Key Actions

    • Set up identity brokering (federation) with Azure AD and external identity providers over OIDC and SAML, so users authenticate against their home directory while Keycloak issues the tokens that applications consume.
    • Implemented multi-factor authentication with TOTP, email-based OTP and WebAuthn. Of the three, only WebAuthn is phishing-resistant; email OTP inherits the security of the user's mailbox, so it is best treated as a fallback rather than the default factor.
    • Integrated token validation at Apigee: the gateway checks the signature, issuer, audience and expiry of each Keycloak-issued JWT before a request reaches a backend API.
    • Enabled identity lifecycle management using SCIM and webhook-based provisioning, so joiner, mover and leaver changes propagate automatically rather than leaving orphaned accounts behind.
    • Defined role-based and attribute-based access control policies (RBAC on Keycloak realm and client roles, ABAC on user attributes).
    • Deployed an observability stack with Prometheus, OpenTelemetry, and Cloud Monitoring.
    • Aligned the architecture with GDPR, ISO 27001, and DevSecOps principles.
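
As an added illustration, not code from the project described on this page, the following Go program shows the check the "token validation at Apigee" step performs and the RBAC/ABAC decision that follows it: a gateway-side validator for a Keycloak-style RS256 access token (pinned algorithm, key selected by kid, signature before claims, then issuer, audience and expiry), plus an authorization rule that requires both a realm role and a user attribute. The realm URL https://idp.example.org/realms/corp, the audience payments-api, the role payments-reader and the department claim are assumptions for the example; the SignRS256 function exists only to mint a token to verify, since real tokens come from Keycloak.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token the gateway needs; "department" is an assumed custom attribute for ABAC.
type Claims struct {
	Iss         string `json:"iss"`
	Aud         any    `json:"aud"` // Keycloak emits either a string or an array here
	Exp         int64  `json:"exp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
	Department string `json:"department,omitempty"`
}

// SignRS256 mints a token the way the realm would; it exists only to produce input for Verify.
func SignRS256(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// Verify does what the gateway must before trusting a token: pin the algorithm, pick the key by kid, check the signature, then the claims.
func Verify(tok string, keys map[string]*rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, fmt.Errorf("unreadable header")
	}
	// Never let the token choose the algorithm: this rejects "none" and HMAC key-confusion tokens.
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("rejected header alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // parsed only after the signature is good
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawBody, &c) != nil {
		return nil, fmt.Errorf("unreadable claims")
	}
	if c.Iss != issuer || !hasAudience(c.Aud, audience) || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%v exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}

func hasAudience(aud any, want string) bool {
	if s, ok := aud.(string); ok {
		return s == want
	}
	list, _ := aud.([]any)
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// Authorize applies RBAC (a realm role) and ABAC (the department attribute) together.
func Authorize(c *Claims, role, dept string) bool {
	for _, r := range c.RealmAccess.Roles {
		if r == role {
			return c.Department == dept
		}
	}
	return false
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	c := Claims{Iss: "https://idp.example.org/realms/corp", Aud: []string{"payments-api", "account"}, Exp: time.Now().Add(5 * time.Minute).Unix(), Department: "finance"}
	c.RealmAccess.Roles = []string{"payments-reader"}
	tok, _ := SignRS256(key, "k1", c)
	got, err := Verify(tok, map[string]*rsa.PublicKey{"k1": &key.PublicKey}, c.Iss, "payments-api", time.Now())
	fmt.Println(err, err == nil && Authorize(got, "payments-reader", "finance")) // <nil> true
}
```

In a real deployment the kid-to-key map is refreshed from the realm's JWKS endpoint (Keycloak publishes it at /realms/<realm>/protocol/openid-connect/certs) rather than built from a locally generated key, and the audience must be the API's own client ID so a token minted for one API cannot be replayed against another. The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so unsigned or "alg: none" tokens never reach the authorization rule.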

Technologies

    • Keycloak as the Identity Provider.
    • GKE Autopilot and Cloud SQL for infrastructure.
    • Terraform and GitOps for deployment automation.
    • TLS 1.3 for transport security and OPA for policy enforcement.
    • TOTP, email OTP, and WebAuthn for MFA.
    • Apigee, OAuth 2.0, and JWT for API integration.
    • Prometheus and OpenTelemetry for observability, Cortex XSIAM for security monitoring and response.
    • GDPR and ISO 27001 as compliance targets, OWASP ASVS as the application security verification baseline.

Savings & Benefits

    • 60% reduction in incident response time for access-related events.
    • Secure authentication for over 2,500 internal users and 190 external users.
    • Regulatory compliance achieved from the MVP stage.
    • Scalable infrastructure with no need for redesign.
    • Total cost of ownership up to six times lower than equivalent SaaS solutions.