ADR 007: Select IAM Tool
Date: 2025-09-10
Status: Accepted
Decision Makers: @JulianSobott @cr0ssing @luckey @DerLinne
Context
We need a central IAM tool that is powerful enough to fulfill all requirements and is open source. In civitas v1, Keycloak was used for this. Although it is somewhat more complex than other tools, it is very powerful and integrated well into the platform.
Checked Architecture Principles
- [full] Model-centric data flow – Configurable-as-code via keycloak-config-cli (see ADR 005)
- [full] Distributed architecture with unified user experience – Centralizes auth/SSO and can be themed to feel like one UI while remaining a decoupled service.
- [partial] Modular design – Provides a single responsibility (IAM/SSO) and could be replaced by any OIDC/SAML provider. Keycloak-specific features could make such a replacement difficult.
- [full] Integration capability through defined interfaces – Implements OpenID Connect/OAuth2, plus an Admin REST API.
- [full] Open source as the default – Fully open source with active community.
- [full] Cloud-native architecture – Official containers, Kubernetes-ready, supports HA and horizontal scaling.
- [full] Prefer standard solutions over custom development
- [full] Self-contained deployment
- [full] Technological consistency to ensure maintainability
- [full] Multi-tenancy – Realms enable strong tenant isolation
- [full] Security by design – Centralized auth, OIDC, fine-grained policies, least-privilege patterns and modern security protocols.
Decision
Keycloak should be used as the central Identity and Access Management tool. It worked very well in v1, is well maintained, and still satisfies all our required features. Most of the tools have direct integrations with Keycloak.
Consequences
All tools must connect to Keycloak via OIDC.
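As an added example (not part of the original ADR and not the project's own configuration), this keycloak-config-cli realm import puts the decision above into config-as-code: one realm per tenant and a confidential OIDC client for a tool that connects to Keycloak. The realm name `civitas-tenant-a`, the client id `wiki-service`, the hostnames and the `WIKI_CLIENT_SECRET` variable are assumptions; the `$(env:...)` substitution requires `import.var-substitution.enabled=true` on keycloak-config-cli.

```yaml
# Added example, not the project's own config. Realm name, client id,
# hostnames and the WIKI_CLIENT_SECRET variable are assumptions.
realm: civitas-tenant-a           # one realm per tenant: isolated users, roles and sessions
enabled: true
sslRequired: all                  # refuse plain-HTTP login and token traffic, not only "external"
bruteForceProtected: true         # temporary lockout after repeated failed logins
passwordPolicy: "length(12) and notUsername"
accessTokenLifespan: 300          # seconds; short-lived access tokens, renewed via the session
ssoSessionIdleTimeout: 1800       # seconds of inactivity before the SSO session expires
clients:
  - clientId: wiki-service        # the connecting tool (assumed name)
    protocol: openid-connect      # the OIDC requirement from the Consequences section
    enabled: true
    publicClient: false           # confidential client: must authenticate at the token endpoint
    secret: "$(env:WIKI_CLIENT_SECRET)"   # resolved at import time, never committed to the repo
    standardFlowEnabled: true     # authorization code flow only ...
    implicitFlowEnabled: false    # ... no tokens in browser URLs
    directAccessGrantsEnabled: false  # no resource-owner password grant for this tool
    serviceAccountsEnabled: false # no client-credentials tokens unless the tool needs them
    redirectUris:
      - "https://wiki.example.org/oidc/callback"   # exact match, no wildcard
    webOrigins:
      - "https://wiki.example.org"
    attributes:
      pkce.code.challenge.method: S256             # PKCE also for the confidential client
      post.logout.redirect.uris: "https://wiki.example.org/"
```

A second tenant is a second file with its own `realm:` value; keycloak-config-cli applies each file idempotently, so the realm definition in git remains the source of truth.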
Alternatives
- Authentik: not as powerful or stable for larger projects
See also
- Ticket #147