A secure Federation and Single Sign-On solution for hybrid and multi-cloud environments.
Tech Stack: Keycloak, OpenStack Keystone (with Kolla-Ansible AIO OpenStack), AWS IAM Identity Center, ELK Stack + Filebeat, Docker, Ansible
Setup & Logstash config: Docs
ELK rule & Response playbook: Incident Response
Fragmented identity management across public and private cloud leads to credential sprawl, misconfigurations, and fragmented auditing (the M×N problem: every identity provider must be integrated with every platform) ⇒ A centralized SSO solution is required to unify identity management across hybrid cloud environments.
- Centralized identity across private & public cloud
- Hardened authentication & session security
- Unified logging & monitoring
- Anomaly detection, threat visibility & semi-automated response
A centralized identity fabric enables secure SSO across hybrid cloud. The Global STS (Security Token Service) authenticates users, exchanges tokens, and enforces policy decisions, while platform IAM services map access rights. All activities are centrally monitored for security visibility.
Due to time constraints, the system was implemented in a simplified form: Keycloak serves as Global STS, PDP, and token exchange service. Users authenticate once to obtain a Home Token for AWS and OpenStack access. Logs are centralized in ELK, with incident response automated via Ansible.
Although simplified, the architecture preserves the security model via centralized identity, token federation, and semi-automated monitoring & response.
- Functionality Test: SSO login via Keycloak to Horizon and seamless access to AWS Console; all auth logs centralized in ELK.
- MFA Enforcement: Keycloak enforces OTP-based MFA with mandatory authenticator verification.
- Unsigned Token: Tampered or unsigned OIDC tokens are rejected, preventing unauthorized access.
- Impossible Travel Alert: Geo-anomalous logins trigger Kibana alerts and semi-automatic session revocation with Ansible.
- Replay Attack: Replayed authentication requests are blocked and logged as LOGIN_ERROR.
- Vault-based secret management & key rotation
- Ingress layer with Traefik & ModSecurity
- OPA-driven centralized policy enforcement for JIT access provisioning and ABAC
- GitOps workflow as single source of truth
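The Impossible Travel Alert above is evaluated as a Kibana rule in the project; the following is an added stand-alone example (not the project's own rule or playbook) of the same detection logic run over constructed Keycloak LOGIN events. The IP-to-coordinate table, the 900 km/h threshold and the sample events are assumptions made for the example; in the real pipeline Logstash's geoip enrichment would supply the coordinates.

```python
import json
import math

# Constructed IP -> (lat, lon) lookup standing in for a GeoIP database.
GEO = {
    "203.0.113.10": (10.82, 106.63),  # assumed: Ho Chi Minh City
    "192.0.2.44": (10.80, 106.70),    # assumed: same metro area as above
    "198.51.100.7": (48.86, 2.35),    # assumed: Paris
}

MAX_SPEED_KMH = 900.0  # assumed threshold: faster than an airliner => impossible travel


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_impossible_travel(events, geo=GEO, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive LOGIN events of one user whose implied speed exceeds the threshold.

    `events` are Keycloak event dicts (type, userId, ipAddress, time in ms since epoch).
    Each alert carries the userId so a revocation playbook can act on it.
    """
    last = {}    # userId -> (time_ms, ipAddress, coords)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("type") != "LOGIN" or ev.get("ipAddress") not in geo:
            continue  # failed logins and unresolvable IPs are not geolocated
        coords = geo[ev["ipAddress"]]
        prev = last.get(ev["userId"])
        if prev:
            hours = (ev["time"] - prev[0]) / 3_600_000
            dist = haversine_km(prev[2], coords)
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({"userId": ev["userId"], "from": prev[1], "to": ev["ipAddress"],
                               "km": round(dist), "speed_kmh": round(speed)})
        last[ev["userId"]] = (ev["time"], ev["ipAddress"], coords)
    return alerts


# Constructed sample events in Keycloak's event-log shape (one JSON object per line).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"type":"LOGIN","userId":"u-1","ipAddress":"203.0.113.10","time":1700000000000}
{"type":"LOGIN","userId":"u-1","ipAddress":"192.0.2.44","time":1700001800000}
{"type":"LOGIN","userId":"u-1","ipAddress":"198.51.100.7","time":1700003600000}
{"type":"LOGIN_ERROR","userId":"u-2","ipAddress":"198.51.100.7","time":1700003700000}
""".strip().splitlines()]
```

Running `detect_impossible_travel(SAMPLE_EVENTS)` yields one alert for user `u-1`: the short hop within the same city passes, while the jump to Paris 30 minutes later implies roughly 20,000 km/h.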