Identity management is fundamental in a multi-tenant system. It enables secure operation while remaining open to the needs and participation of multiple organizations and communities. Some tasks and roles require privileged access, which must be handled with responsibility, accountability, and traceability — while also respecting user privacy where appropriate.
At the same time, we must mitigate the significant risk of privileged access falling into the wrong hands, and be prepared for contingencies in case credentials are misused. Strong identity governance is therefore both a security and an operational requirement.
Usability is also a key factor. Integrating multiple systems, each with separate credentials, quickly becomes a burden for users. For this reason, providing Single Sign-On (SSO) is essential.
Our identity management is implemented with Keycloak, integrated with OpenLDAP and RADIUS. Incorporating identity management into the platform gives us a foundation for secure and effective identity handling that serves multiple purposes (access to websites, routers and other services) and allows us to federate identities with external directories and providers (such as eduroam, social identity providers, or other partner organizations).
Implementation Model
In Keycloak, identities are organized into realms, which act as logical directories. Within each realm, we define groups and roles, which are then assigned to users.
Groups are structured by function and context, including:
- Organization members (prefix om_). Example: members of organization ACME belong to group om_acme.
- Team or functional groups (prefix tm_). Example: system administrators belong to group tm_admins.
- Compensation or governance board members (prefix tc_). Example: members of the regional governance board for “La Muntanya” belong to group tc_lamuntanya.
Currently, the identity manager includes around 80 defined groups.
When a user is created, in addition to their personal attributes (name, email, etc.), they are assigned to the relevant groups. Applications and services then grant access privileges to these groups rather than to individual users.
This model provides flexibility and operational efficiency. When a user changes organization, role, or location, it is sufficient to update their group memberships. Access privileges are then automatically granted or revoked across the platform, ensuring consistent, scalable, and auditable access control.
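The following is an added illustration of the group-based model described above; it is not the platform's own code. It assumes the groups claim reaches a service as a list of Keycloak group paths (what Keycloak's "Group Membership" protocol mapper emits, e.g. "/om_acme"); the service names and policies are made up for the example. It also handles a case the text does not spell out: a group that does not follow the om_/tm_/tc_ convention is ignored rather than matched, so a stray or mistyped group can never grant access.

```python
"""Group-based authorization over Keycloak-style group claims (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Naming convention used by the identity manager: prefix -> kind of group.
PREFIXES = {"om_": "organization", "tm_": "team", "tc_": "board"}


def classify_group(path: str) -> tuple[str, str]:
    """Split a Keycloak group path into (kind, name) using the om_/tm_/tc_ convention.

    Raises ValueError for groups outside the naming scheme so that an
    unexpected group can never silently grant access.
    """
    name = path.rsplit("/", 1)[-1]  # Keycloak emits "/om_acme" or "/parent/om_acme"
    for prefix, kind in PREFIXES.items():
        if name.startswith(prefix) and len(name) > len(prefix):
            return kind, name
    raise ValueError(f"group {path!r} does not follow the om_/tm_/tc_ convention")


@dataclass
class Policy:
    """Which groups may reach a service. Access is granted to groups, never to users."""
    allowed_groups: set[str] = field(default_factory=set)


# Constructed example policies; the service names are hypothetical.
POLICIES = {
    "router-admin": Policy({"tm_admins"}),
    "acme-intranet": Policy({"om_acme", "tm_admins"}),
    "lamuntanya-board": Policy({"tc_lamuntanya"}),
}


def authorize(service: str, groups_claim: list[str]) -> bool:
    """Return True if any well-formed group of the user is allowed on the service.

    Unknown services are denied by default. Groups that break the naming
    convention are skipped (a real service would log them) instead of matched.
    """
    policy = POLICIES.get(service)
    if policy is None:
        return False
    user_groups: set[str] = set()
    for path in groups_claim:
        try:
            _, name = classify_group(path)
        except ValueError:
            continue
        user_groups.add(name)
    return bool(user_groups & policy.allowed_groups)


def move_user(groups_claim: list[str], old_group: str, new_group: str) -> list[str]:
    """Simulate a user changing organization: swap one group path, keep the rest.

    Nothing else has to change for access to follow the user, because every
    policy above refers to groups rather than to individual users.
    """
    out = []
    for path in groups_claim:
        parent, _, name = path.rpartition("/")
        out.append(f"{parent}/{new_group}" if name == old_group else path)
    return out


if __name__ == "__main__":
    alice = ["/om_acme", "/tc_lamuntanya"]
    print(authorize("acme-intranet", alice))        # True: member of om_acme
    print(authorize("router-admin", alice))         # False: not in tm_admins
    alice = move_user(alice, "om_acme", "om_globex")
    print(authorize("acme-intranet", alice))        # False after leaving ACME
    print(authorize("router-admin", ["/admins"]))   # False: group has no prefix
```

The point of the check in classify_group is that access decisions key on the naming convention: a group created outside it (for instance "admins" without the tm_ prefix) is not treated as equivalent to tm_admins, and a service that is not in the policy table denies everyone.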