Building an Enterprise IAM Laboratory for Identity Engineers.
Modern Identity and Access Management is often learned by configuring individual products. While valuable, this approach rarely explains why organizations progressively adopt new identity architectures as they evolve.
IAM Labs was created to bridge this gap. Rather than presenting Keycloak, Active Directory or OpenID Connect as isolated technologies, the project follows the realistic evolution of a fictional software company called ACME. As the company grows, new business requirements emerge, requiring increasingly sophisticated Identity and Access Management solutions.
Each architectural iteration introduces one additional enterprise concept while preserving the previous implementations. The objective is not only to understand how modern IAM systems are built, but also why organizations adopt them as they scale.
IAM Labs demonstrates the progressive evolution of an enterprise Identity and Access Management infrastructure.
Instead of focusing on a single technology, the laboratory explores how organizations evolve from local authentication to centralized identity, enterprise directories, identity federation, Single Sign-On and automated provisioning.
The project is intentionally designed as an incremental learning journey. Every architecture introduces a new enterprise concept while building upon the previous one, allowing learners to understand the motivation behind each architectural decision.
The laboratory follows the evolution of a fictional software company called ACME.
Initially, the company relies on local user accounts. For a small startup this solution is simple, inexpensive and easy to administer.
As the organization grows, identity management rapidly becomes more complex. New developers join the engineering team, additional applications are introduced and maintaining separate user accounts inside every application becomes increasingly difficult.
This evolution naturally introduces new business requirements, including centralized authentication, enterprise directories, identity federation and automated provisioning. Each stage of the laboratory mirrors the challenges faced by a real organization adopting modern Identity and Access Management practices.
As ACME expands, several challenges emerge.
These requirements become the foundation for progressively introducing enterprise Identity and Access Management architectures.
IAM Labs is intentionally built in iterations. Each architecture introduces one additional enterprise concept while preserving the previous implementations.
The project currently explores three major architectural stages.
The initial architecture represents a small software company where applications manage users and passwords locally. Authentication is performed independently by each application, requiring administrators to manually manage user accounts.
The first evolution introduces Keycloak as a centralized Identity Provider. Applications delegate authentication through OpenID Connect while continuing to manage authorization locally. A provisioning engine synchronizes users from Keycloak into Gitea, separating authentication from application management.
The current implementation introduces Microsoft Active Directory as the organization's Source of Truth. Keycloak federates identities through LDAP, while enterprise applications authenticate using OpenID Connect. Passwords are managed exclusively by Active Directory, providing centralized identity management and enterprise authentication.
The current implementation represents a modern enterprise Identity and Access Management architecture designed around the principle of separation of responsibilities.
Rather than allowing each application to manage users independently, IAM Labs centralizes identity management while preserving application- specific authorization.
The infrastructure is composed of Microsoft Active Directory, Keycloak, Gitea, PostgreSQL, Docker Compose and a custom Python-based provisioning engine.
Active Directory acts as the organization's authoritative identity repository, Keycloak provides federated authentication through LDAP, and enterprise applications authenticate users using OpenID Connect.
One of the primary design objectives of IAM Labs is to demonstrate the clear separation between identity management, authentication, authorization and provisioning.
| Responsibility | Component |
|---|---|
| Identity Store | Active Directory |
| Password Management | Active Directory |
| Identity Provider | Keycloak |
| Authentication | Keycloak |
| Provisioning | Provisioning Engine |
| Authorization | Gitea |
| Repository Management | Gitea |
This architecture reflects common enterprise IAM practices where each component has a single responsibility and applications no longer manage credentials directly.
Authentication is centralized inside Keycloak using OpenID Connect. Applications never validate user credentials directly. Instead, they redirect users to the Identity Provider, which authenticates them and returns a signed identity token.
This approach enables Single Sign-On, reduces password duplication and ensures that authentication policies are managed consistently across all integrated applications.
Once authentication has been completed, Gitea creates a local session while continuing to manage repositories, permissions and user activity.
As organizations continue to grow, identity management eventually moves beyond the Identity Provider itself.
IAM Labs therefore introduces Microsoft Active Directory as the organization's Source of Truth. Employee identities, passwords and organizational groups are stored inside the enterprise directory, while Keycloak federates these identities through LDAP.
This architecture mirrors the deployment adopted by many enterprise organizations, where the corporate directory becomes the authoritative repository for identities and authentication policies.
Authentication alone is not sufficient to integrate enterprise applications. Although users authenticate through Keycloak, applications such as Gitea still require local accounts to manage permissions, repositories and activity.
To bridge this gap, IAM Labs introduces a modular provisioning engine implemented in Python. The engine retrieves users from Keycloak, compares them with the users already present inside Gitea and computes a provisioning plan before performing any modification.
Rather than blindly creating accounts, the provisioning engine follows a reconciliation approach. It identifies missing users, determines which actions are required and supports dry-run executions before applying changes.
Provisioning is controlled through Keycloak realm roles.
Only users assigned the
gitea-user
role are synchronized into Gitea.
This allows the Identity Provider to manage every employee while
provisioning access only for those requiring the application.
IAM Labs combines widely adopted enterprise technologies to demonstrate how modern Identity and Access Management infrastructures are designed and deployed.
| Component | Technology |
|---|---|
| Enterprise Directory | Microsoft Active Directory |
| Identity Provider | Keycloak |
| Federation | LDAP |
| Authentication | OpenID Connect |
| Application | Gitea |
| Provisioning | Python |
| Database | PostgreSQL |
| Deployment | Docker Compose |
Together, these technologies provide a realistic laboratory for exploring modern enterprise Identity and Access Management, demonstrating how authentication, federation and provisioning interact within a scalable architecture.
Building an Identity and Access Management platform is not simply a matter of deploying authentication software. Every architectural decision affects how identities are managed, how trust is established between systems and how organizations scale over time.
One of the main lessons emerging from IAM Labs is the importance of separating identity management, authentication, authorization and provisioning into independent components. This separation not only improves security but also allows each component to evolve independently while remaining interoperable through open standards.
The project also highlights an important architectural principle: applications should no longer be responsible for validating credentials. Instead, authentication is delegated to a centralized Identity Provider, while each application remains responsible for managing its own resources and authorization policies.
Finally, IAM Labs demonstrates that enterprise identity is an evolutionary process. Organizations rarely adopt a complete IAM ecosystem from the beginning. Instead, they progressively introduce new technologies as business requirements evolve.
IAM Labs has been intentionally designed as an evolving laboratory. Future architectural iterations will progressively introduce additional enterprise Identity and Access Management capabilities.
Each iteration will continue following the same philosophy adopted by the project: introducing one new architectural concept while preserving and extending the previous implementations.
IAM Labs has been designed for students, junior Identity Engineers and software engineers who want to understand how enterprise Identity and Access Management systems are designed in practice.
Rather than providing isolated configuration examples, the laboratory offers a realistic business scenario where architectural decisions emerge naturally from organizational growth. Learners can therefore understand not only how to configure modern IAM technologies, but also why they are introduced and how they interact within a complete identity ecosystem.
IAM Labs is released as an open-source educational project. The complete source code, documentation and deployment instructions are available on GitHub.
Identity has become one of the most critical components of modern software systems. As organizations continue to grow, authentication alone is no longer sufficient. Identity management must support federation, interoperability, automated provisioning and clear separation of responsibilities between infrastructure components.
IAM Labs was created to demonstrate this evolution through practical architectures rather than isolated technologies. By combining enterprise directories, federated authentication, provisioning engines and modern identity standards, the laboratory provides a foundation for understanding how contemporary IAM systems are designed, implemented and extended.
Ultimately, the project is not about learning Keycloak or Active Directory. It is about understanding the architectural principles that allow enterprise identity ecosystems to remain scalable, interoperable and maintainable as organizations evolve.
Written by
Cristian Lepore