IAM Labs

Building an Enterprise IAM Laboratory for Identity Engineers.

Modern Identity and Access Management is often learned by configuring individual products. While valuable, this approach rarely explains why organizations progressively adopt new identity architectures as they evolve.

IAM Labs was created to bridge this gap. Rather than presenting Keycloak, Active Directory or OpenID Connect as isolated technologies, the project follows the realistic evolution of a fictional software company called ACME. As the company grows, new business requirements emerge, requiring increasingly sophisticated Identity and Access Management solutions.

Each architectural iteration introduces one additional enterprise concept while preserving the previous implementations. The objective is not only to understand how modern IAM systems are built, but also why organizations adopt them as they scale.

Project Vision

IAM Labs demonstrates the progressive evolution of an enterprise Identity and Access Management infrastructure.

Instead of focusing on a single technology, the laboratory explores how organizations evolve from local authentication to centralized identity, enterprise directories, identity federation, Single Sign-On and automated provisioning.

The project is intentionally designed as an incremental learning journey. Every architecture introduces a new enterprise concept while building upon the previous one, allowing learners to understand the motivation behind each architectural decision.

Learning Journey

The laboratory follows the evolution of a fictional software company called ACME.

Initially, the company relies on local user accounts. For a small startup this solution is simple, inexpensive and easy to administer.

As the organization grows, identity management rapidly becomes more complex. New developers join the engineering team, additional applications are introduced and maintaining separate user accounts inside every application becomes increasingly difficult.

This evolution naturally introduces new business requirements, including centralized authentication, enterprise directories, identity federation and automated provisioning. Each stage of the laboratory mirrors the challenges faced by a real organization adopting modern Identity and Access Management practices.

Business Requirements

As ACME expands, several challenges emerge.

These requirements become the foundation for progressively introducing enterprise Identity and Access Management architectures.

Architecture Evolution

IAM Labs is intentionally built in iterations. Each architecture introduces one additional enterprise concept while preserving the previous implementations.

The project currently explores three major architectural stages.

Architecture 0 — Local Authentication

The initial architecture represents a small software company where applications manage users and passwords locally. Authentication is performed independently by each application, requiring administrators to manually manage user accounts.

Architecture 0

Architecture 1 — Centralized Identity

The first evolution introduces Keycloak as a centralized Identity Provider. Applications delegate authentication through OpenID Connect while continuing to manage authorization locally. A provisioning engine synchronizes users from Keycloak into Gitea, separating authentication from application management.

Architecture 1

Architecture 2 — Enterprise Directory

The current implementation introduces Microsoft Active Directory as the organization's Source of Truth. Keycloak federates identities through LDAP, while enterprise applications authenticate using OpenID Connect. Passwords are managed exclusively by Active Directory, providing centralized identity management and enterprise authentication.

Architecture 2

Current Architecture

The current implementation represents a modern enterprise Identity and Access Management architecture designed around the principle of separation of responsibilities.

Rather than allowing each application to manage users independently, IAM Labs centralizes identity management while preserving application- specific authorization.

The infrastructure is composed of Microsoft Active Directory, Keycloak, Gitea, PostgreSQL, Docker Compose and a custom Python-based provisioning engine.

Active Directory acts as the organization's authoritative identity repository, Keycloak provides federated authentication through LDAP, and enterprise applications authenticate users using OpenID Connect.

Separation of Responsibilities

One of the primary design objectives of IAM Labs is to demonstrate the clear separation between identity management, authentication, authorization and provisioning.

Responsibility Component
Identity Store Active Directory
Password Management Active Directory
Identity Provider Keycloak
Authentication Keycloak
Provisioning Provisioning Engine
Authorization Gitea
Repository Management Gitea

This architecture reflects common enterprise IAM practices where each component has a single responsibility and applications no longer manage credentials directly.

Authentication

Authentication is centralized inside Keycloak using OpenID Connect. Applications never validate user credentials directly. Instead, they redirect users to the Identity Provider, which authenticates them and returns a signed identity token.

This approach enables Single Sign-On, reduces password duplication and ensures that authentication policies are managed consistently across all integrated applications.

Once authentication has been completed, Gitea creates a local session while continuing to manage repositories, permissions and user activity.

Enterprise Directory

As organizations continue to grow, identity management eventually moves beyond the Identity Provider itself.

IAM Labs therefore introduces Microsoft Active Directory as the organization's Source of Truth. Employee identities, passwords and organizational groups are stored inside the enterprise directory, while Keycloak federates these identities through LDAP.

This architecture mirrors the deployment adopted by many enterprise organizations, where the corporate directory becomes the authoritative repository for identities and authentication policies.

Provisioning Engine

Authentication alone is not sufficient to integrate enterprise applications. Although users authenticate through Keycloak, applications such as Gitea still require local accounts to manage permissions, repositories and activity.

To bridge this gap, IAM Labs introduces a modular provisioning engine implemented in Python. The engine retrieves users from Keycloak, compares them with the users already present inside Gitea and computes a provisioning plan before performing any modification.

Rather than blindly creating accounts, the provisioning engine follows a reconciliation approach. It identifies missing users, determines which actions are required and supports dry-run executions before applying changes.

Provisioning is controlled through Keycloak realm roles. Only users assigned the gitea-user role are synchronized into Gitea. This allows the Identity Provider to manage every employee while provisioning access only for those requiring the application.

Technology Stack

IAM Labs combines widely adopted enterprise technologies to demonstrate how modern Identity and Access Management infrastructures are designed and deployed.

Component Technology
Enterprise DirectoryMicrosoft Active Directory
Identity ProviderKeycloak
FederationLDAP
AuthenticationOpenID Connect
ApplicationGitea
ProvisioningPython
DatabasePostgreSQL
DeploymentDocker Compose

Together, these technologies provide a realistic laboratory for exploring modern enterprise Identity and Access Management, demonstrating how authentication, federation and provisioning interact within a scalable architecture.

Lessons Learned

Building an Identity and Access Management platform is not simply a matter of deploying authentication software. Every architectural decision affects how identities are managed, how trust is established between systems and how organizations scale over time.

One of the main lessons emerging from IAM Labs is the importance of separating identity management, authentication, authorization and provisioning into independent components. This separation not only improves security but also allows each component to evolve independently while remaining interoperable through open standards.

The project also highlights an important architectural principle: applications should no longer be responsible for validating credentials. Instead, authentication is delegated to a centralized Identity Provider, while each application remains responsible for managing its own resources and authorization policies.

Finally, IAM Labs demonstrates that enterprise identity is an evolutionary process. Organizations rarely adopt a complete IAM ecosystem from the beginning. Instead, they progressively introduce new technologies as business requirements evolve.

Future Roadmap

IAM Labs has been intentionally designed as an evolving laboratory. Future architectural iterations will progressively introduce additional enterprise Identity and Access Management capabilities.

Each iteration will continue following the same philosophy adopted by the project: introducing one new architectural concept while preserving and extending the previous implementations.

Who is this project for?

IAM Labs has been designed for students, junior Identity Engineers and software engineers who want to understand how enterprise Identity and Access Management systems are designed in practice.

Rather than providing isolated configuration examples, the laboratory offers a realistic business scenario where architectural decisions emerge naturally from organizational growth. Learners can therefore understand not only how to configure modern IAM technologies, but also why they are introduced and how they interact within a complete identity ecosystem.

Open Source

IAM Labs is released as an open-source educational project. The complete source code, documentation and deployment instructions are available on GitHub.

GitHub Repository →

Final Thoughts

Identity has become one of the most critical components of modern software systems. As organizations continue to grow, authentication alone is no longer sufficient. Identity management must support federation, interoperability, automated provisioning and clear separation of responsibilities between infrastructure components.

IAM Labs was created to demonstrate this evolution through practical architectures rather than isolated technologies. By combining enterprise directories, federated authentication, provisioning engines and modern identity standards, the laboratory provides a foundation for understanding how contemporary IAM systems are designed, implemented and extended.

Ultimately, the project is not about learning Keycloak or Active Directory. It is about understanding the architectural principles that allow enterprise identity ecosystems to remain scalable, interoperable and maintainable as organizations evolve.

Written by

Cristian Lepore