Keycloak is a popular open‑source Identity & Access Management (IAM) server, but like most IAMs it lets any admin make instant, irreversible changes. In regulated or high-security setups that "god mode" is a nightmare.
We built Keycloak-IGA, a fork that bakes a light weight approval workflow into the server, which must be cleared before high stakes changes can go live:
Features include:
- Draft → Pending → Approved states for user, role, client & realm changes
- Quorum engine (default "70%" of admins) - four-eyes control enforced by code
- Zero overhead unless you switch it on
- Emits audit events aligned with PCI-DSS, SOX, ISO 27001, HIPAA, NIST 800‑53
Looking for feedback on:
- Does the built‑in model beat the usual "proxy + ticket + webhook" approach?
- Is 70% quorum sane? Would you prefer fixed reviewers, AD groups, etc.?
- What's missing before you'd trust this in prod?
SaltNHash•5h ago
Keycloak is a popular open‑source Identity & Access Management (IAM) server, but like most IAMs it lets any admin make instant, irreversible changes. In regulated or high-security setups that "god mode" is a nightmare.
We built Keycloak-IGA, a fork that bakes a light weight approval workflow into the server, which must be cleared before high stakes changes can go live:
Features include: - Draft → Pending → Approved states for user, role, client & realm changes - Quorum engine (default "70%" of admins) - four-eyes control enforced by code - Zero overhead unless you switch it on - Emits audit events aligned with PCI-DSS, SOX, ISO 27001, HIPAA, NIST 800‑53
Try it in a few mins git clone https://github.com/tide-foundation/keycloak-IGA cd keycloak-IGA docker compose up # spins a demo realm with IGA extensions pre-wired
Walkthrough video(4min): https://www.youtube.com/watch?v=BrTBgFM7Lq0
Looking for feedback on: - Does the built‑in model beat the usual "proxy + ticket + webhook" approach? - Is 70% quorum sane? Would you prefer fixed reviewers, AD groups, etc.? - What's missing before you'd trust this in prod?
Background & design notes: https://github.com/keycloak/keycloak/discussions/41350
MIT licensed, so fork away, and tell us what you think.
Thanks!