Identity Providers

Azure AD Configuration

Overview

Azure AD serves as the primary identity provider for all internal users, providing enterprise-grade security features and seamless integration with the Microsoft ecosystem.

Key Features

Multi-Factor Authentication (MFA)

  • Enabled by default for all internal users
  • Support for Microsoft Authenticator, SMS, and hardware tokens
  • Conditional access based on location and device compliance

Conditional Access Policies

Policy Examples:
  High-Risk Users:
    - Require MFA
    - Block risky sign-ins
    - Require compliant device

  External Access:
    - Require MFA
    - Approve device registration
    - Monitor for anomalies

  Privileged Users:
    - Require MFA always
    - Limit access locations
    - Session timeout: 4 hours

Role-Based Access Control

Role              | Permissions                   | Typical Users
------------------|-------------------------------|------------------
Global Admin      | Full Azure AD management      | IT Administrators
User Admin        | User and group management     | HR, IT Support
Security Admin    | Security policies and reports | Security Team
Application Admin | Enterprise app management     | DevOps, IT

Integration Points

With Odoo

  • Protocol: SAML 2.0
  • Claim Mapping: Email, groups, department
  • Session Management: 8-hour timeout with refresh

With AWS

  • Identity Federation: Azure AD → AWS IAM Roles
  • Access Method: Temporary credentials via SAML
  • Permission Model: Least privilege principle

Keycloak Configuration

Overview

Keycloak manages external user identities and provides customizable authentication flows for customer-facing applications.

Key Features

Realm Management

Realms:
  OVES-Customers:
    - Customer user management
    - Subscription service integration
    - Self-service password reset

  OVES-Partners:
    - Partner portal access
    - Resource sharing
    - Collaboration tools

  OVES-Franchisees:
    - Franchise management
    - Regional customization
    - Performance dashboards

Authentication Flows

  • Standard Flow: Username/password with optional MFA
  • Browser Flow: Social login integration (Google, Facebook)
  • Direct Grant: API access for mobile applications
  • Client Credentials: Service-to-service authentication

Identity Brokering

External identity provider integration:

  • Google: Customer convenience
  • Facebook: Social authentication
  • LinkedIn: Partner network integration

Integration Points

With Odoo

  • Protocol: OpenID Connect
  • Token Management: JWT with 1-hour expiry
  • Scope Management: Limited to customer data only

With Customer Portal

  • SSO Experience: Seamless login across all customer services
  • Session Sharing: Unified session management
  • Logout Handling: Global logout from all applications

Identity Provider Comparison

Feature          | Azure AD                                 | Keycloak
-----------------|------------------------------------------|-------------------------------
Primary Users    | Internal (Employees, Contractors)        | External (Customers, Partners)
Authentication   | Enterprise MFA, Conditional Access (CAP) | Social login, Standard MFA
Protocol Support | SAML, OIDC, OAuth 2.0                    | OIDC, SAML, OAuth 2.0
Customization    | Limited to Microsoft ecosystem           | Highly customizable
Hosting          | Microsoft Cloud                          | Self-hosted or cloud
Cost Model       | Per-user licensing                       | Open source + hosting
Compliance       | Enterprise (SOX, HIPAA)                  | Configurable

Security Models

Azure AD Security

Zero Trust Implementation

Verification Levels:
  Level 1 - Basic:
    - Username/password
    - Device registration

  Level 2 - Enhanced:
    - MFA required
    - Device compliance check

  Level 3 - High Security:
    - Hardware token MFA
    - Approved location only
    - Privileged access workstation

Privileged Identity Management (PIM)

  • Just-in-time access: Temporary elevation for admin tasks
  • Approval workflows: Multi-person approval for sensitive operations
  • Access reviews: Regular permission audits

Keycloak Security

Customer Data Protection

  • Data Minimization: Only collect necessary user information
  • Consent Management: Clear opt-in/opt-out mechanisms
  • Right to be Forgotten: Data deletion workflows

Session Security

Session Configuration:
  Timeout Settings:
    - Idle timeout: 30 minutes
    - Max session: 8 hours
    - Remember me: 30 days

  Security Headers:
    - SameSite cookies
    - Secure flag enabled
    - HttpOnly protection
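The cookie attributes listed above are only useful if the deployment actually emits them. The following is an added example (not Keycloak's code and not configuration from this deployment) that audits Set-Cookie headers against the three attributes and the 30-day remember-me ceiling. The header values are constructed sample input; the cookie names are Keycloak's usual ones but the values and paths are made up.

```python
"""Audit Set-Cookie headers for the session-hardening attributes the page lists
(SameSite, Secure, HttpOnly) plus the 30-day remember-me ceiling.
Added example; the headers below are constructed, not captured from a server."""
from typing import Dict, List, Tuple

ACCEPTED_SAMESITE = {"lax", "strict"}          # "None" weakens cross-site protection
REMEMBER_ME_MAX_AGE = 30 * 24 * 3600           # 30 days, as configured above


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie header into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")     # flag-style attributes get value ""
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header: str) -> List[str]:
    """Return findings for one Set-Cookie header; an empty list means compliant."""
    _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ACCEPTED_SAMESITE:
        findings.append("SameSite not Lax/Strict" if samesite else "missing SameSite")
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > REMEMBER_ME_MAX_AGE:
        findings.append("Max-Age exceeds 30 days")
    return findings


def audit_all(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


# Constructed sample headers (hypothetical realm path and values).
SAMPLE_HEADERS = [
    "KEYCLOAK_SESSION=abc123; Path=/realms/OVES-Customers; Secure; HttpOnly; SameSite=Lax",
    "KEYCLOAK_IDENTITY=def456; Path=/realms/OVES-Customers; HttpOnly",
    "KEYCLOAK_REMEMBER_ME=ghi789; Path=/; Secure; HttpOnly; SameSite=None; Max-Age=7776000",
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

Run it against the headers your own deployment returns (for example captured from a browser's network panel) to confirm the configuration above made it to production; the second and third sample cookies show the two most common slips, a missing Secure/SameSite pair and a remember-me lifetime longer than policy.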

Integration Architecture

Federated Authentication Flow

sequenceDiagram
    participant U as User
    participant A as Application
    participant IDP as Identity Provider
    participant O as Odoo

    U->>A: Access Request
    A->>IDP: Redirect to Login
    IDP->>U: Authentication Challenge
    U->>IDP: Credentials
    IDP->>A: SAML/OIDC Response
    A->>O: Authenticated Request
    O->>U: Application Access
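The two arrows between Application and Identity Provider in the diagram (the redirect out and the response back) are where a relying party has to bind the response to the browser session that started it. The block below is an added example, not code from Odoo or this deployment, showing the application side of an OIDC authorization-code login: it generates state, nonce and a PKCE challenge for the redirect, and rejects any callback whose state does not match or that is replayed. The endpoint, client id and redirect URI are placeholders.

```python
"""Application side of the Redirect-to-Login / SAML-OIDC-Response steps above,
for the OIDC authorization-code flow. Added example; URLs and client id are
placeholders, and no real IdP is contacted."""
import base64
import hashlib
import secrets
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (hypothetical realm, client and callback); not values from this deployment.
AUTHORIZE_URL = "https://idp.example.invalid/realms/OVES-Customers/protocol/openid-connect/auth"
CLIENT_ID = "customer-portal"
REDIRECT_URI = "https://portal.example.invalid/callback"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def begin_login(session: Dict) -> str:
    """Step A->>IDP: mint per-request secrets, park them in the server-side session,
    and return the URL the browser is redirected to."""
    verifier = _b64url(secrets.token_bytes(32))                # PKCE code_verifier (43 chars)
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    session["oidc"] = {
        "state": _b64url(secrets.token_bytes(16)),             # ties the callback to this session
        "nonce": _b64url(secrets.token_bytes(16)),             # must reappear inside the ID token
        "code_verifier": verifier,                             # sent only with the token request
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": session["oidc"]["state"],
        "nonce": session["oidc"]["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: Dict, callback_url: str) -> Dict[str, str]:
    """Step IDP->>A: validate the callback before the code is exchanged for tokens.
    Returns what the token request needs; raises ValueError on any failed check."""
    pending = session.pop("oidc", None)        # one-shot: a second delivery of the same callback fails
    if pending is None:
        raise ValueError("no login in progress for this session")
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"identity provider returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: callback is not bound to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {"code": code, "code_verifier": pending["code_verifier"],
            "expected_nonce": pending["nonce"]}


if __name__ == "__main__":
    sess: Dict = {}
    redirect = begin_login(sess)
    print("redirect browser to:", redirect)
    # Simulated callback from the IdP (constructed; the code value is made up).
    state = sess["oidc"]["state"]
    print(handle_callback(sess, f"{REDIRECT_URI}?code=demo-code&state={state}"))
```

The `expected_nonce` returned here is what the application compares against the `nonce` claim once the ID token arrives; the `code_verifier` goes in the token request so the IdP can check it against the challenge sent in the redirect. Pulling the pending record out of the session with `pop` is what makes a replayed callback fail closed.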

Token Management

Azure AD Tokens

  • Access Token: 1-hour validity
  • Refresh Token: 90-day sliding window
  • ID Token: Contains user claims and groups

Keycloak Tokens

  • Access Token: 1-hour validity
  • Refresh Token: 30-day validity
  • Custom Claims: Customer-specific attributes
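The lifetimes above only protect anything if the consuming application actually enforces them. The block below is an added example, not Keycloak's or Azure AD's code, of the checks a relying party performs on a received token: pinned algorithm, signature, issuer, audience, expiry with a small clock-skew allowance, and the login nonce for an ID token. It signs with an HS256 shared secret so it runs on the standard library alone; tokens from these providers are normally RS256 and are verified against the issuer's published signing keys, but the claim checks are the same. Issuer, audience and secret are constructed placeholders.

```python
"""Relying-party checks on an access/ID token: alg pinned, signature, iss, aud,
exp (1-hour lifetime as listed above) and nonce. Added example; HS256 with a
constructed shared secret stands in for the IdP's RS256 key so it is self-contained."""
import base64
import hashlib
import hmac
import json
from typing import Optional

ISSUER = "https://idp.example.invalid/realms/OVES-Customers"   # placeholder issuer
AUDIENCE = "customer-portal"                                   # placeholder client id
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
ACCESS_TOKEN_LIFETIME = 3600                                   # 1 hour, per the lists above
CLOCK_SKEW = 30                                                # seconds of tolerated skew


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, issued_at: int, secret: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT; stands in for the IdP so the example can be run offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iss=ISSUER, aud=AUDIENCE, iat=issued_at,
                exp=issued_at + ACCESS_TOKEN_LIFETIME)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(body, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, now: int, expected_nonce: Optional[str] = None,
                 secret: bytes = SHARED_SECRET) -> dict:
    """Return the verified claims, or raise ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # The verifier decides the algorithm; the token never does ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))        # parsed only after the signature holds
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if now > claims.get("exp", 0) + CLOCK_SKEW:
        raise ValueError("token expired")
    if expected_nonce is not None and not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch: possible replayed ID token")
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_token({"sub": "user-1", "nonce": "n1"}, t0)
    print(verify_token(token, t0 + 60, expected_nonce="n1"))
    try:
        verify_token(token, t0 + ACCESS_TOKEN_LIFETIME + CLOCK_SKEW + 1)
    except ValueError as err:
        print("rejected:", err)
```

Note the order: the algorithm is pinned and the signature checked before the payload is even parsed, and only then are iss, aud, exp and nonce compared. The refresh-token lifetimes above are enforced by the IdP's token endpoint rather than by this code; the application only ever sees whether a refresh was granted.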

Monitoring and Maintenance

Health Monitoring

Azure AD Metrics

  • Authentication success rates
  • MFA adoption rates
  • Failed login attempts
  • Conditional access policy effectiveness
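As an added example of turning sign-in records into the first three metrics above, the block below computes the authentication success rate, MFA adoption among successful sign-ins and the failed-attempt count, and flags any account whose failures cross a threshold. This is not Azure AD's code and the records use a constructed, simplified schema (not the Azure AD sign-in log format); the threshold value is an assumption to be tuned to the environment.

```python
"""Authentication success rate, MFA adoption and failed-login detection over
sign-in records. Added example with a constructed record schema; the
failure threshold is an assumed starting point, not a policy value from the page."""
import json
from collections import Counter
from typing import Dict, List

# Constructed sample records (simplified schema, hypothetical users).
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice@example.invalid", "result": "success", "mfa": true}
{"ts": "2024-05-01T08:01:00Z", "user": "bob@example.invalid",   "result": "success", "mfa": false}
{"ts": "2024-05-01T08:02:00Z", "user": "carol@example.invalid", "result": "failure", "mfa": false}
{"ts": "2024-05-01T08:02:05Z", "user": "carol@example.invalid", "result": "failure", "mfa": false}
{"ts": "2024-05-01T08:02:09Z", "user": "carol@example.invalid", "result": "failure", "mfa": false}
{"ts": "2024-05-01T08:02:14Z", "user": "carol@example.invalid", "result": "failure", "mfa": false}
{"ts": "2024-05-01T08:02:20Z", "user": "carol@example.invalid", "result": "failure", "mfa": false}
{"ts": "2024-05-01T08:03:00Z", "user": "alice@example.invalid", "result": "success", "mfa": true}
{"ts": "2024-05-01T08:04:00Z", "user": "dave@example.invalid",  "result": "failure", "mfa": false}
{"ts": "2024-05-01T08:04:30Z", "user": "dave@example.invalid",  "result": "success", "mfa": true}
"""

FAILURE_THRESHOLD = 5   # assumed: failures per user that warrant an alert


def parse_log(text: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def per_user_failures(records: List[Dict]) -> Counter:
    """Count failed sign-ins per user."""
    return Counter(r["user"] for r in records if r["result"] == "failure")


def summarize(records: List[Dict], failure_threshold: int = FAILURE_THRESHOLD) -> Dict:
    """Return the page's metrics plus the accounts exceeding the failure threshold."""
    total = len(records)
    successes = [r for r in records if r["result"] == "success"]
    with_mfa = sum(1 for r in successes if r.get("mfa"))
    flagged = sorted(u for u, n in per_user_failures(records).items() if n >= failure_threshold)
    return {
        "total": total,
        "success_rate": len(successes) / total if total else 0.0,
        "mfa_adoption": with_mfa / len(successes) if successes else 0.0,
        "failed_total": total - len(successes),
        "flagged_users": flagged,
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The MFA adoption figure is deliberately computed over successful sign-ins only, since a failed attempt never reaches the MFA step; a drop in that ratio, or a user appearing in `flagged_users`, is the kind of signal the conditional-access policies above are meant to respond to.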

Keycloak Metrics

  • User registration rates
  • Session duration analytics
  • External identity provider usage
  • Custom realm performance

Maintenance Tasks

Regular Activities

  • Monthly: Access reviews and cleanup
  • Quarterly: Policy updates and compliance checks
  • Annually: Architecture review and optimization

Incident Response

  • Breach Detection: Automated alerts for suspicious activity
  • Account Lockdown: Immediate suspension capabilities
  • Recovery Procedures: Documented restoration processes
