Identity Management Infrastructure
Managing identities across cloud accounts, Kubernetes clusters, SaaS tools, and internal applications creates sprawl and security gaps. We implement centralized identity management — one source of truth for who has access to what, with automated provisioning and deprovisioning.
Need this done for your project?
We implement, you ship. Async, documented, done in days.
Identity Provider Setup
We deploy or configure a centralized identity provider: Okta, Azure AD, Google Workspace, or Keycloak for self-hosted. The IdP becomes the single source of truth for all user identities. User attributes (department, role, team) drive automatic group membership and access provisioning. Federation connects the IdP to AWS IAM Identity Center, Kubernetes OIDC, GitHub, and SaaS applications. One identity, one login, consistent access controls everywhere.
User Lifecycle Automation
User provisioning and deprovisioning is automated via SCIM (System for Cross-domain Identity Management). When an employee joins, their IdP account triggers automatic provisioning of: AWS IAM role, Kubernetes namespace access, GitHub team membership, Slack channel membership, and application accounts. When they leave, deprovisioning removes all access within minutes — not days or weeks. No orphaned accounts, no forgotten access, no ex-employee credentials lingering in production.
Group-Based Access Control
Access is managed through groups, not individual assignments. Groups map to roles: engineering-backend gets access to backend repos, staging clusters, and development databases. platform-team gets production Kubernetes access with elevated permissions. data-team gets read-only access to analytics databases. Group membership changes in the IdP automatically propagate to all connected systems. Access reviews audit group membership, not individual permissions.
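The lifecycle automation and group-based model above, as an added illustration (not Anubiz Engineering's code): a small SCIM-style reconciler that derives a user's entitlements from IdP group membership, applies the RFC 7644 PatchOp an IdP sends when a user is deactivated, and performs the single offboarding-completeness check. The group names follow the text; the systems and role strings are constructed for the example.

```python
"""Added example (not Anubiz Engineering's code): a SCIM-style reconciler that
derives each user's access from IdP group membership and checks offboarding.
Group names follow the text; systems/roles are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed: each IdP group grants a set of (system, role) entitlements.
GROUP_ENTITLEMENTS = {
    "engineering-backend": {("github", "backend-repos:write"),
                            ("kubernetes", "staging:edit"),
                            ("postgres", "dev:readwrite")},
    "platform-team": {("kubernetes", "production:admin")},
    "data-team": {("postgres", "analytics:readonly")},
}


@dataclass
class ScimUser:
    user_name: str
    active: bool = True
    groups: set = field(default_factory=set)


def apply_scim_patch(user: ScimUser, patch: dict) -> ScimUser:
    """Apply the 'active' operation of an RFC 7644 PatchOp (the shape an IdP
    sends on offboarding); other paths are ignored here for brevity."""
    for op in patch.get("Operations", []):
        if op.get("op") == "replace" and op.get("path") == "active":
            user.active = bool(op["value"])
    return user


def desired_entitlements(user: ScimUser) -> set:
    """Access the user should hold: union over groups, nothing when inactive."""
    if not user.active:
        return set()
    return set().union(*(GROUP_ENTITLEMENTS.get(g, set()) for g in user.groups))


def reconcile(user: ScimUser, current: set) -> tuple:
    """Diff current access against desired state: (to_grant, to_revoke).
    A group change or deactivation in the IdP becomes a concrete grant/revoke
    list per connected system, which is what propagation means in practice."""
    desired = desired_entitlements(user)
    return desired - current, current - desired


def offboarding_complete(user: ScimUser, current: set) -> bool:
    """The single check: an inactive user holds no entitlement anywhere."""
    return not user.active and not current
```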
Compliance and Audit
Centralized identity management produces a complete audit trail: who was granted access, when, by whom, and through which group. Access reviews are simplified — review group membership rather than individual permissions across dozens of systems. Offboarding completeness is verifiable — one check confirms all access was revoked. The identity system satisfies SOC 2 access management controls, HIPAA workforce security requirements, and ISO 27001 A.9 access control requirements.
Why Anubiz Engineering
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.