IAM · Identity & Access Management

Enterprise Identity Stack
Interactive Study Guide

Explore a production-grade IAM system — Keycloak, Django, Microsoft Entra ID, Authentik (offline fallback), and eIDAS — all wired together. Simulate auth flows, inspect JWT tokens, watch live traffic, and understand how EU citizen identity works at LoA High.

Keycloak 24 · Django 5.1 · MS Entra ID · Authentik · eIDAS / EU · OIDC · SAML2 · JWT · Quarkus (next)
01 System Architecture OIDC · SAML2 · LDAP federation
Keycloak 24
IDENTITY BROKER · HUB
Central token issuer. Manages realms, clients, federation flows, and auth pipelines. All apps trust only Keycloak's JWKS endpoint.
OIDC · SAML2 · LDAP · WebAuthn
Django 5.1
RESOURCE SERVER · API
Validates JWTs from Keycloak, maps realm_access.roles to Django groups via ClaimsMiddleware. Enforces LoA on protected views.
mozilla-oidc · ClaimsBackend
Microsoft Entra
CORPORATE IDP · FEDERATED
Microsoft 365 identity. Federated into Keycloak via OIDC — your app never touches Entra directly. One issuer, one JWKS for all clients.
OIDC Federation · App Reg
Authentik
OFFLINE FALLBACK · OSS
Self-hosted Entra alternative. Synced via SCIM. Identical claim mappings so Keycloak switches transparently when Entra is unreachable.
SCIM · OIDC · Air-gap ready
eIDAS Broker
EU CITIZEN IDENTITY · CEF
Connects Keycloak to notified national IdPs across the EU. BundID (DE), FranceConnect+ (FR), Cl@ve (ES). Enforces LoA Low / Substantial / High.
SAML2 · CEF eDelivery · LoA
Nginx Gateway
EDGE PROXY · TLS TERMINATION
Routes /auth/* to Keycloak, /api/* to Django. Adds X-Forwarded-For, rate-limits auth endpoints, terminates TLS before any service sees traffic.
HTTP/2 · Rate limit · Headers
Request flow topology (diagram)
Client zone: Browser; Mobile App (iOS / Android); API Client (M2M / Service); eIDAS Node (EU citizen). All traffic enters through the Nginx API Gateway, which routes to Keycloak (OIDC · SAML2 · LDAP, realm: enterprise) and to Django (mozilla-oidc · Claims middleware, JWT validation · RS256). Keycloak federates to Entra / Authentik (federated IdP; offline: Authentik OSS) and to the eIDAS Broker (CEF; SAML2 · BundID · Cl@ve · FranceConnect+), and uses PostgreSQL and a Redis cache. Diagram legend: federation vs. direct call.
Component Health
Keycloak 24.x: 4 clients · realm: enterprise
Django 5.1 + mozilla-oidc: ClaimsMiddleware active
MS Entra ID: OIDC federated · App reg ok
Authentik 2024.x: Offline mirror · SCIM sync
eIDAS Broker: Notified IdP · LoA High ready
Simulated metrics: 2,847 users · 4 realms · 12 clients · 99.7% uptime · 18ms avg auth · 3 IdP fed.
Token Strategy
Access token TTL: 5 min (300s)
Refresh token TTL: 24 h · rotating
Algorithm: RS256 (asymmetric)
Refresh reuse: 0 — rotation enforced
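How "rotating" refresh tokens with a reuse count of 0 behave, as an added illustration (not Keycloak's implementation and not the simulator's code): a constructed in-memory token service that issues a fresh refresh token on every refresh and, when an already-rotated token is presented again, revokes the whole session. The 24 h lifetime is modelled as an absolute limit from login, which is an assumption; the access token is an opaque stand-in for the 5-minute RS256 JWT.

```python
"""Refresh-token rotation with reuse detection (illustrative, not Keycloak code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple

ACCESS_TTL = 300          # 5 min, as on the page
REFRESH_TTL = 24 * 3600   # 24 h, as on the page (modelled as absolute from login: assumption)


class TokenRejected(Exception):
    """Base class: the presented refresh token must not be honoured."""


class ReuseDetected(TokenRejected):
    """A rotated-out refresh token came back: the session has been revoked."""


class RefreshExpired(TokenRejected):
    """The refresh token outlived the 24 h session limit."""


@dataclass
class _Session:
    user: str
    current_refresh: str
    refresh_expires_at: float
    revoked: bool = False


class TokenService:
    """Constructed stand-in for the issuer's session and refresh-token store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, _Session] = {}   # session_id -> session
        self._refresh_index: Dict[str, str] = {}   # every refresh token ever issued -> session_id

    def _mint_refresh(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        # Old tokens stay in the index on purpose: that is what lets reuse be detected.
        self._refresh_index[token] = session_id
        return token

    @staticmethod
    def _access_token(user: str, now: float) -> dict:
        # Opaque stand-in for the short-lived JWT; only the expiry matters here.
        return {"sub": user, "token": secrets.token_urlsafe(24), "exp": now + ACCESS_TTL}

    def login(self, user: str, now: float) -> Tuple[dict, str]:
        session_id = secrets.token_urlsafe(16)
        refresh = self._mint_refresh(session_id)
        self._sessions[session_id] = _Session(user, refresh, now + REFRESH_TTL)
        return self._access_token(user, now), refresh

    def refresh(self, presented: str, now: float) -> Tuple[dict, str]:
        """Exchange the current refresh token for a new access + refresh pair."""
        session_id = self._refresh_index.get(presented)
        if session_id is None:
            raise TokenRejected("unknown refresh token")
        session = self._sessions[session_id]
        if session.revoked:
            raise ReuseDetected("session already revoked")
        if presented != session.current_refresh:
            # A stale copy came back: either the legitimate client replayed it or a
            # thief holds it. With max reuse 0 the whole session is torn down, so the
            # newer token (whoever holds it) stops working too.
            session.revoked = True
            raise ReuseDetected("refresh token reuse detected; session revoked")
        if now >= session.refresh_expires_at:
            session.revoked = True
            raise RefreshExpired("refresh token expired")
        session.current_refresh = self._mint_refresh(session_id)
        return self._access_token(session.user, now), session.current_refresh

    def session_active(self, refresh: str) -> bool:
        session_id = self._refresh_index.get(refresh)
        return session_id is not None and not self._sessions[session_id].revoked
```

The detection signal worth alerting on is the ReuseDetected path: a legitimate client that lost a response may trip it once, but repeated hits on one session are a strong indicator that a refresh token was exfiltrated.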
02 Users & Claims
Sample Users (columns: User · Realm · Roles · IdP · LoA · Status)
Custom Claim Mappers (Keycloak) (columns: Type · Claim · Value / Attr · Token)
Claim Inspector (shows the JWT claims of the selected user)
03 Authentication Flows · OAuth 2.1 · SAML2 · Device · eIDAS
Django Middleware Pipeline
1. SessionMiddleware: attach session to request
2. OIDCAuthBackend: verify JWT signature (RS256), validate iss/aud/exp
3. ClaimsMiddleware: map realm_access.roles → Django groups
4. eIDAS LoA Check: enforce level of assurance on decorated views
5. View Handler: request.user.is_authenticated → serve response
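Steps 2 and 3 of this pipeline written out as plain Python, so the order of checks is visible. This is an example added here, not code from mozilla-django-oidc, Keycloak or this site's simulator; the realm URL, client id, role-to-group table and signing key are constructed placeholders. It signs with HS256 only because Python's standard library has HMAC but no RSA, which keeps it runnable offline; as the page says, production uses RS256 against the realm's JWKS, and the algorithm pinning, claim checks and role mapping are the same either way.

```python
"""Pipeline steps 2-3: verify the token, validate claims, map roles to groups.
Illustrative code, not mozilla-django-oidc's implementation."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed role->group table, standing in for ClaimsMiddleware configuration.
ROLE_TO_GROUP = {"admin": "Administrators", "clerk": "Case Workers"}

# Constructed test key. HS256 is used only so the example runs with the standard
# library; production verifies RS256 signatures against Keycloak's JWKS.
TEST_KEY = b"constructed-test-secret-do-not-use"
ISSUER = "https://sso.example.test/realms/enterprise"   # placeholder realm URL
AUDIENCE = "django-api"                                 # placeholder client id


class TokenError(Exception):
    """Any verification or claim-validation failure; the request is unauthenticated."""


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_test_token(payload: dict, key: bytes = TEST_KEY) -> str:
    """Mint an HS256 token for the demo; stands in for the Keycloak issuer."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    """Step 2a: pin the algorithm, then check the signature before trusting any claim."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    # The verifier decides the algorithm, never the token ('none', alg confusion).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    return json.loads(_b64url_decode(p))


def validate_claims(payload: dict, issuer: str, audience: str, now: float) -> None:
    """Step 2b: the iss / aud / exp checks named in the pipeline."""
    if payload.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud      # aud may be a string or a list
    if audience not in aud:
        raise TokenError("token not intended for this client")
    if now >= float(payload.get("exp", 0)):
        raise TokenError("token expired")
    if "nbf" in payload and now < float(payload["nbf"]):
        raise TokenError("token not yet valid")


def roles_to_groups(payload: dict, role_map: dict = ROLE_TO_GROUP) -> set:
    """Step 3: realm_access.roles -> Django group names; unmapped roles are ignored."""
    roles = payload.get("realm_access", {}).get("roles", [])
    return {role_map[r] for r in roles if r in role_map}


def authenticate(token: str, now: Optional[float] = None, key: bytes = TEST_KEY) -> dict:
    """Run steps 2-3 and return what request.user would carry afterwards."""
    now = time.time() if now is None else now
    payload = verify_signature(token, key)
    validate_claims(payload, ISSUER, AUDIENCE, now)
    return {"sub": payload["sub"], "groups": roles_to_groups(payload), "acr": payload.get("acr")}
```

Note the ordering: nothing in the payload is read until the signature has been checked, and the algorithm is taken from the verifier's configuration rather than from the token header.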
04 JWT Token Lab · Inspect · Inject · Introspect
Panels: Token Generator; Custom Claim Injector (claim key, claim value, token scope, token validity); Introspection Response.
Token Anatomy
iss: who issued it (Keycloak realm)
sub: stable user ID — never email
aud: which clients can use it
azp: authorized party (the client that obtained it)
acr: eIDAS Level of Assurance URI
realm_access: Keycloak roles → Django groups
exp / iat: 5-min TTL — short by design
05 Traffic Monitor · Live auth event stream
Request stream format: HH:MM:SS METHOD endpoint user@domain STATUS latency
Panels: Endpoint Hit Counts; Response Code Distribution; Test User Login (user, endpoint).
06 eIDAS — EU Citizen Identity Regulation (EU) 910/2014 · LoA: Low / Substantial / High
Level of Assurance
Low Self-asserted identity. No verification of physical identity.
Substantial Online KYC. Identity verified remotely, MFA required.
High In-person provisioning. Chip card / biometrics. Legal-grade.
Notified Member State
Mandatory eIDAS Attributes
PersonIdentifier · FamilyName · FirstName · DateOfBirth · PlaceOfBirth · CurrentAddress · Gender
Compliance Standards
Regulation (EU) 910/2014: eIDAS base regulation
eIDAS 2.0 / ARF: EU Digital Identity Wallet
ETSI EN 319 401: trust service providers
SD-JWT VC: selective disclosure (draft)
OpenID4VP / OID4VCI: verifiable credentials
Notified IdPs
BundID (DE): LoA High
FranceConnect+ (FR): LoA High
Cl@ve (ES): Substantial
BankID (SE): LoA High
SPID (IT): Substantial
DigiD (NL): Substantial
ACR Claim Mapping
Low: …/LoA/low
Substantial: …/LoA/substantial
High: …/LoA/high
PersonIdentifier: ORIGIN/DEST/ID
amr (High): ["eid","hwk"]
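Step 4 of the middleware pipeline, the LoA check on decorated views, as an added example tied to this ACR mapping table (it is not Django's, Keycloak's or the simulator's code). The acr values use the eIDAS LoA identifiers whose prefix the table abbreviates; the request shape (a dict carrying the verified claims), the view functions and their (status, body) return value are constructed stand-ins for Django's request and response objects, and the amr requirement mirrors the table's High row.

```python
"""Enforce an eIDAS Level of Assurance on decorated views by reading acr (and
optionally amr). Illustrative code, not a Django or Keycloak API."""
from functools import wraps
from typing import Callable, Iterable, Optional

# eIDAS LoA identifiers as carried in the acr claim (the table above abbreviates
# the prefix). The ranking is the point: High satisfies a Substantial requirement.
EIDAS_LOA_PREFIX = "http://eidas.europa.eu/LoA/"
LOA_RANK = {"low": 1, "substantial": 2, "high": 3}


def loa_from_acr(acr: Optional[str]) -> Optional[str]:
    """Return 'low' / 'substantial' / 'high', or None for a missing or non-eIDAS acr."""
    if not isinstance(acr, str) or not acr.startswith(EIDAS_LOA_PREFIX):
        return None
    level = acr[len(EIDAS_LOA_PREFIX):].lower()
    return level if level in LOA_RANK else None


def meets_loa(acr: Optional[str], minimum: str) -> bool:
    """True only when acr parses to a known level at or above `minimum`."""
    level = loa_from_acr(acr)
    return level is not None and LOA_RANK[level] >= LOA_RANK[minimum]


def require_loa(minimum: str, required_amr: Iterable[str] = ()) -> Callable:
    """View decorator: 403 unless the token's acr reaches `minimum` and amr lists
    every method in `required_amr` (e.g. eid + hwk for a High login)."""
    if minimum not in LOA_RANK:
        raise ValueError(f"unknown LoA {minimum!r}")
    needed = set(required_amr)

    def decorator(view: Callable) -> Callable:
        @wraps(view)
        def wrapper(request: dict, *args, **kwargs):
            claims = request.get("claims") or {}   # constructed: verified claims on the request
            if not meets_loa(claims.get("acr"), minimum):
                # Unknown or absent acr is treated as not assured, never as Low.
                return 403, f"LoA {minimum} required"
            if needed and not needed.issubset(claims.get("amr") or []):
                return 403, "authentication methods insufficient for this LoA"
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


@require_loa("substantial")
def view_case_file(request: dict):
    """Constructed view: readable at Substantial or High."""
    return 200, f"case file for {request['claims']['sub']}"


@require_loa("high", required_amr=("eid", "hwk"))
def sign_contract(request: dict):
    """Constructed view: High only, and the login must have used eID + hardware key."""
    return 200, "contract signed"
```

The fail-closed branch matters most: a token with no acr claim at all (for example one issued through the corporate Entra federation rather than an eIDAS node) is refused by an LoA-protected view instead of being silently accepted as Low.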
07 Facts, Disclaimers & References · What's accurate · What's simplified · Real sources
⚠ Read before you implement
This tool is an educational simulator, not a production blueprint. Every architecture claim below is fact-checked against official sources — but real deployments vary enormously depending on your org size, compliance regime, and whether you're building for private sector or public sector EU services. Treat the flows as mental models, not copy-paste specs.
✓ Verified Facts
eIDAS Node is a real EC reference implementation
The European Commission publishes the CEF eIDAS-Node software (current pre-release: v2.7.0, licensed EUPL 1.2). Member States are not required to use it — they can build their own node compliant with the technical specs — but many do adapt and reuse it. The reference implementation is Java/Tomcat-based, not a Docker-ready microservice. Production deployments require significant hardening.
Source: EC Digital Building Blocks, CEF eIDAS-Node Integration Package v2.5+ (2020–2024)
eIDAS Regulation (EU) No 910/2014 is law
The base eIDAS regulation is real and in force across all 27 EU Member States. The LoA levels (Low / Substantial / High) are defined in Commission Implementing Regulation (EU) 2015/1502. The notified IdPs listed (BundID, FranceConnect+, Cl@ve, BankID) are real notified schemes as of 2024.
Source: EUR-Lex, eIDAS Regulation full text; EC eIDAS notified eID schemes list
eIDAS 2.0 / EU Digital Identity Wallet is enacted
Regulation (EU) 2024/1183 (eIDAS 2.0) was adopted. Member States must offer at least one EUDI Wallet. Implementing regulations (CIR 2024/2977, 2024/2981, 2025/846) were published through July 2025. The ARF (Architecture Reference Framework) governs technical interoperability. SD-JWT VC and OpenID4VP are the credential protocols.
Source: EC EUDIW portal, OJ 2024/1183, ARF v1.x (eu-digital-identity-wallet.github.io)
Keycloak OIDC + Django mozilla-oidc integration is standard
mozilla-django-oidc is a well-maintained library (Mozilla, Apache 2.0). The ClaimsBackend pattern shown is the officially recommended approach. RS256 is the correct algorithm for production — symmetric HS256 is only for testing. The 5-minute access token TTL shown reflects Keycloak defaults, which are sane for production.
Source: mozilla-django-oidc docs; Keycloak 24 documentation; RFC 7519 (JWT)
⚠ Simplifications & Warnings
eIDAS Node is NOT a simple Docker container
The simulator shows eIDAS as a clean microservice you plug in. Reality: the CEF reference implementation is a Java EE application requiring Tomcat, complex XML configuration, SAML2 metadata exchange with the EC's MDSL (Metadata Service List), and notified scheme-specific Specific Connector modules. The Sweden Connect mock on GitHub is the closest thing to a testable Docker setup — and it's explicitly marked test/demo only.
Architecture varies wildly by organization size
This stack (Keycloak + Django + Nginx) is reasonable for a mid-size team. Larger enterprises often: (a) run Keycloak in HA mode with Infinispan clustering and external DB, (b) put an API gateway like Kong or AWS ALB in front instead of Nginx, (c) use Keycloak Operator on Kubernetes rather than Docker Compose, (d) integrate with Active Directory/LDAP federation instead of Entra OIDC directly.
Authentik is not a full Entra replacement
Authentik is excellent for self-hosted SSO and handles OIDC/SAML2/SCIM well, but it does not replicate Entra's Conditional Access risk scoring, Defender for Identity threat signals, or PIM (Privileged Identity Management). For air-gapped environments it's the right choice. For full corporate IAM with compliance requirements, Entra (or Okta/Ping) has features Authentik lacks.
eIDAS LoA High requires legal/procurement process
You cannot connect to the live eIDAS network by writing code. Your organisation must be a notified service provider in the Member State(s) you operate in. This involves a national conformity assessment, registration with the national supervisory body, and for public sector services, often a public procurement process. The simulator models the technical protocol — not the governance layer.
Token simulation is illustrative — signatures are fake
The JWT payloads in the Token Lab are correctly structured and use realistic claim names from the OIDC Core spec and eIDAS attribute profile. However, the "signature" shown is descriptive text — no actual RSA key pair is used. Do not use these token structures verbatim without validating against your Keycloak realm's actual JWKS endpoint.
Official References
eIDAS Regulation: Regulation (EU) No 910/2014 (eur-lex.europa.eu/legal-content/EN/ALL/?uri=uriserv:OJ.L_.2014.257)
eIDAS 2.0: Regulation (EU) 2024/1183, EUDI Wallet (ec.europa.eu/digital-building-blocks/eudiw)
CEF eIDAS-Node: EC Reference Implementation v2.5+ (EUPL 1.2) (ec.europa.eu/cefdigital/wiki → eIDAS Node Integration Package)
Keycloak: Keycloak 24 Documentation (Red Hat) (keycloak.org/documentation)
OAuth 2.1 / PKCE: OAuth 2.1 draft + RFC 7636 (PKCE) (datatracker.ietf.org/doc/html/rfc7636)
OIDC Core: OpenID Connect Core 1.0 Spec (openid.net/specs/openid-connect-core-1_0.html)
mozilla-django-oidc: Mozilla OIDC library for Django (mozilla-django-oidc.readthedocs.io)
JWT / JWS: RFC 7519 (JWT), RFC 7515 (JWS), RFC 7517 (JWK) (datatracker.ietf.org/doc/html/rfc7519)
OAuth Threat Model: RFC 9700, OAuth 2.0 Security Best Current Practice (datatracker.ietf.org/doc/html/rfc9700)
Alternative Architectures
Companies implement IAM differently depending on their stack, scale, and cloud provider. This tool shows one valid path — here are the common variations you'll encounter:
AWS stack
Cognito User Pools + Identity Pools → API Gateway → Lambda/ECS. No Keycloak. Federation via SAML2 or OIDC to Cognito. Common in AWS-native orgs but vendor lock-in is high and Cognito's OIDC compliance has quirks.
Okta / Auth0 enterprise
Fully managed. Okta Universal Directory handles user store. Auth0 handles the OIDC/SAML flows. Expensive at scale but zero ops burden. Standard for US enterprise, less common in EU public sector due to data residency concerns.
Keycloak + Quarkus (next post)
Replace Django with Quarkus microservices. Use the quarkus-oidc extension for zero-config JWT validation. Deploy Keycloak and Quarkus as native images on GraalVM. Dramatically lower memory footprint — relevant for EU public sector cloud deployments.
Spring Security + Keycloak
The Java-native path. spring-boot-starter-oauth2-resource-server handles JWT validation. Keycloak's Spring adapter was deprecated — use the resource server approach directly. Common in enterprises already on Spring Boot.
Bare metal Entra-only
Skip Keycloak entirely. Apps register directly in Entra, use MSAL for token acquisition. Works if 100% of your users are in M365. Breaks when you add non-Microsoft apps, legacy SAML, or eIDAS — which is why Keycloak as a broker adds value.
What's coming next on kimmonzon.com
Part 2 · Deep Dive
Keycloak + Quarkus Native
Build a Quarkus microservice that consumes Keycloak tokens natively — zero-overhead JWT validation, Panache ORM with role-based data filtering, and GraalVM native image for sub-10ms cold starts.
Coming soon
Part 3 · Advanced
Keycloak SPI & Custom Providers
Write your own Keycloak Service Provider Interface — custom authenticators, user federation providers, event listeners, and protocol mappers in Java. When the UI is not enough.
Coming soon
Part 4 · EU Identity
EU Digital Identity Wallet
eIDAS 2.0 and the Architecture Reference Framework — SD-JWT Verifiable Credentials, OpenID4VP presentation flows, and how EUDIW changes everything for citizen-facing apps after 2026.
Coming soon
Part 5 · Zero Trust
Token Exchange & Impersonation
RFC 8693 token exchange in Keycloak — service-to-service delegation, impersonation flows for admin tooling, and audience restriction for microservice chains. The patterns that enterprise architects care about.
Coming soon
Part 6 · Ops
Keycloak in Production
High availability with Infinispan clustering, PostgreSQL connection pooling, Kubernetes operator deployment, JWKS key rotation without downtime, and Grafana dashboards for auth observability.
Coming soon
Part 7 · Security
Threat Modelling IAM Systems
OAuth threat model (RFC 9700), PKCE attack prevention, refresh token theft scenarios, token binding, DPoP proof-of-possession, and how to build a brute-force detection pipeline that actually works.
Coming soon