This article provides an overview of an offline identity management implementation that enables organizations to manage identity information in environments without internet connectivity. The system allows administrators and end users to perform identity-related tasks, such as creating, modifying, and deleting user records, while ensuring secure authentication and authorization.
Designed for organizations requiring a self-contained identity management solution, this system operates entirely offline. All components—including authentication, user management, and workflows—are deployed within a containerized Kubernetes cluster, ensuring reliability and security without reliance on external network connectivity.
System Architecture
The system is structured into key components, each serving a specific function to maintain identity management operations in an isolated, offline environment. Since all components are deployed within the Kubernetes cluster, authentication, directory services, and CRUD operations function without external dependencies.
Core Components
The system is designed around two core user interfaces:
CRUD Designer (Administrative Configuration) – Allows administrators to design structured identity management workflows by configuring pages, forms, and actions.
CRUD Runner (End-User Identity Management) – Provides an interface for users to interact with identity data, perform user management tasks, and execute workflows.
The system also incorporates an authentication provider and a directory service:
Keycloak (Identity Provider) – Handles authentication and authorization, federated with OpenLDAP.
OpenLDAP (Directory Service) – Serves as the authoritative identity store, ensuring that identity information remains available and consistent across all system components.
This architecture ensures that all system components operate as a cohesive unit while functioning independently of external network connectivity.
CRUD Designer (Administrative Configuration)
The CRUD Designer is the administrative interface that enables administrators to configure user interactions with identity data by defining forms, pages, and available actions. While it does not modify identity records directly, it provides the tools to build the UI components used in the CRUD Runner for identity management tasks.
Primary Tools
Form Designer – Enables administrators to create and manage structured data input fields and validation rules for workflow execution. Forms define the fields and data inputs required for user interactions.
Page Designer – Allows for the design of pages that display identity-related data, configure data grids, and define workflow action buttons.
Administrators use these tools to build structured workflows and interfaces tailored to organizational identity management needs. The configurations created in the CRUD Designer are stored locally in the offline environment and can be synchronized with a customer-specific Git repository hosted in Azure by EmpowerID DevOps when network connectivity is restored.
CRUD Runner (End-User Identity Management)
The CRUD Runner serves as the interface for end users performing identity-related actions. It provides a structured interface where users can:
Manage identity records, such as creating, modifying, and deleting accounts and groups
Reset and update user passwords
Assign users to groups
All changes made in the CRUD Runner are synchronized directly with OpenLDAP, ensuring that identity data remains up-to-date across the system. The Runner presents users with the forms and pages configured in the CRUD Designer, creating a consistent experience for managing identity information.
Identity Provider
Keycloak, deployed within the Kubernetes cluster, serves as the identity provider. It handles authentication and access management, ensuring users are securely authenticated and authorized for system interactions. Keycloak is federated with the directory service to maintain user synchronization.
The system is configured with three authentication clients within Keycloak:
Frontend Authentication Client – Controls access to the CRUD Designer
Runner Authentication Client – Manages authentication for the CRUD Runner
Backend Service Client – Enables service-to-service authentication
All authentication and identity verification processes occur within the system, ensuring it remains operational in offline environments.
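The three-client split described above, as an added example that is not part of the original document or EmpowerID's own configuration: a Keycloak realm-import fragment in which the two browser-facing clients are public clients limited to the authorization-code flow with PKCE, and the backend client is confidential and limited to service-account (client-credentials) use. The client IDs, hostnames and the secret placeholder are assumptions; JSON carries no comments, so placeholders are marked by their values.

```json
{
  "clients": [
    {
      "clientId": "crud-designer",
      "name": "Frontend Authentication Client",
      "protocol": "openid-connect",
      "publicClient": true,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "redirectUris": ["https://designer.idm.internal/*"],
      "webOrigins": ["https://designer.idm.internal"],
      "attributes": {"pkce.code.challenge.method": "S256"}
    },
    {
      "clientId": "crud-runner",
      "name": "Runner Authentication Client",
      "protocol": "openid-connect",
      "publicClient": true,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "redirectUris": ["https://runner.idm.internal/*"],
      "webOrigins": ["https://runner.idm.internal"],
      "attributes": {"pkce.code.challenge.method": "S256"}
    },
    {
      "clientId": "crud-backend",
      "name": "Backend Service Client",
      "protocol": "openid-connect",
      "publicClient": false,
      "clientAuthenticatorType": "client-secret",
      "secret": "REPLACE-WITH-GENERATED-SECRET",
      "standardFlowEnabled": false,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": true,
      "redirectUris": [],
      "webOrigins": []
    }
  ]
}
```

Keeping the browser clients without service accounts or direct grants, and the backend client without a browser flow or redirect URIs, means a token or secret belonging to one tier cannot be reused to act as the other.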
Directory Service
OpenLDAP, also contained within the system, acts as the authoritative identity store, managing user and group data. It ensures that identity information remains available and consistent across all services.
OpenLDAP maintains the official record of users and groups. Identity updates within the system are immediately reflected across all services, ensuring the authentication system and user interfaces consistently work with accurate identity data.
Authentication and Data Flow
When a user accesses the system, authentication requests are processed entirely by Keycloak. The containerized deployment model ensures that all components operate as a cohesive unit within the offline infrastructure, maintaining full functionality without internet access.
User-Initiated Changes and Data Flow
Users make changes within the application interfaces provided by the system, such as modifying user accounts, resetting passwords, or updating group memberships. These changes flow through the system as follows:
The user performs an action in the CRUD Runner to modify identity data
The system processes the change and updates the relevant identity data in OpenLDAP
Keycloak does not store these changes, but retrieves updated identity data from OpenLDAP whenever authentication occurs
All services that rely on identity information pull data directly from OpenLDAP, ensuring consistency across the platform
This flow ensures that authentication, directory services, and user management remain synchronized while operating offline.
Diagram Placement: Insert a flowchart here to visualize how user actions in CRUD Runner propagate through OpenLDAP.
Keycloak Federation with OpenLDAP
Keycloak is federated with OpenLDAP, allowing it to retrieve and display user records. While user data is managed in OpenLDAP, Keycloak enables administrators to search for and view identity records within its interface. When identity updates occur—such as user creation, attribute modification, or account deletion—these changes are synchronized across OpenLDAP and Keycloak in real time, ensuring consistency across all components.
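The federation described here, and the data-flow steps above in which Keycloak stores nothing and reads OpenLDAP at each authentication, as an added example that is not part of the original document or EmpowerID's own configuration: a Keycloak realm-import fragment declaring OpenLDAP as the user storage provider with import disabled and no caching, plus a group mapper that resolves group membership from the directory. The in-cluster service name, base DNs, bind account, StartTLS and the READ_ONLY/LDAP_ONLY modes are assumptions (the page places all edits in the CRUD Runner rather than Keycloak); JSON carries no comments, so placeholders are marked by their values.

```json
{
  "components": {
    "org.keycloak.storage.UserStorageProvider": [
      {
        "name": "openldap",
        "providerId": "ldap",
        "subComponents": {
          "org.keycloak.storage.ldap.mappers.LDAPStorageMapper": [
            {
              "name": "groups",
              "providerId": "group-ldap-mapper",
              "config": {
                "groups.dn": ["ou=groups,dc=idm,dc=internal"],
                "group.name.ldap.attribute": ["cn"],
                "group.object.classes": ["groupOfNames"],
                "membership.ldap.attribute": ["member"],
                "membership.attribute.type": ["DN"],
                "membership.user.ldap.attribute": ["uid"],
                "mode": ["LDAP_ONLY"],
                "user.roles.retrieve.strategy": ["LOAD_GROUPS_BY_MEMBER_ATTRIBUTE"]
              }
            }
          ]
        },
        "config": {
          "enabled": ["true"],
          "vendor": ["other"],
          "connectionUrl": ["ldap://openldap.idm.svc.cluster.local:389"],
          "startTls": ["true"],
          "authType": ["simple"],
          "bindDn": ["cn=keycloak-reader,ou=services,dc=idm,dc=internal"],
          "bindCredential": ["REPLACE-WITH-BIND-PASSWORD"],
          "usersDn": ["ou=people,dc=idm,dc=internal"],
          "userObjectClasses": ["inetOrgPerson"],
          "usernameLDAPAttribute": ["uid"],
          "rdnLDAPAttribute": ["uid"],
          "uuidLDAPAttribute": ["entryUUID"],
          "editMode": ["READ_ONLY"],
          "importEnabled": ["false"],
          "syncRegistrations": ["false"],
          "cachePolicy": ["NO_CACHE"]
        }
      }
    ]
  }
}
```

With importEnabled false and cachePolicy NO_CACHE, a password reset or group change written to OpenLDAP by the CRUD Runner is visible to the very next login without any periodic sync job, and a disabled or deleted directory entry stops authenticating immediately.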
Deployment Model
Self-Contained Operation
The system is designed to function independently of external network connections. All components, including authentication services and the directory system, operate entirely within the Kubernetes cluster deployed on local infrastructure. This model ensures that identity operations can continue even in restricted environments where internet access is unavailable.
Local Data Management
Identity records and authentication policies are managed entirely within the system. OpenLDAP serves as the authoritative directory, ensuring that user records remain under organizational control. Keycloak handles authentication without external dependencies, reinforcing security and access control in the offline environment.
Version Control and Synchronization
Forms, pages, and workflows are stored locally in the offline environment. Changes to these components are committed to a local file system and, once the system is reconnected to a network, can be pushed to a customer-specific Git repository hosted in Azure by EmpowerID DevOps for versioning and synchronization.
This implementation ensures that organizations can maintain secure, reliable identity management without relying on cloud-based solutions or external network access, making it ideal for environments with limited or restricted connectivity.