> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flowx.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# IAM solution

> Identity and access management (IAM) framework of processes, policies, and technologies for controlling access to digital identities.

## What is an Identity Provider (IdP)?

The IAM category includes the IdP, Identity-as-a-Service (IDaaS), Privileged Identity/Access Management (PIM/PAM), Multi-factor/Two-factor Authentication (MFA/2FA), and numerous other subcategories.

The IdP is the part of an IAM solution dedicated to managing core user identities: it is the authoritative source for defining a user and for verifying, at login, that a user is who they claim to be.

The IdP is arguably the most important subcategory of IAM, because it lays the foundation of an organization's identity management infrastructure. Other IAM categories and solutions, such as [IDaaS](https://jumpcloud.com/blog/identity-as-a-service-idaas), PIM/PAM, and MFA/2FA, are typically layered on top of the core IdP and federate its user identities out to the various endpoints. Your choice of IdP therefore has a profound influence on your overall IAM architecture.

<Info>
  We recommend **Keycloak**, an open-source identity provider in which you create users and store their credentials.

  Every request from a consumer application goes through a public entry point (the API Gateway). To start a process, the consumer application first authenticates with Keycloak and receives a token; it sends that token with its request, and the entry point validates the token (at minimum its signature and expiry) before forwarding the request to the platform.
</Info>

<Info>
  **Authorization split (5.8.0+):** Keycloak is authoritative for authentication, user attributes (used by [business filters](/5.9/docs/platform-deep-dive/user-roles-management/business-filters)), and federation with external IDPs. End-user roles, end-user groups, and project-scoped role assignment are managed in FlowX. See [Runtime authorization](./runtime-authorization).

  Up to 5.7.0, end-user groups were also managed in Keycloak.
</Info>

<Check>
  For more information on how to add roles and how to configure an IdP solution, check the following section:

  <Card title="Configuring an IAM solution" href="configuring-an-iam-solution" icon="file" />
</Check>

## Roles and Keycloak entities reference

Use this section as a quick reference for the named roles, service accounts, and Keycloak realms you will encounter across the FlowX setup guides. Each entry links out to the full configuration page.

### End-user roles

| Name                        | Where it lives                     | What it does                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| --------------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **`FLOWX_ROLE`**            | Keycloak realm role                | Grants permission to start process instances and access active process data from the Designer. Required on the user (or on a mapped end-user group) for any process-start request. The default runtime role assigned when a process is created is the project-level **User** role, managed through [runtime authorization](./runtime-authorization). See [Configuring access roles for processes](../flowx-engine-setup-guide/configuring-access-roles-for-processes). |
| **End-user roles** (5.8.0+) | FlowX                              | Project-scoped roles assigned in FlowX, not in Keycloak. Used to gate Designer-time and runtime actions against specific projects. See [Runtime authorization](./runtime-authorization).                                                                                                                                                                                                                                                                               |
| **End-user groups**         | FlowX (5.8.0+); Keycloak (≤ 5.7.0) | Group end users for bulk role assignment. Managed in FlowX from 5.8.0 onward; previously held in Keycloak.                                                                                                                                                                                                                                                                                                                                                             |
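The check the public entry point has to perform before a consumer application may start a process (see the Keycloak flow in the note above and the `FLOWX_ROLE` row in the table), written out as an added example. This is neither FlowX's gateway code nor Keycloak's: it is a generic RS256 verifier that assumes the access token is a Keycloak JWT carrying realm roles under the standard `realm_access.roles` claim, and that the trusted issuer is the realm URL (the `keycloak.example.internal` host is an assumption). `SignRS256` and `NewRealmKey` stand in for Keycloak's token endpoint and realm key so the example runs offline; in a real deployment only Keycloak holds the private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token the entry point needs:
// issuer, expiry, and the realm roles (FLOWX_ROLE is a realm role).
type Claims struct {
	Iss         string `json:"iss"`
	Exp         int64  `json:"exp"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
}

const requiredRole = "FLOWX_ROLE"

// NewRealmKey stands in for the realm signing key Keycloak generates.
func NewRealmKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 mints an RS256 JWT; it plays the role of Keycloak's token endpoint.
func SignRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyProcessStart is the gate in front of a process-start request: pin the
// algorithm, verify the signature with the realm public key, and only then
// parse and check issuer, expiry and the required realm role.
func VerifyProcessStart(token string, pub *rsa.PublicKey, issuer string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil {
		return errors.New("undecodable header")
	}
	if hdr.Alg != "RS256" { // the token must not choose its own algorithm (alg=none, HS256 key confusion)
		return fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return errors.New("undecodable signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("signature verification failed")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return errors.New("undecodable payload")
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return errors.New("undecodable payload")
	}
	if c.Iss != issuer {
		return fmt.Errorf("issuer %q is not the trusted realm", c.Iss)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token expired")
	}
	for _, r := range c.RealmAccess.Roles {
		if r == requiredRole {
			return nil
		}
	}
	return fmt.Errorf("%s missing: process start denied", requiredRole)
}

func main() {
	// Constructed demo: one realm key, an assumed realm URL, a user with and without the role.
	key, _ := NewRealmKey()
	issuer := "https://keycloak.example.internal/realms/flowx"
	now := time.Now()
	var c Claims
	c.Iss, c.Exp = issuer, now.Add(5*time.Minute).Unix()
	c.RealmAccess.Roles = []string{"offline_access", requiredRole}
	tok, _ := SignRS256(key, c)
	fmt.Println("with FLOWX_ROLE:   ", VerifyProcessStart(tok, &key.PublicKey, issuer, now))
	c.RealmAccess.Roles = []string{"offline_access"}
	tok, _ = SignRS256(key, c)
	fmt.Println("without FLOWX_ROLE:", VerifyProcessStart(tok, &key.PublicKey, issuer, now))
}
```

In a deployment the public key comes from the realm's JWKS endpoint (selected by the token's `kid`), and you would also check the audience or `azp` claim against the gateway's own client. Note what this check does and does not settle: it only gates entry. From 5.8.0 onward the project-scoped end-user roles and groups are evaluated by FlowX after the token has been accepted, not read from Keycloak claims.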

### Backend service accounts

These are Keycloak clients used by FlowX backend services to authenticate against the platform. They live in the **service-accounts realm** (`00000002-0002-4002-8002-000000000002`) and are shared across the installation.

| Client                        | Used by                                |
| ----------------------------- | -------------------------------------- |
| **`flowx-admin-sa`**          | Admin / config services                |
| **`flowx-process-engine-sa`** | Process engine, task-management plugin |

For the full list and the role assignments each one needs, see [Adding service accounts](./configuring-an-iam-solution#adding-service-accounts).

### Keycloak realms

| Realm ID                                                        | Purpose                                                                            |
| --------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| **`master`**                                                    | Keycloak's built-in admin realm.                                                   |
| **`flowx`** (default name; configurable)                        | The realm where end-user identities, groups, and the `FLOWX_ROLE` realm role live. |
| **`service-accounts`** (`00000002-0002-4002-8002-000000000002`) | Backend service-account clients. Shared across the installation.                   |

<Info>
  End-user **roles** and **groups** are no longer modeled as Keycloak roles or groups starting with 5.8.0. If you are searching for a FlowX role name that you don't see above, it is most likely either an end-user role configured in your own FlowX project (see [Runtime authorization](./runtime-authorization)) or a Keycloak group that was created in your local deployment for token-mapping purposes.
</Info>

## Using Keycloak with an external IdP

<Info>
  Recommended Keycloak version: **22.x**
</Info>

In every setup, authentication against the IdP is mandatory. Everything else is configurable: attribute mapping, including roles and groups, can be taken from the external IdP, or Keycloak itself can perform the entire authorization.

<Frame>
  ![Keycloak integration architecture](https://s3.eu-west-1.amazonaws.com/docx.flowx.ai/release40/keycloak_1.png)
</Frame>

### AD or LDAP provider

For Lightweight Directory Access Protocol (LDAP) and Active Directory, the Keycloak feature is called user federation (external user storage). Keycloak ships a built-in LDAP/AD user storage provider: users keep living in the directory, Keycloak authenticates against it and maps directory attributes into its own user model.

<Frame>
  ![Keycloak LDAP federation architecture](https://s3.eu-west-1.amazonaws.com/docx.flowx.ai/release40/keycloak_2.png)
</Frame>

More details:

<Card title="Server admin LDAP" href="https://www.keycloak.org/docs/26.0.0/server_admin/index.html#_ldap" icon="link" />

Configuration example:

<Card title="LDAP Keycloak" href="https://blog.please-open.it/posts/ldap-bind-proxy/" icon="link" />

### SAML, OpenID Connect, OAuth 2.0

For SAML 2.0, OpenID Connect and OAuth 2.0 providers, the Keycloak feature is called identity brokering. Keycloak redirects the user to the external provider and creates or updates the local user from the returned assertion or token; this synchronization happens at user login, not as a scheduled background job.

More details:

<Card title="Identity broker" href="https://www.keycloak.org/docs/22.0.5/server_admin/index.html#_identity_broker_first_login" icon="link" />

Configuration examples for ADFS:

<CardGroup>
  <Card title="SAML for React SPA" href="https://blog.samlsecurity.com/post/saml-for-react-spa/" icon="link" />

  <Card title="Keycloak ADFS-OIDC" href="https://www.michaelboeynaems.com/keycloak-ADFS-OIDC.html" icon="link" />
</CardGroup>
