Identity Platform

  • Identity Charmers | bundle
Channel        Revision   Published
latest/edge    34         16 Oct 2024
0.3/edge       32         20 Sep 2024
0.2/edge       25         09 May 2024
0.1/edge       17         25 Apr 2024
juju deploy identity-platform --channel edge

The diagram below describes the high-level architecture of the Canonical Identity Platform and its dependencies:

[Diagram: high-level architecture of the Canonical Identity Platform and its dependencies]

The Canonical Identity Platform is an identity broker: it connects identity providers (Microsoft Azure Active Directory, Okta, Google, GitHub, …) with multiple service providers (Grafana, Kafka, and/or other charmed workloads).

The charmed operators that make up Canonical Identity Platform are available as an identity-platform bundle.

It consists of several components:

The Canonical Identity Platform uses charm relation interfaces and Juju config to simplify propagating SSO configuration across multiple applications. There are two main integration points:

  • The oauth relation interface, which lets you integrate OIDC-compatible charms with the OAuth Server. When used, Charmed Ory Hydra registers an OAuth client for your charmed application and manages it throughout its lifecycle. You can also integrate non-charmed but OIDC-compatible workloads by using Charmed Hydra’s actions.

  • Charmed Kratos External IDP Integrator, which updates the configuration of the identity server (Charmed Kratos) with the external identity provider setup that is defined via juju config. You can define multiple identity providers by deploying more Integrator charm instances.

Interested in learning how to integrate your application with the Canonical Identity Platform? Check our how-to guides.


Last updated 2 months ago.