ADR-013: Identity Strategy
Status: Proposed
Date: 2026-03-16
Context
PowerSeller's three products currently use different identity approaches:
- MBS Access: Odoo as SAML IdP → dataQollab (AWS Cognito) as SP
- PowerSeller X: Keycloak (OIDC) — self-hosted, full control
- SaaS App: Not yet decided
A unified identity strategy would simplify user management, enable SSO across products, and reduce operational complexity. However, the right approach depends on which system should be the source of truth for user identity.
Decision
Not yet decided. This ADR documents the options under consideration:
Option A: Keycloak as Universal IdP
- Keycloak federates with Azure AD (enterprise customers) and Odoo (customer portal users)
- All products authenticate via Keycloak (OIDC)
- PowerSeller controls the identity infrastructure
- Pro: Full control, proven with PowerSeller X, supports complex federation
- Con: Another service to operate and secure
Option B: Azure AD as Primary
- Azure AD handles authentication for SaaS App and PowerSeller X
- Keycloak bridges to Azure AD or is replaced
- Odoo continues as SAML IdP for MBS Access (or federates through Azure AD)
- Pro: Managed service, enterprise SSO built in
- Con: Vendor lock-in, less flexibility for non-Azure scenarios
Option C: Odoo as Universal Customer IdP
- Odoo is already the customer-facing business layer
- Extend Odoo's SAML/OIDC capabilities to all products
- Pro: Single source of truth for customer identity and subscriptions
- Con: Odoo is not designed as a high-scale identity provider and has only limited OIDC support
Consequences
This decision is blocked until:
- Odoo's OIDC capabilities are evaluated (can it issue OIDC tokens, not just SAML assertions?)
- Keycloak's federation with Azure AD is tested
- The team decides whether customer identity and employee identity should use the same provider
Next step: Architecture spike to evaluate all three options with a working prototype.
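One concrete check for that spike, answering the "can it issue OIDC tokens?" and "can all products authenticate via OIDC" questions above: fetch each candidate's OpenID Provider discovery document and score it against the capabilities a single IdP for all three products would need. This is an added example, not part of the ADR or any of the products; the REQUIRED capability set, the issuer URLs and both sample documents are assumptions constructed for illustration.

```python
from typing import Optional

# Capability -> values that must be advertised (None = the key only has to exist).
# Assumed minimum for one IdP serving web, SPA and mobile clients of all three products.
REQUIRED: dict[str, Optional[set[str]]] = {
    "issuer": None,
    "authorization_endpoint": None,
    "token_endpoint": None,
    "jwks_uri": None,                               # RPs verify ID tokens offline
    "userinfo_endpoint": None,
    "end_session_endpoint": None,                   # cross-product SSO logout
    "response_types_supported": {"code"},           # authorization code flow only
    "grant_types_supported": {"authorization_code", "refresh_token"},
    "id_token_signing_alg_values_supported": {"RS256"},
    "code_challenge_methods_supported": {"S256"},   # PKCE for public clients
}
# OIDC Discovery: an absent grant_types_supported means exactly this default list.
DEFAULTS = {"grant_types_supported": ["authorization_code", "implicit"]}

def evaluate_discovery(doc: dict) -> list[str]:
    """Return findings; an empty list means every required capability is advertised."""
    findings = []
    for key, needed in REQUIRED.items():
        value = doc.get(key, DEFAULTS.get(key))
        if value is None:
            findings.append(f"missing: {key}")
        elif needed and not needed.issubset(value):
            findings.append(f"{key} lacks {sorted(needed - set(value))}")
    if "issuer" in doc and not doc["issuer"].startswith("https://"):
        findings.append("issuer is not https")      # token iss validation would fail
    return findings

# Constructed sample: a full-featured provider (Keycloak-like endpoint layout).
_B = "https://idp.example.test/realms/powerseller/protocol/openid-connect"
SAMPLE_FULL = {
    "issuer": "https://idp.example.test/realms/powerseller",
    "authorization_endpoint": f"{_B}/auth", "token_endpoint": f"{_B}/token",
    "jwks_uri": f"{_B}/certs", "userinfo_endpoint": f"{_B}/userinfo",
    "end_session_endpoint": f"{_B}/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
    "id_token_signing_alg_values_supported": ["RS256", "ES256"],
    "code_challenge_methods_supported": ["plain", "S256"],
}
# Constructed sample: a portal exposing only a minimal OAuth2 surface (no JWKS, no PKCE).
SAMPLE_MINIMAL = {
    "issuer": "https://portal.example.test",
    "authorization_endpoint": "https://portal.example.test/oauth/authorize",
    "token_endpoint": "https://portal.example.test/oauth/token",
    "response_types_supported": ["code", "token"],
    "id_token_signing_alg_values_supported": ["HS256"],
}
```

In the spike, replace the sample dicts with the JSON fetched from each candidate's `/.well-known/openid-configuration`; a provider that serves no such document at all answers the SAML-only question by itself.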