Relationship Admin
User-to-agency memberships from seed-data.json and Org API. Identity = email. Authz = inline rules.
Migration Demo
Use the same legacy identity through each stage. Keycloak decides which upstream IdP to use while the app continues to see the same business user.
| Stage | User does | What happens |
|---|---|---|
| 1 | atlasAlice@legacy.local logs in with Okta password Demo1234! | Keycloak routes to Okta and the app signs in as Alice Smith. |
| 2 | Admin marks the same legacy user for federation, then the user clicks the link action after the Okta login | The app starts Keycloak's supported account-link flow. User signs in once with the Authbeast account and returns to the app. |
| 3 | User enters the same legacy email again | Keycloak sees the Authbeast link and routes straight to Authbeast instead of Okta. |
After the Stage 1 Okta login, use the Launchpad action to start the one-time Authbeast link.
Legacy identity stays the same in the app. Old and new IdPs can run side by side during migration. Okta can be removed later after users are linked.
How authorization works
1. Keycloak → OIDC token (userId=email, agency, subagency).
2. Web app resolves user via Org API using email.
3. Authz service uses Org API + inline rules (role, agency, jurisdiction, product, lifecycle, training).
4. Decision Viewer shows the full trace with rationale.
Design decision: email = user
Identity key is userId (email). 1 email = 1 user globally. Agency and subagency are membership context, not identity.
Active users and memberships
| User | Role | Agency | Jurisdictions |
|---|---|---|---|
| ann.rivera@gmail.com | agent | Atlas Agency | NY |
| brian.cho@gmail.com | underwriter | Atlas Agency | NY, CA |
| carla.ng@gmail.com | billing_specialist | Atlas Agency | NY |
| dan.lee@outlook.com | agent | Summit Brokerage | NY |
| eva.morris@outlook.com | agent | Summit Brokerage | NY |
| frank.owen@outlook.com | agent | Summit Brokerage | NY |
| atlasalice | agent | Atlas Agency | NY |
| atlasbob | underwriter | Atlas Agency | NY, CA |
| atlascarla | billing_specialist | Atlas Agency | NY |
| summitdan | agent | Summit Brokerage | NY |
| summiteva | agent | Summit Brokerage | NY |
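
The authorization flow and the email-as-identity decision described above, sketched as an added example (not the demo's own code). The action names, the role-to-action map, the rule order, and the lower-casing of the email are assumptions; the two membership rows are copied from the table as constructed sample data standing in for the Org API.

```python
# Added illustration; rule names and the action/role map are assumptions.
from dataclasses import dataclass, field

# Constructed sample: two rows from the membership table, keyed by userId (email).
MEMBERSHIPS = {
    "ann.rivera@gmail.com": [
        {"role": "agent", "agency": "Atlas Agency", "jurisdictions": {"NY"}}],
    "brian.cho@gmail.com": [
        {"role": "underwriter", "agency": "Atlas Agency", "jurisdictions": {"NY", "CA"}}],
}
# Hypothetical inline rule: which roles may perform which action.
ROLE_ACTIONS = {"agent": {"quote:create"}, "underwriter": {"quote:create", "quote:approve"}}

@dataclass
class Decision:
    allow: bool = False
    trace: list = field(default_factory=list)

def authorize(claims: dict, action: str, jurisdiction: str) -> Decision:
    d = Decision()
    def step(rule, ok, why):
        # Every evaluated rule is recorded, pass or fail, for the decision trace.
        d.trace.append({"rule": rule, "pass": ok, "rationale": why})
        return ok
    # Identity is the email alone; normalising case is an assumption made here.
    user_id = claims.get("userId", "").strip().lower()
    memberships = MEMBERSHIPS.get(user_id)  # stands in for the Org API lookup
    if not step("identity", memberships is not None, f"userId {user_id!r} resolved by email"):
        return d
    # Agency in the token is context: it must match a membership, never grant one.
    m = next((x for x in memberships if x["agency"] == claims.get("agency")), None)
    if not step("agency", m is not None, f"token agency {claims.get('agency')!r} vs memberships"):
        return d
    if not step("role", action in ROLE_ACTIONS.get(m["role"], set()),
                f"role {m['role']!r} for action {action!r}"):
        return d
    if not step("jurisdiction", jurisdiction in m["jurisdictions"],
                f"{jurisdiction!r} in {sorted(m['jurisdictions'])}"):
        return d
    d.allow = True
    return d

if __name__ == "__main__":
    tok = {"userId": "Ann.Rivera@gmail.com", "agency": "Atlas Agency"}
    for rec in authorize(tok, "quote:create", "CA").trace:
        print(rec)
```

The evaluation stops at the first failing rule, so the last trace entry is always the reason for a deny.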