🔐 auth.mediagato.com
Keycloak-powered identity fabric for every lab property
The control tower for identity across the MEDiAGATO ecosystem. Built on Keycloak with a Git-driven workflow, it unifies realms, apps, and device login under a single authority—complete with SSO, modern protocols, and disaster-ready automation.
🏢 Multi-Tenant Realms
Realm-per-tenant or shared-realm isolation strategies, preloaded with `first-party` clients and Git-managed configuration, so teams can collaborate without stepping on each other.
🔄 SSO & Protocol Stack
OpenID Connect by default with SAML-ready scripts, Authorization Code + PKCE flows, and per-app scopes. Everything stays in sync whether you’re running locally or at the edge.
🧭 Secure Access
MFA across WebAuthn, TOTP, SMS, and email; SCIM bridges for provisioning; policy-tuned authentication trees that keep operators in control while users glide through sign-in.
⚙️ Autopilot Operations
Docker Compose with `restart: unless-stopped`, optional systemd units, tunnel setup scripts, and command packs for backups, realm exports, and post-outage recovery.
Expose authentication anywhere with Cloudflare Tunnel
From lab-only networks to public endpoints, the tunnel scripts align Keycloak hostnames, TLS, and DNS so the federation landing page stays reachable without weakening the zero-trust posture.