# Security Model (/docs/runtime/runtime-security-model)
Runtime security is built from several cooperating controls rather than a single security product.

## Security Domains [#security-domains]

The Runtime security model is based on four main domains:

* **Identity**
  Keycloak provides authentication and identity federation.
* **Authorization**
  OpenFGA supports fine-grained permission models where needed.
* **Secrets and sensitive configuration**
  OpenBao centralizes secret and key management.
* **Transport security**
  cert-manager, ingress configuration, and TLS certificates protect exposed endpoints.

## Practical Security Flow [#practical-security-flow]

In a typical Runtime flow:

1. a user or client reaches a platform endpoint through ingress or the API gateway (APISIX), over TLS terminated with cert-manager-issued certificates
2. authentication is delegated to the platform identity layer (Keycloak) rather than handled by each application
3. authorization is enforced through gateway rules, application logic, or fine-grained policy services (OpenFGA), depending on how granular the decision needs to be
4. workloads consume secrets through controlled platform mechanisms (OpenBao) rather than hard-coded credentials
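One way to express steps 1, 2 and 4 of that flow at the gateway, as an added example and not configuration from the Runtime project itself: an APISIX standalone `apisix.yaml` with two routes protected by the `openid-connect` plugin. Authentication is delegated to Keycloak through OIDC discovery, and the client secret is read from the gateway's environment instead of being written into the route. The hostnames, realm, client ids, upstream service names and the `PLATFORM_API_OIDC_CLIENT_SECRET` variable name are assumptions; TLS for these hosts is assumed to be terminated with a cert-manager-issued certificate, as the Transport security domain describes.

```yaml
# Added example, not the Runtime project's own configuration.
# APISIX standalone declarative config (apisix.yaml); names below are assumptions.
routes:
  # Route 1: machine clients calling the API with a bearer token.
  - id: platform-api
    uri: /api/*
    hosts:
      - api.platform.example.com
    upstream:
      type: roundrobin
      nodes:
        "platform-api.platform.svc.cluster.local:8080": 1
    plugins:
      openid-connect:
        # Step 2: authentication is delegated to Keycloak; the plugin pulls
        # issuer, JWKS and endpoint URLs from the realm's discovery document.
        discovery: https://sso.platform.example.com/realms/platform/.well-known/openid-configuration
        realm: platform
        client_id: platform-api
        # Step 4: no hard-coded credential. APISIX resolves "$env://" at load
        # time from the gateway pod's environment, which the platform fills
        # from its secret store (OpenBao) rather than from a committed file.
        client_secret: "$env://PLATFORM_API_OIDC_CLIENT_SECRET"
        scope: openid
        # API clients must present a token; never start the browser login flow here.
        bearer_only: true
        # Validate JWT signatures locally against the realm's JWKS instead of
        # calling the introspection endpoint on every request.
        use_jwks: true
        # Verify the TLS certificate of Keycloak when fetching discovery/JWKS.
        ssl_verify: true
        # Forward the verified identity to the upstream so application logic
        # or a policy service (step 3) can make the fine-grained decision.
        set_userinfo_header: true
        set_access_token_header: true

  # Route 2: a browser-facing UI; unauthenticated users are redirected to Keycloak.
  - id: platform-ui
    uri: /*
    hosts:
      - app.platform.example.com
    upstream:
      type: roundrobin
      nodes:
        "platform-ui.platform.svc.cluster.local:3000": 1
    plugins:
      openid-connect:
        discovery: https://sso.platform.example.com/realms/platform/.well-known/openid-configuration
        realm: platform
        client_id: platform-ui
        client_secret: "$env://PLATFORM_UI_OIDC_CLIENT_SECRET"
        scope: openid profile email
        bearer_only: false
        # Callback path handled by the plugin itself; it must be registered as a
        # valid redirect URI on the Keycloak client.
        redirect_uri: https://app.platform.example.com/oidc/callback
        logout_path: /logout
        ssl_verify: true
        set_userinfo_header: true
#END
```

The difference between the two routes is the point of step 1: a client that already holds a token gets `bearer_only: true` and is rejected with 401 if the token is missing or invalid, while an interactive user is sent through the authorization-code flow. In both cases the gateway only establishes identity; the authorization decision of step 3 is taken downstream from the forwarded headers.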

## SSO Enrollment Model [#sso-enrollment-model]

Platform components do not register with Keycloak manually. The Terraform deployment layer generates Argo CD hook jobs that automatically enroll each SSO-enabled component into Keycloak before the component starts:

* A **PreSync setup job** creates or updates the component's OIDC client, groups, roles, and group-role mappings.
* A **PostDelete cleanup job** removes those resources when the component is deleted.

This means SSO integration is declarative: it is defined in the deployment configuration and applied automatically during each Argo CD sync. Components do not need custom login code or manual Keycloak admin steps.

Each component can be individually opted in or out of SSO through its `sso_enable` Terraform flag (defaults to `true`). For details, see the [Keycloak component page](/docs/runtime/components/keycloak) and the [Configuration Model](/docs/deployment/configuration-model#sso-scope).
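The following pair of Kubernetes Jobs is an added example of the shape such hook jobs take, not the manifests the Runtime Terraform layer actually renders. It enrolls a hypothetical `grafana` component: the PreSync job creates or updates the OIDC client, a client role, a group and the group-role mapping using Keycloak's own `kcadm.sh`; the PostDelete job removes them. The namespace, image tag, realm, redirect URI, the `keycloak-admin-credentials` Secret (providing `KC_URL`, `KC_ADMIN_USER`, `KC_ADMIN_PASSWORD`) and the `grafana-oidc-client` Secret (providing `OIDC_CLIENT_SECRET`) are assumptions; in the Runtime model these would be rendered by Terraform only when the component's `sso_enable` flag is true.

```yaml
# Added example, not the Runtime project's own manifests; names are assumptions.
apiVersion: batch/v1
kind: Job
metadata:
  name: grafana-sso-setup
  namespace: platform
  annotations:
    argocd.argoproj.io/hook: PreSync                     # runs before the component is synced
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation  # old run is replaced on each sync
spec:
  backoffLimit: 3
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: enroll
          image: quay.io/keycloak/keycloak:26.0
          envFrom:
            - secretRef:
                name: keycloak-admin-credentials       # KC_URL, KC_ADMIN_USER, KC_ADMIN_PASSWORD
            - secretRef:
                name: grafana-oidc-client              # OIDC_CLIENT_SECRET (sourced from OpenBao)
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -euo pipefail
              # --config keeps kcadm's session file in a writable location inside the container.
              KC="/opt/keycloak/bin/kcadm.sh --config /tmp/kcadm.config"
              REALM=platform
              REDIRECT='redirectUris=["https://grafana.platform.example.com/login/generic_oauth"]'
              $KC config credentials --server "$KC_URL" --realm master \
                --user "$KC_ADMIN_USER" --password "$KC_ADMIN_PASSWORD"
              # Create-or-update is what makes this safe to run on every Argo CD sync.
              ID=$($KC get clients -r "$REALM" -q clientId=grafana --fields id --format csv --noquotes)
              if [ -z "$ID" ]; then
                ID=$($KC create clients -r "$REALM" -i \
                  -s clientId=grafana -s protocol=openid-connect -s publicClient=false \
                  -s standardFlowEnabled=true -s directAccessGrantsEnabled=false \
                  -s "$REDIRECT" -s secret="$OIDC_CLIENT_SECRET")
              else
                $KC update "clients/$ID" -r "$REALM" -s "$REDIRECT" -s secret="$OIDC_CLIENT_SECRET"
              fi
              # Client role, group, and group-role mapping; creates are tolerated if they already exist.
              $KC create "clients/$ID/roles" -r "$REALM" -s name=admin 2>/dev/null || true
              $KC create groups -r "$REALM" -s name=grafana-admins 2>/dev/null || true
              $KC add-roles -r "$REALM" --gname grafana-admins --cclientid grafana --rolename admin
---
apiVersion: batch/v1
kind: Job
metadata:
  name: grafana-sso-cleanup
  namespace: platform
  annotations:
    argocd.argoproj.io/hook: PostDelete                  # runs after the Application's resources are deleted
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  backoffLimit: 3
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: cleanup
          image: quay.io/keycloak/keycloak:26.0
          envFrom:
            - secretRef:
                name: keycloak-admin-credentials
          command: ["/bin/bash", "-c"]
          args:
            - |
              set -euo pipefail
              KC="/opt/keycloak/bin/kcadm.sh --config /tmp/kcadm.config"
              REALM=platform
              $KC config credentials --server "$KC_URL" --realm master \
                --user "$KC_ADMIN_USER" --password "$KC_ADMIN_PASSWORD"
              # Deleting the client also removes its client roles.
              ID=$($KC get clients -r "$REALM" -q clientId=grafana --fields id --format csv --noquotes)
              if [ -n "$ID" ]; then $KC delete "clients/$ID" -r "$REALM"; fi
              # exact=true avoids matching other groups whose names merely contain the string.
              GID=$($KC get groups -r "$REALM" -q search=grafana-admins -q exact=true --fields id --format csv --noquotes)
              if [ -n "$GID" ]; then $KC delete "groups/$GID" -r "$REALM"; fi
```

Two properties matter for a practitioner. The setup script is idempotent, so re-syncing never produces duplicate clients or rotates the secret unexpectedly, and the component's secret and the Keycloak admin credentials both arrive as mounted Secrets rather than as literals in the manifest. If a component is deployed with `sso_enable` false, neither Job is rendered, and the component simply has no Keycloak client to clean up.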

## What This Enables [#what-this-enables]

This model gives BullSequana AI a consistent approach to:

* single sign-on for platform services
* automatic SSO enrollment and cleanup for every component
* secure service exposure
* centralized credential handling
* auditable access patterns
* reusable platform controls across products

## Security Is Platform-Wide [#security-is-platform-wide]

Runtime security is not confined to the Runtime layer or to these Runtime pages. It is the base security model inherited by the other platform layers. That is why components such as APISIX, Keycloak, OpenFGA, OpenBao, and cert-manager appear repeatedly across the rest of the stack.
