Identity & Access Automation Infrastructure

Zipline Identity Management Platform

Architected and deployed a FastAPI-based orchestration platform that automates onboarding, offboarding, and identity synchronization across Active Directory, Azure AD, Exchange Online, and multiple SaaS systems.

Context

Managing the employee lifecycle meant touching multiple disconnected systems for every hire and departure — Active Directory, Azure AD/Entra, Exchange Online, Trelica, Keeper password manager. Each offboarding alone required 9+ manual steps across these systems, taking 30-45 minutes per employee and prone to missed steps that left security gaps.

Challenge

The platform had to orchestrate actions across on-premises Active Directory and cloud systems simultaneously, handle partial failures gracefully (one system down shouldn’t block the entire workflow), process long-running operations asynchronously, and provide real-time status visibility, all while maintaining security through API key authentication and network controls.

Solution

A distributed system with API, message queue, and worker architecture:

FastAPI API Layer: REST endpoints for workflows, user management, password resets, directory sync, and health monitoring. Pydantic models validate all inputs.

RabbitMQ Message Queue: Decouples API request handling from job execution. Ensures persistence and delivery guarantees, enabling horizontal scaling of worker processes.

Dramatiq Task Workers: Background job execution with custom middleware for status tracking (enqueued → in-progress → completed/failed). Results stored in Redis with configurable TTL.

Service Integration Layer: Dedicated service classes for Microsoft Graph, Exchange Online, Local AD, Entra Connect, Trelica webhooks, and Keeper password manager. Each has its own health checks and error handling.

Zipline GUI: A Flask + HTMX web dashboard providing a step-by-step wizard interface for IT admins to execute and monitor workflows.

┌─────────────┐     ┌──────────────┐     ┌──────────────┐
│  Zipline    │────▶│   FastAPI    │────▶│  RabbitMQ    │
│  GUI (HTMX) │     │   (API)      │     │  (Queue)     │
└─────────────┘     └──────────────┘     └──────┬───────┘
                                                 │
                                         ┌───────▼───────┐
                                         │   Dramatiq    │
                                         │   (Workers)   │
                                         └───────┬───────┘
                           ┌─────────────────────┼─────────────────────┐
                           ▼                     ▼                     ▼
                    ┌──────────┐          ┌──────────┐          ┌──────────┐
                    │ Azure AD │          │ Exchange │          │ Local AD │
                    │ / Graph  │          │ Online   │          │ (On-Prem)│
                    └──────────┘          └──────────┘          └──────────┘
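The partial-failure handling and the enqueued → in-progress → completed/failed status tracking described above, as an added framework-agnostic illustration (not Zipline's code): the dict stands in for the Redis result store, the three system actions are constructed stubs, and the Dramatiq middleware and RabbitMQ hop are omitted.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List

class Status(str, Enum):
    ENQUEUED = "enqueued"
    IN_PROGRESS = "in-progress"
    COMPLETED = "completed"
    FAILED = "failed"

@dataclass
class Step:
    system: str                    # target system, e.g. "local_ad"
    action: Callable[[str], None]  # applies the change for one user

@dataclass
class JobRecord:
    status: Status = Status.ENQUEUED
    steps: Dict[str, str] = field(default_factory=dict)  # system -> "ok" or error text

def enqueue(store: Dict[str, JobRecord], job_id: str) -> JobRecord:
    """API side: register the job as enqueued before handing it to the queue."""
    store[job_id] = JobRecord()
    return store[job_id]

def run_offboarding(store: Dict[str, JobRecord], job_id: str, user: str, steps: List[Step]) -> JobRecord:
    """Worker side: run every step even when an earlier one raises, so one
    unavailable system never blocks access revocation in the others.
    The store dict stands in for the Redis result store (TTL omitted)."""
    rec = store[job_id]
    rec.status = Status.IN_PROGRESS
    for step in steps:
        try:
            step.action(user)
            rec.steps[step.system] = "ok"
        except Exception as exc:           # record the failure and keep going
            rec.steps[step.system] = f"error: {exc}"
    # The job only counts as completed when no system still needs manual remediation.
    ok = all(v == "ok" for v in rec.steps.values())
    rec.status = Status.COMPLETED if ok else Status.FAILED
    return rec

def demo() -> JobRecord:
    """Constructed scenario: Exchange Online is unreachable during an offboarding."""
    def exchange_down(user: str) -> None:
        raise ConnectionError("Exchange Online API unreachable")
    steps = [
        Step("local_ad", lambda u: None),         # disable account (stub)
        Step("exchange_online", exchange_down),   # convert mailbox (fails)
        Step("entra_id", lambda u: None),         # revoke sessions (stub)
    ]
    store: Dict[str, JobRecord] = {}
    enqueue(store, "job-1")
    return run_offboarding(store, "job-1", "jdoe", steps)
```

The per-system entries in the record are what the GUI would surface, so an operator sees exactly which revocation is still outstanding instead of a single opaque failure.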

Deployment

Containerized deployment with separate API and worker containers sharing the same Python base image. RabbitMQ and Redis run as infrastructure services via Docker Compose. The system integrates with on-premises Active Directory through dedicated API services (Local AD API in .NET, Exchange Online API via PowerShell/FastAPI bridge) while reaching cloud services directly.

Impact

Tech Stack

Python, FastAPI, RabbitMQ, Redis, Dramatiq, Docker, Flask, HTMX, Microsoft Graph