The principal object in the request only requires an ID and a list of roles - beyond that the attributes block is free for you to define and isn't opinionated where the identity comes from.
Common sources of user context we see are Okta/Auth0, AWS Cognito, KeyCloak, Entra ID, Radiant Logic.
One often overlooked feature is the ability to send a JWT along with the request, which Cerbos will then parse and make the context available inside of a policy for inspection. Additionally, you can configure the PDP with a keyset and Cerbos will verify the JWT, which also acts as another layer of protection for your application.
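As an added illustration (not from the original post or the Cerbos docs), here is how the three pieces fit together: the PDP keyset config, a check request carrying the JWT as aux data, and a policy condition reading a verified claim. The hostname, key set id, resource kind and claim names are made-up placeholders; the field shapes follow the Cerbos API as I know it.

```yaml
# Added example, not Cerbos's own docs. URLs, ids, resource kind and the
# "groups" claim are placeholders; field shapes follow the Cerbos API as I know it.

# 1. PDP configuration (.cerbos.yaml): register a JWKS so the PDP verifies
#    the token signature before any claim is exposed to a policy.
auxData:
  jwt:
    keySets:
      - id: idp-keys                       # referenced by keySetId below
        remote:
          url: https://idp.example.com/.well-known/jwks.json
---
# 2. CheckResources request: principal needs only id + roles; attr is
#    free-form, and the raw JWT rides along in auxData.
requestId: req-001
principal:
  id: alice
  roles: [employee]
  attr:
    department: finance
resources:
  - actions: [view]
    resource:
      kind: expense_report
      id: er-42
      attr:
        owner_department: finance
auxData:
  jwt:
    token: "<JWT issued by the IdP>"
    keySetId: idp-keys
---
# 3. Resource policy: verified claims are available as request.aux_data.jwt.<claim>
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: expense_report
  rules:
    - actions: [view]
      effect: EFFECT_ALLOW
      roles: [employee]
      condition:
        match:
          all:
            of:
              # attribute from the principal block
              - expr: request.resource.attr.owner_department == request.principal.attr.department
              # claim from the signature-verified token
              - expr: '"finance-viewer" in request.aux_data.jwt.groups'
```

If the token fails verification against the configured key set, the claims are not populated, so a rule that depends on them evaluates to deny rather than trusting unverified input.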