Identity Fabric is a working name for this product.

Progress to beta: 55%

A federation layer that sits between your applications and your identity providers. It aggregates authentication from multiple upstream IdPs (Okta, Azure AD, Google Workspace, or your own) into a single, consistent interface. Your applications connect to Identity Fabric; Identity Fabric handles the complexity of the identity sources behind it.

This simplifies cross-organizational work. Different teams, partners, or subsidiaries can use their own identity providers while your applications see a unified view. Identity Fabric handles the translation, enforces consistent policies, and maintains clear organizational boundaries.


Why Identity Fabric

Simplify multi-IdP environments. Connect multiple identity providers without modifying your applications. Add or remove IdPs, change routing rules, or migrate providers. Your downstream applications remain unchanged.

Enforce organizational boundaries. Multi-tenant architecture with isolation enforced at the database level: each organization's rows are scoped by row-level security policies, so a query issued on behalf of one tenant cannot return another tenant's data. This holds as long as every connection runs under a database role the policies apply to, with the tenant context set per request; the boundary does not rest on application-side filtering alone.

Make identity robust. A consistent layer between your applications and identity sources. Centralized audit logging, unified MFA policies, and reliable user lifecycle management regardless of which IdP a user authenticates through.

Deploy where you need it. On-premises, in your cloud, or hybrid. No vendor lock-in, no external dependencies. API-first architecture with OpenAPI specification.


Core Capabilities

Authentication

SAML 2.0 Single Sign-On. Connect to any SAML identity provider including Okta, Azure AD, Google Workspace, or your own. Full support for SP-initiated flows, signature validation, and assertion parsing.

OAuth2 / OpenID Connect. Authorization code flow with token refresh. Configurable access and refresh token lifetimes. Client credentials flow for service-to-service authentication.

Password authentication. Secure password hashing with bcrypt. Password reset flows and initial setup via email invitation.

Email possession verification. Anti-enumeration protection: control of the mailbox is confirmed before login proceeds, and the reply to the email step is the same whether or not an account exists, so the login flow cannot be used to discover which accounts exist.
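The property that matters is that an unknown address and a known one produce the same reply and the same amount of work. The following is an added example of such a flow, written for this page rather than taken from Identity Fabric: the account store, pending-code table and mail outbox are in-memory stand-ins (constructed fixtures), the code lifetime and attempt cap are assumed values, and the code is hashed with SHA-256 only because it is short-lived and attempt-limited.

```python
"""Email-possession step that answers identically for known and unknown
addresses (example code, not the product's own)."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed lifetime of a mailed code
MAX_ATTEMPTS = 5         # assumed cap; a 6-digit code has only 10**6 values
GENERIC_REPLY = "If an account exists for that address, a sign-in code has been emailed."

# Constructed fixtures: accounts keyed by normalised email; OUTBOX stands in for SMTP.
ACCOUNTS = {"alice@example.com": {"id": 1}}
OUTBOX = []
PENDING = {}   # email -> {"digest", "expires", "attempts"}


def _normalise(email: str) -> str:
    return email.strip().lower()


def _hash_code(email: str, code: str) -> str:
    return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()


def start_login(email: str, now=None) -> str:
    """Always return GENERIC_REPLY; only a real account gets mail.

    The code is generated and hashed on both paths so the work done (and so
    the response time) does not depend on whether the account exists.
    """
    now = time.time() if now is None else now
    email = _normalise(email)
    code = f"{secrets.randbelow(10**6):06d}"
    digest = _hash_code(email, code)
    if email in ACCOUNTS:
        PENDING[email] = {"digest": digest, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        OUTBOX.append((email, code))
    return GENERIC_REPLY


def verify_code(email: str, code: str, now=None) -> bool:
    """True only for a live, unexpired, correct code; codes are single use."""
    now = time.time() if now is None else now
    email = _normalise(email)
    entry = PENDING.get(email)
    if entry is None:
        # Do a comparison anyway so a missing entry is not faster to reject.
        hmac.compare_digest(_hash_code(email, code), _hash_code(email, "000000"))
        return False
    if now >= entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del PENDING[email]
        return False
    entry["attempts"] += 1
    if not hmac.compare_digest(entry["digest"], _hash_code(email, code)):
        return False
    del PENDING[email]
    return True
```

Only the password step, reached after the mailbox is confirmed, ever touches the account record, so a wrong-address probe and a right-address probe are indistinguishable from the outside.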


Multi-Factor Authentication

TOTP authenticators. Support for Google Authenticator, Authy, Microsoft Authenticator, and any TOTP-compatible app. Standard 6-digit codes with 30-second time steps (RFC 6238).

Email one-time passwords. 6-digit codes sent via email for users who prefer not to use authenticator apps.

Backup codes. Recovery codes for account access when primary MFA is unavailable.

Configurable enforcement. Tenant-level setting to make MFA mandatory or optional. Per-user MFA status tracking.
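Two details decide whether the TOTP and backup-code factors above actually hold up: a code must not be accepted twice (or after a later code has been used), and backup codes must be stored hashed and consumed on use. The block below is an added example written for this page, not Identity Fabric's code. It implements RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second steps) with a one-step drift window, keeps the per-user state in an in-memory object (a stand-in for the user record), and uses 40-bit backup codes hashed with SHA-256 as an assumed format.

```python
"""TOTP with drift window and replay protection, plus hashed single-use backup
codes (example code, not the product's own)."""
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30     # seconds per time step
DIGITS = 6
WINDOW = 1    # accept one step either side of the current one


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def totp(key: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole STEP intervals since the epoch."""
    return hotp(key, int(at) // STEP)


class MfaState:
    """Per-user MFA record: TOTP secret, last accepted step, hashed backup codes."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1        # highest time step already consumed
        self.backup_hashes = set()

    def verify_totp(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        code = code.strip()
        if not code.isdigit() or len(code) != DIGITS:
            return False
        current = int(now) // STEP
        for step in range(current - WINDOW, current + WINDOW + 1):
            if step <= self.last_step:
                continue           # already used, or older than one that was: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False

    def issue_backup_codes(self, n: int = 8):
        """Return the plaintext codes once; only their hashes are kept."""
        codes = [secrets.token_hex(5) for _ in range(n)]    # 40-bit codes
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify_backup_code(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        hit = None
        for h in self.backup_hashes:    # walk every hash so timing is uniform
            if hmac.compare_digest(h, digest):
                hit = h
        if hit is None:
            return False
        self.backup_hashes.remove(hit)  # single use
        return True
```

Recording the last accepted step (rather than the last accepted code) is what blocks both straight replay and the use of an older code still inside the window. If the user store could leak, backup codes deserve a slow hash with a per-code salt rather than plain SHA-256; the structure above does not change.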


User Lifecycle Management

Provisioning. Create users directly through the admin interface or via API. Email invitations with secure password setup links.

Just-in-time provisioning. Automatic user creation on first SAML login. Configurable attribute mapping for email, name, and other fields.
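The mapping step is also where an account-takeover risk lives: if any connected IdP can assert any email address, a user of one IdP could claim an address belonging to someone provisioned through another. The following is an added example written for this page, not Identity Fabric's implementation. It takes the attributes as an already-validated dict (attribute name to list of values), uses two constructed mapping tables in the style of Okta and Azure AD claim names, and treats a per-tenant allowed-domain list as an assumed configuration setting; the user store is a dict stand-in.

```python
"""Just-in-time provisioning from SAML attributes with configurable mapping
(example code, not the product's own)."""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

# Constructed mapping tables: local field -> SAML attribute name.
OKTA_STYLE = {"email": "email", "first_name": "firstName", "last_name": "lastName"}
AZURE_STYLE = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}


class ProvisioningError(ValueError):
    pass


def map_attributes(attributes: dict, mapping: dict, required=("email",)) -> dict:
    """Build a user record from assertion attributes using the tenant's mapping."""
    user = {}
    for field, attr_name in mapping.items():
        values = attributes.get(attr_name) or []
        if values and values[0].strip():
            user[field] = values[0].strip()
    missing = [f for f in required if f not in user]
    if missing:
        raise ProvisioningError(f"assertion lacks required attribute(s): {missing}")
    user["email"] = user["email"].lower()
    return user


def jit_provision(attributes: dict, tenant: dict, users: dict):
    """Create the user on first login; return (user, created).

    tenant: {"id", "mapping", "allowed_domains"} (assumed shape)
    users:  existing accounts keyed by (tenant id, email), a dict stand-in
    """
    record = map_attributes(attributes, tenant["mapping"])
    m = EMAIL_RE.match(record["email"])
    if not m:
        raise ProvisioningError("email attribute is not an address")
    domain = m.group(1)
    if domain not in tenant["allowed_domains"]:
        # An IdP may only mint or claim accounts for domains it is trusted for;
        # otherwise any connected IdP could assert a victim's address.
        raise ProvisioningError(f"IdP not trusted for domain {domain}")
    key = (tenant["id"], record["email"])
    if key in users:
        return users[key], False
    users[key] = {**record, "tenant_id": tenant["id"], "status": "active"}
    return users[key], True
```

Scoping the store key by tenant keeps the same address in two tenants as two distinct accounts, which is what the multi-tenant isolation described later requires.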

Activity tracking. Last-activity timestamps maintained on a rolling basis, so dormancy is measured from the most recent authenticated action rather than from account creation. Identify dormant accounts before they become security risks.

Automatic inactivation. Configurable thresholds (14, 30, or 90 days) for automatically inactivating dormant users.

GDPR-compliant anonymization. Irreversible PII removal for right-to-be-forgotten requests; the audit trail is preserved, with the anonymized record standing in for the removed identity.

Reactivation workflows. Inactivated users can request reactivation. Admins review, approve, or deny with email notifications at each step.


Enterprise Features

Multi-tenant architecture. Tenant isolation with subdomain-based routing: the tenant is resolved from the request's subdomain, and row-level security is enforced at the database layer for every query made on its behalf.

Role-based access control. Three-tier model: Member, Admin, Super Admin. Granular permissions for user management, settings, and audit access.

Audit logging. Every write operation logged with actor, timestamp, artifact type, and custom context. Request metadata includes IP address, user agent, and session information.

Background jobs. Asynchronous processing for exports, maintenance tasks, and scheduled operations. Job status tracking with completion notifications.

Event export. Full audit trail export as JSON with automatic file cleanup. Useful for compliance reporting and external analysis.


Roadmap

Coming Soon

  • Provider-specific helpers. Attribute mapping presets for Okta, Azure AD, and Google Workspace to simplify SAML configuration.
  • Single Logout (SLO). Coordinated logout across all connected applications when users sign out.
  • SP certificate rotation. Certificate management with grace periods for seamless key rotation.
  • Integration management UI. Web interface for managing OAuth2 clients and B2B service accounts.

Planned

  • Organizational structure. Hierarchical org units and ad-hoc groups for complex organizational modeling.
  • Internationalization. Multi-language support with user language preferences and localized date/time formatting.
  • Multi-region routing. Geographic data residency with intelligent tenant routing.