Pillar two
Authentication, group membership, lifecycle, and offboarding stay where your auditors expect them — in your identity provider. The platform consumes the signal and enforces the consequence on every session.
A user who leaves your directory leaves your network the same minute.
In depth
No second directory. No duplicate accounts. The platform reads from your authoritative source and binds every session to a current identity record.
Microsoft Entra ID, Okta, Google Workspace, Ping Identity, and any standards-compliant SAML or OpenID Connect provider.
Passkeys and authenticator apps enrolled through the platform. Backup codes generated and rotated.
Users and groups arrive and depart by directory event. A leaver loses access on the deprovisioning event, not on the next access review.
Built-in roles for the common shapes — administrator, operator, viewer — plus fully bespoke roles where the organisation has a specific need.
Single-use invitation links for contractors, counsel, and external collaborators. Links expire on schedule with no admin action required.
Privileged actions require an access request; each request is logged, and granted access times out automatically. There is no standing administrator access.
Each tenant binds its own identity provider. A multi-organisation deployment does not commingle authentication paths.
Group membership and entitlement changes propagate to live sessions immediately, not at the next token refresh.