Identity & SSO
TapPass federates human login with any OIDC or SAML IdP, and issues workload identities via SPIFFE/SPIRE for agent-to-agent trust.
Shipped identity integrations
| Provider | Protocols | Go to |
|---|---|---|
| Azure AD (Entra ID) | OIDC + SAML | Azure AD |
| Okta | OIDC + SAML | Okta |
| Google Workspace | OIDC | Google Workspace |
| OneLogin, JumpCloud, generic IdPs | SAML 2.0 | SAML 2.0 |
| Workloads (agents, services) | SPIFFE / SPIRE | SPIFFE / SPIRE |
Two distinct flows
Human login (SSO)
Users sign in via SSO → TapPass issues a session → the session is used to administer the platform (manage agents, view the audit trail, set policy).
User → TapPass → IdP → TapPass → dashboard session
Workload identity (SPIFFE)
Agents / services authenticate via mTLS using SPIFFE SVIDs — no human credentials, no long-lived API keys.
Agent (SVID) → mTLS → TapPass → verifies trust domain → issues scoped token
Why federate
- Domain allowlist — only users with a corporate email address can log in.
- Group / role mapping — IdP groups map to TapPass RBAC roles.
- Session hygiene — session lifetime follows IdP policy (MFA, re-auth).
- Offboarding — deactivate in IdP, user loses access within 60 seconds (sessions expire).
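The "verifies trust domain" step of the workload identity flow above, as an added example that is not TapPass code: it extracts the SPIFFE ID from a peer certificate's URI SAN, rejects anything that is not a well-formed X.509-SVID or that belongs to a foreign trust domain, and returns the SPIFFE ID a scoped token would be bound to. The trust domain `example.org`, the function names and the self-signed test certificate are assumptions for the example; in a real deployment the TLS handshake has already chained the SVID to the SPIRE trust bundle.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SPIFFEIDFromSVID applies the X.509-SVID rule: exactly one URI SAN, scheme spiffe, non-empty trust domain.
func SPIFFEIDFromSVID(cert *x509.Certificate) (*url.URL, error) {
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" || cert.URIs[0].Host == "" {
		return nil, fmt.Errorf("certificate with URI SANs %v is not an X.509-SVID", cert.URIs)
	}
	return cert.URIs[0], nil
}

// AuthorizeWorkload refuses SVIDs from any trust domain other than ours before a scoped
// token is minted, and returns the SPIFFE ID the token should be bound to.
func AuthorizeWorkload(cert *x509.Certificate, trustDomain string) (string, error) {
	id, err := SPIFFEIDFromSVID(cert)
	if err != nil {
		return "", err
	}
	if id.Host != trustDomain {
		return "", fmt.Errorf("trust domain %q rejected (want %q)", id.Host, trustDomain)
	}
	return id.String(), nil
}

// NewTestSVID builds a self-signed certificate carrying the given URI SANs. Constructed
// test input only: real SVIDs are issued by SPIRE and chain to its trust bundle.
func NewTestSVID(uris ...string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	for _, u := range uris {
		parsed, _ := url.Parse(u)
		tmpl.URIs = append(tmpl.URIs, parsed)
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Println(AuthorizeWorkload(NewTestSVID("spiffe://example.org/agent/billing"), "example.org"))
}
```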
Not yet supported
- LDAP / Active Directory (direct bind) — use an IdP (Azure AD, Okta) in front of LDAP instead.
- Generic OAuth 2.0 for user login — only the named OIDC providers above.