Identity & access
SSO, SCIM provisioning, and passwordless unlock.
OIDC sign-in to your IdP, SCIM 2.0 to auto-provision users and groups, and WebAuthn-PRF passkeys that unlock your E2EE vault without typing a passphrase. IdP group claims map automatically to your teams and roles.
IdP
Okta / Entra / Google
OIDC + SCIM
login + provisioning
Synaptyx
teams · roles · passkey unlock
How it works
1
User clicks "Log in with SSO"
Standard OIDC discovery from work email domain.
2
OIDC redirect
Off to your IdP - Okta, Entra, Google, anything OIDC.
3
SCIM syncs & JIT-provisions
User created on first login. Group claims map to your teams and roles.
4
Passkey unlocks E2EE
WebAuthn-PRF derives the wrap key. No passphrase typed. Your master key never leaves the device.
Deep dives
SCIM 2.0 provisioning
Off-boarding in your IdP propagates within seconds. No orphaned access. Standard /scim/v2/Users and /Groups endpoints.
Group → team/role mapping
IdP group claims map automatically to your Synaptyx teams and roles - configured per company and applied on every SSO sign-in, for both new (JIT) and returning users.
WebAuthn-PRF auto-unlock
Passkey produces a deterministic PRF output. HKDF derives the wrap key for your E2EE vault. We see neither the passkey nor the derived key.
SCIM mapping example
config · scim_mapping.yaml
oidc_claims:
user_id: sub
email: email
display: name
groups: groups
group_mapping:
# IdP group → team role
acme-platform-eng → platform admin
acme-backend-eng → backend member
acme-design → design member
acme-security-team → [platform, backend] viewer
defaults:
role: viewer
team: unassigned
Offboarding in your IdP = instant revoke here.
Disable a user in Okta on Friday afternoon - their access is gone before they close the laptop. No "did anyone remember to remove…" check on Monday.
Compare
| Synaptyx | Manual user mgmt | SSO without SCIM | |
|---|---|---|---|
| JIT provisioning | on first login | create by hand | login works · no profile |
| Auto-deprovision | SCIM push | manual | stale until manual |
| Group → role mapping | IdP group claims auto-map to roles and teams | assign by hand | default role only |
| Passwordless unlock | WebAuthn-PRF | password only | password fallback |
| E2EE compatibility | preserves zero-knowledge | N/A | often breaks E2EE |
FAQ
Any OIDC IdP with SCIM 2.0. Tested: Okta, Microsoft Entra ID (Azure AD), Google Workspace, JumpCloud, OneLogin, Auth0. Other OIDC providers should work - open an issue if not.
No - OIDC alone works, with JIT-provisioning on first login. But without SCIM you lose auto-deprovision and group sync. Most enterprise customers turn SCIM on.
Your IdP handles MFA - we delegate. If your IdP enforces MFA-on-login or step-up for sensitive actions, those policies carry through.
WebAuthn-PRF returns a deterministic secret derived inside the authenticator. We use HKDF to expand it into your vault's wrap key - entirely client-side. We see only the encrypted vault blob.
Ready to govern your AI infrastructure?
Request access in minutes - or talk to us about your air-gap deployment.