Skip to content
Synaptyx
Identity & access

SSO, SCIM provisioning, and passwordless unlock.

OIDC sign-in to your IdP, SCIM 2.0 to auto-provision users and groups, and WebAuthn-PRF passkeys that unlock your E2EE vault without typing a passphrase. IdP group claims map automatically to your teams and roles.

IdP
Okta / Entra / Google
OIDC + SCIM
login + provisioning
Synaptyx
teams · roles · passkey unlock

How it works

1
User clicks "Log in with SSO"
Standard OIDC discovery from work email domain.
2
OIDC redirect
Off to your IdP - Okta, Entra, Google, anything OIDC.
3
SCIM syncs & JIT-provisions
User created on first login. Group claims map to your teams and roles.
4
Passkey unlocks E2EE
WebAuthn-PRF derives the wrap key. No passphrase typed. Your master key never leaves the device.

Deep dives

SCIM 2.0 provisioning
Off-boarding in your IdP propagates within seconds. No orphaned access. Standard /scim/v2/Users and /Groups endpoints.
Group → team/role mapping
IdP group claims map automatically to your Synaptyx teams and roles - configured per company and applied on every SSO sign-in, for both new (JIT) and returning users.
WebAuthn-PRF auto-unlock
Passkey produces a deterministic PRF output. HKDF derives the wrap key for your E2EE vault. We see neither the passkey nor the derived key.

SCIM mapping example

config · scim_mapping.yaml
oidc_claims: user_id: sub email: email display: name groups: groups group_mapping: # IdP group → team role acme-platform-eng platform admin acme-backend-eng backend member acme-design design member acme-security-team [platform, backend] viewer defaults: role: viewer team: unassigned

Offboarding in your IdP = instant revoke here.

Disable a user in Okta on Friday afternoon - their access is gone before they close the laptop. No "did anyone remember to remove…" check on Monday.

Compare

SynaptyxManual user mgmtSSO without SCIM
JIT provisioningon first logincreate by handlogin works · no profile
Auto-deprovisionSCIM pushmanualstale until manual
Group → role mappingIdP group claims auto-map to roles and teamsassign by handdefault role only
Passwordless unlockWebAuthn-PRFpassword onlypassword fallback
E2EE compatibilitypreserves zero-knowledgeN/Aoften breaks E2EE

FAQ

Any OIDC IdP with SCIM 2.0. Tested: Okta, Microsoft Entra ID (Azure AD), Google Workspace, JumpCloud, OneLogin, Auth0. Other OIDC providers should work - open an issue if not.
No - OIDC alone works, with JIT-provisioning on first login. But without SCIM you lose auto-deprovision and group sync. Most enterprise customers turn SCIM on.
Your IdP handles MFA - we delegate. If your IdP enforces MFA-on-login or step-up for sensitive actions, those policies carry through.
WebAuthn-PRF returns a deterministic secret derived inside the authenticator. We use HKDF to expand it into your vault's wrap key - entirely client-side. We see only the encrypted vault blob.

Ready to govern your AI infrastructure?

Request access in minutes - or talk to us about your air-gap deployment.

Get started