Identity & Access Management Platform

Authifi Identity Broker
Feature Overview

A dynamically configurable, multi-tenant authentication and authorization platform built for enterprise, research, and government applications.

Built for Enterprise. Ready for Government.

Authifi delivers a comprehensive identity platform combining standards compliance, deep security controls, and a user-friendly management experience.

FedRAMP High Authorized

Authorized as a supporting service within the Palantir Federal Cloud Service (PFCS-SS) — FedRAMP High, Class D, Rev5 (FR2315464863).

Advanced Security Features

FIDO2/WebAuthn passkeys, TOTP MFA, fail-closed trusted IdP enforcement, JWE-encrypted secrets, TOCTOU mitigations, SAST code scanning, antivirus file scanning, and rate limiting.

User-Friendly Management Console

A full-featured Angular admin UI covers tenant, user, group, client, IdP, RBAC, secrets, jobs, templates, and audit logs — all without touching the API.

Extensive Customization & Extension Support

Custom JavaScript scripting for IdP claims mapping and access control, Handlebars templates for login pages and emails, tenant branding uploads, and pluggable secret backends.

User Self-Service

Users can reset passwords, verify email, enroll TOTP and WebAuthn credentials, manage trusted devices, and permanently delete their accounts per GDPR Art. 17.

Streamlined Access Management Workflows

Self-service access requests and approvals, group membership extensions, expiry warnings, and automated inactive-user removal reduce admin burden and speed up provisioning.

Comprehensive Audit & Compliance

Immutable chained audit logs, CLI usage reporting and login analytics, GDPR-compliant account erasure with preserved legal records, and NHE token audit trail for AI agent activity.

Broad Protocol Support

OIDC, OAuth 2.0, SAML 2.0, WS-Federation, LDAP, and GA4GH Passport in a single platform — enabling federation with any enterprise, academic, or government identity provider.

AI Agent & Machine Identity Ready

First-class Non-Human Entity (NHE) delegation tokens let LLM agents and automated pipelines act on behalf of users with short-lived, narrowly scoped tokens and a full audit trail.

Standards Compliant

OAuth 2.0, OIDC, SAML 2.0, WS-Federation, FIDO2/WebAuthn, GA4GH Passport v1, RFC 8693 Token Exchange, DPoP, and OWASP C10 — built on open, auditable standards.

Feature Summary

All major capability areas at a glance.

Category: Key Capabilities
Authentication Protocols: OIDC · SAML 2.0 · WS-Federation · LDAP · Local
OAuth 2.0 / OIDC Flows: Authorization Code · Client Credentials · Token Exchange · Refresh Token · PKCE
Multi-Factor Authentication: TOTP / RFC 6238 · WebAuthn / FIDO2 · Recovery Codes · Trusted Devices · Step-Up Auth
Multi-Tenancy: Isolated Collections · Shared Workspaces · Trusted Tenants · Per-Tenant Config
Authorization & RBAC: 4-Tier Admin Model · Delegated Scopes · Step-Up Auth · Privileged Entity Protection
Custom Attribute Mapping: SAML mapClaims · OIDC Claim Transform · NameID Formats · Secondary Unique Attrs
Secret Management: HashiCorp Vault · Passbolt · Local JWE · Key Rotation
Machine Identity & Delegation: NHE Tokens · RFC 8693 Token Exchange · Scope Downscoping · Short-Lived Tokens · Audit Trail
Research Identity: GA4GH Passport v1 · Visa Issuance · ORCID Integration · Linked Identities
User Self-Service: Password Reset · MFA Enrollment · Session Management · GDPR Erasure
Access Workflows & Lifecycle: Self-Service Requests · Approval Flows · Inactive User Removal · Membership Expiration
Reporting & Audit: CLI Usage Reports · Login Analytics · Chained Audit Logs · CSV/JSON Export
Customization & Branding: Login Page Templates · Email Templates · Tenant Branding · FedRAMP Upload Controls
Security & Compliance: FedRAMP High (PFCS-SS) · GDPR Art. 17 · OWASP C10 · Antivirus · TOCTOU Fixes
Developer Integrations: OpenAPI / Swagger · Angular SDK · React SDK · CLI · Grafana Proxy
Platform & Infrastructure: High Availability · Redis Clustering · Docker · OpenTelemetry · Prometheus
Standards Compliance: OAuth 2.0 · OIDC · SAML 2.0 · FIDO2 · GA4GH Passport · FedRAMP High

Detailed Capabilities

A comprehensive breakdown of every feature area.

Authentication Protocols — 5 protocols

OpenID Connect · SAML 2.0 · WS-Federation · LDAP · Local Login (testing only)
OpenID Connect / OAuth 2.0
  • Full OIDC provider (node-oidc-provider)
  • Authorization Code, Client Credentials, Refresh Token
  • Token Exchange (RFC 8693) for NHE delegation
  • PKCE for public clients
  • JWT and opaque access token modes
  • Per-tenant .well-known discovery
  • private_key_jwt, client_secret_post, client_secret_basic
  • Custom claims via scripting hooks
SAML 2.0
  • IdP and SP modes
  • Single Logout (SLO) with multiple bindings
  • Configurable attribute mapping and NameID format
  • Per-tenant SAML metadata endpoints
WS-Federation & LDAP
  • ADFS / Azure AD WS-Fed support
  • SharePoint relying party integration
  • LDAP / Active Directory authentication
  • Credential lookup via secret manager
Local Login — Testing & Development Only

Local username/password accounts are not recommended for production. All production deployments should authenticate through a federated identity provider.

  • Username and password authentication
  • Minimum password length enforcement
  • Account lockout for local login is not yet implemented

Multi-Factor Authentication — TOTP · WebAuthn · Recovery Codes

  • TOTP — RFC 6238 (Google Authenticator, Authy, etc.)
  • WebAuthn / FIDO2 — hardware keys & biometrics (passkeys)
  • Recovery Codes — NIST-compliant, PBKDF2-hashed
  • Trusted Device Management — configurable lifetime (default 30 days)
  • MFA Enforcement — configured through identity provider settings (mfaSettings, aal_override) on tenant- and application-level IdPs, at the user level, and per client via step-up authentication
  • Step-Up Authentication — re-prompt for sensitive operations
  • Account Lockout — dual-strike suspension then permanent lockout
  • Admin MFA Reset — via admin::mfa:reset scope
  • Emergency MFA Disable — disables the enrolled factor, clears trusted devices, and security-locks the account pending support
  • MFA Selector UI — user-friendly method selection
  • Configurable TOTP clock drift tolerance
  • HTTP-only, secure cookie device tokens

Multi-Tenancy & Organizational Hierarchy

Collection: Isolated tenant tree · delegated admin boundary
Workspace / Tenant: Per-tenant IdPs, clients, session config, endpoints
Team / Group: Carries permissions · expiry dates · membership roles
User / Person: Global identity or per-collection isolated account
  • Unlimited tenant creation
  • Isolated collections — fully separate user pools
  • Shared mode — single global identity
  • Cross-tenant trust (Trusted Tenants)
  • Per-tenant MFA enforcement settings
  • Per-tenant session lifetime configuration
  • Delegated collection administration
  • Restrict tenant creation to Super Admins (optional)

Authorization & RBAC — 4-Tier Model

Super Administrator: Platform-wide access · only tier that can create/assign privileged entities · bypasses most checks
Tenant Administrator: Full admin within one tenant · cannot manage privileged entities or exceed own authority
Delegated Admin: Targeted elevated permissions via granular ADMIN_SCOPE.* scopes assigned by Super Admins
Regular User: Access controlled by group membership, roles, and permissions
Step-Up Authentication
  • Per-client step-up MFA configuration (stepUpAuth.mfaOptions: TOTP, WebAuthn, or either)
  • Honors acr_values requested in the authorization request to trigger re-authentication
  • Force re-authentication for sensitive operations via the prompt parameter
Groups, Roles & Permissions
  • Membership roles: Member, Manager, Owner
  • Membership expiration and warning dates
  • Member-initiated extension requests
  • AD Group support (Azure AD group claims)
  • Client Roles (OAuth Client + Tenant)
  • Access Roles (Resource Server + Tenant)
  • Fine-grained permission model
  • Privileged entity protection (isPrivileged flag; enforcement boundary under review — LSA-9042)
Delegated Admin Scopes
Scope                             Purpose
admin::mfa:reset                  Reset any user's MFA
admin::access-scripts:edit        Modify client authorization scripts
admin::provider-scripts:edit      Modify IdP claims mapping scripts
admin::view:idp-secrets           View unmasked IdP secrets
admin::global-secrets:edit        Modify global/system-wide secrets
admin::trusted-provider:edit      Modify trusted identity providers
admin::system-templates:edit      Modify system HTML/email templates
admin::jobs:edit                  Create/modify scheduled jobs
admin::sendmail:use               Send emails via Authifi API
admin::user-ssh-secret:edit       Manage user SSH key operations
admin::admin-permissions:edit     Modify non-privileged RBAC entities

Endpoint enforcement for admin::mfa:reset, admin::sendmail:use, admin::global-secrets:edit, admin::jobs:edit, and admin::view:idp-secrets is being reconciled (tracked in LSA-9041).

Custom Attribute Mapping & Claims Scripting

  • SAML assertion claim remapping via mapClaims scripts
  • OIDC claim transformation and enrichment
  • WSFed claim output configuration
  • Secondary unique attributes (username, UPN, display name)
  • NameID format configuration per IdP
  • Claim priority and fallback rules
  • Per-IdP JavaScript profile mapping scripts
  • Extra token claims injection hooks at issuance

Per-Application Access Restrictions

Restrictions are evaluated sequentially — a user must pass all configured restrictions to gain access.

Type: Description
Group Restrictions: Require membership in Authifi User Groups or Active Directory Groups
Custom Authorization Scripts: JavaScript with access to user, groups, connection, and IP address; the script returns true or false
Email Whitelist / Blacklist: Allow or deny specific email addresses; global or per-identity-provider
Domain Whitelist / Blacklist: Allow or deny email domains with automatic subdomain matching; per-identity-provider
  • Tenant Admin bypass for system clients
  • Subdomain matching is automatic (e.g., example.com also matches sub.example.com)
  • Script context: ctx.secrets.user, ctx.secrets.groups, ctx.secrets.ipAddress, ctx.secrets.connection
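The sequential evaluation described above, as an added example that is not Authifi's own code: each configured restriction is checked in order, the first failure denies, and the failing restriction is reported so the refusal can be explained. The restriction object shape, evaluateRestrictions(), makeCtx() and the sample configuration are assumptions for illustration; the ctx.secrets.* layout follows the page.

```javascript
// Added example, not code from Authifi: a sequential evaluator for the four
// kinds of per-application access restriction listed on the page. Restriction
// shapes, function names and sample values are constructed for illustration.
'use strict';

// Domain rule with automatic subdomain matching:
// "example.com" matches "example.com" and "sub.example.com" but not "notexample.com".
function domainMatches(emailDomain, ruleDomain) {
  const d = emailDomain.toLowerCase();
  const r = ruleDomain.toLowerCase();
  return d === r || d.endsWith('.' + r);
}

function domainOf(email) {
  const at = email.lastIndexOf('@');
  return at === -1 ? '' : email.slice(at + 1);
}

// Each evaluator answers true (pass) or false (deny). For list rules an explicit
// deny entry is checked before the allow list (assumed ordering), so a blocked
// address can never be re-admitted by a broader allow entry.
const evaluators = {
  group: (rule, ctx) => rule.groups.some((g) => ctx.secrets.groups.includes(g)),

  emailList: (rule, ctx) => {
    const email = ctx.secrets.user.email.toLowerCase();
    const deny = (rule.deny || []).map((e) => e.toLowerCase());
    const allow = (rule.allow || []).map((e) => e.toLowerCase());
    if (deny.includes(email)) return false;
    return allow.length === 0 || allow.includes(email);
  },

  domainList: (rule, ctx) => {
    const dom = domainOf(ctx.secrets.user.email);
    if ((rule.deny || []).some((r) => domainMatches(dom, r))) return false;
    const allow = rule.allow || [];
    return allow.length === 0 || allow.some((r) => domainMatches(dom, r));
  },

  // Custom authorization script: receives ctx and must return exactly true.
  // false, a non-boolean result or a thrown error all deny (fail closed).
  script: (rule, ctx) => {
    try {
      return rule.fn(ctx) === true;
    } catch (_) {
      return false;
    }
  },
};

// Sequential evaluation: every configured restriction must pass; the first
// failure denies and is recorded so the refusal can be explained in audit logs.
function evaluateRestrictions(restrictions, ctx) {
  for (const rule of restrictions) {
    const evaluate = evaluators[rule.type];
    if (!evaluate) {
      return { allowed: false, failed: rule.name, reason: 'unknown restriction type' };
    }
    if (!evaluate(rule, ctx)) {
      return { allowed: false, failed: rule.name, reason: 'restriction not satisfied' };
    }
  }
  return { allowed: true, failed: null, reason: null };
}

// Constructed sample configuration for one client (assumed shape).
const sampleRestrictions = [
  { type: 'group', name: 'analysts-only', groups: ['analysts', 'data-stewards'] },
  { type: 'domainList', name: 'corp-domains', allow: ['example.com'], deny: ['contractors.example.com'] },
  { type: 'emailList', name: 'blocked-accounts', deny: ['former.employee@example.com'] },
  { type: 'script', name: 'internal-network', fn: (ctx) => ctx.secrets.ipAddress.startsWith('10.') },
];

// Constructed sample script context in the shape the page describes.
function makeCtx(email, groups, ipAddress) {
  return { secrets: { user: { email }, groups, ipAddress, connection: 'corp-oidc' } };
}
```

Running evaluateRestrictions(sampleRestrictions, makeCtx('ana@research.example.com', ['analysts'], '10.1.2.3')) allows; the same user from 203.0.113.7 fails at internal-network, and anyone at contractors.example.com fails at corp-domains even though example.com is allowed, because the deny entry is consulted first.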

Secret Management — Vault · Passbolt · Local

Backend: Description
HashiCorp Vault: Enterprise secret storage with transit encryption and key rotation
Passbolt: Collaborative password manager with team secret sharing
Local (JWE): Database-backed storage with JWE encryption and per-tenant/per-user keys
  • User, Tenant, and System ownership levels
  • Encryption key rotation per user or tenant
  • Secret sharing across tenants (system tenant only)
  • Sensitive vs. non-sensitive classification
  • Optional expiration dates on secrets
  • Fine-grained REST API permission scopes
  • SSH key storage and management
  • Secrets masked in UI by default
  • PEM format certificate management
  • Certificate expiration tracking

Machine Identity & NHE Delegation Tokens — AI & Automation Ready

Non-Human Entities (NHEs) are registered automated actors — LLM agents, pipelines, and daemons — that receive short-lived tokens delegated from a user session.

  • Register NHEs with identifiers and delegation policies
  • OAuth 2.0 Token Exchange (RFC 8693) delegation
  • act claim for delegation traceability
  • IETF AAP draft agent structured claim
  • Scope downscoping — cannot exceed user's permissions
  • Configurable short lifetimes (default 5 minutes)
  • Full audit trail under delegating user's identity
  • Per-tenant and per-client enable/disable controls
  • Dedicated NHE audit log API

GA4GH Passport & Research Identity

Full implementation of GA4GH Passport v1 and the AAI OpenID Connect Profile for biomedical research identity. Enables controlled-access data authorization across institutions.

  • Visa signing with tenant RSA keys
  • Passport assembly in OIDC token exchange
  • Linked Identities visas from federated logins
  • ORCID researcher identity integration
  • External visa ingestion from Passport Brokers
  • Visa policy enforcement (allOf / anyOf)
  • Trusted Issuer Registry with JWKS URIs
  • TTL-based JWKS caching
  • Filtering on the visa "by" claim (dac, system, self, peer)
  • Automatic expiry and revocation enforcement

User Self-Service & GDPR Compliance

  • Secure email-based password reset
  • Email verification for new accounts, MFA sign-in, and tenant creation
  • TOTP self-enrollment and management
  • WebAuthn credential self-registration
  • Trusted device management and removal
  • Profile and linked identity management
  • Current session details (remaining lifetimes; session termination is an admin operation)
GDPR Art. 17 Account Erasure
  • Requires authenticated session + recent MFA verification + email confirmation
  • Immediately revokes all sessions, tokens, and trusted devices
  • Background job purges all personal data — idempotent, 5 retries with exponential backoff
  • Audit logs and sign-in events preserved for legal compliance (Art. 17(3)(e))
  • CI-enforced coverage: every user-referencing column must declare purge / preserve / anonymize / cascade

Access Request Workflows

  • Self-service access request submission
  • Approval workflows with email notifications
  • Handlebars-based email and HTML templates
  • Audit history per request
  • REST API for submission and approval
  • Configurable approver groups, approval count, email confirmation, and templates
  • Developer extension point (override ACCESS_REQUEST_SERVICE) for custom approval logic

Access Lifecycle Management

  • Automated Inactive User Removal — configurable inactivity thresholds trigger group removal via scheduled jobs
  • Group Membership Expiration — memberships carry expiration dates with configurable warning periods
  • Warning Periods — notify users before access is removed; configurable warning lead time
  • Configurable Activity Thresholds — job-level options (maxDaysSinceLastLogin, maxDaysNeverLoggedIn, warningPeriod) per tenant
  • Email Notifications — automated alerts for expiring group memberships and upcoming removals
  • Scheduled Lifecycle Jobs — QuickJS job scripts for periodic access hygiene

Audit Logging & Compliance

  • Comprehensive audit trail for all auth & authz events
  • Database-backed audit log with chaining
  • Audit chain integrity verification & signing-key rotation (Super Admin only)
  • Email notification log
  • Login event history
  • NHE token audit log
  • Upload operation audit logs
  • OWASP C10-compliant error handling
  • GDPR Art. 17 preserved legal records
  • FedRAMP High security controls
  • Configurable NHE token audit retention; audit-log archival jobs
  • OpenTelemetry metrics integration (Prometheus)

Usage Reporting

  • Login event tracking — success/failure metrics per user, client, and IdP
  • CLI usage reports (auth-cli report usage) — console output or emailed HTML
  • Daily unique user counts and activity summaries
  • Client-specific usage analytics
  • Identity provider usage tracking
  • Custom report templates via QuickJS job scripts
  • Login analytics REST API for programmatic access
  • Visual analytics dashboard in Admin UI

Customization, Templating & Branding

  • Login Page Templates — per-tenant and per-client branded pages
  • Error Page Templates — custom error page rendering
  • Email Templates — Handlebars HTML with variable substitution
  • HTML Templates — general templating with version history
  • Landing Page Templates — configurable landing pages
  • Tenant Branding — upload logos and background images per tenant
  • Image Caching — ETag-based caching for performance
  • FedRAMP Upload Controls — centralized upload authorization (enabled/disabled, admin-only modes)
  • System Template Management (Super Admin or delegated)
  • Template version history

Security Controls

Input Validation

AJV schema validation with custom validators and URI format checks on URL fields.

OWASP C10 Error Handling

Generic user-facing messages with unique error IDs. No stack traces to clients.

Secrets Encryption at Rest

All secrets encrypted with JWE. Key rotation per user and per tenant.

Fail-Closed Trusted IdP

Super Admin authorization requires a trusted IdP claim. Tokens without the claim are denied — no issuer-based fallback.
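The difference between a fail-closed check and an issuer-based fallback, as an added example that is not Authifi's code. The claim names (trusted_idp, roles), the trusted-issuer list and the sample tokens are assumptions; the weak variant is shown only to make the contrast visible.

```javascript
// Added example, not code from Authifi: the fail-closed trusted-IdP check beside
// the issuer-fallback variant it replaces. Claim names, issuer list and sample
// tokens are constructed for illustration.
'use strict';

const TRUSTED_ISSUERS = new Set(['https://idp.corp.example.test']); // constructed

// Weak variant: when the claim is absent, fall back to "is the issuer on my list?".
// A token from a listed issuer that was never marked trusted, or a misconfigured
// IdP that drops the claim, is still granted Super Admin.
function isSuperAdminWithFallback(claims) {
  if (!Array.isArray(claims.roles) || !claims.roles.includes('super-admin')) return false;
  if (claims.trusted_idp === true) return true;
  return TRUSTED_ISSUERS.has(claims.iss);
}

// Fail-closed variant: the trusted-IdP claim must be present and exactly boolean true.
// Absent, null, the string "true" or any other value denies; the issuer is never consulted.
function isSuperAdminFailClosed(claims) {
  if (!Array.isArray(claims.roles) || !claims.roles.includes('super-admin')) return false;
  return claims.trusted_idp === true;
}

// Constructed sample tokens (claims only; signature validation is assumed done earlier).
const sampleTokens = {
  trusted:      { iss: 'https://idp.corp.example.test', roles: ['super-admin'], trusted_idp: true },
  claimMissing: { iss: 'https://idp.corp.example.test', roles: ['super-admin'] },
  stringTrue:   { iss: 'https://idp.corp.example.test', roles: ['super-admin'], trusted_idp: 'true' },
  notAdmin:     { iss: 'https://idp.corp.example.test', roles: ['user'], trusted_idp: true },
  otherIssuer:  { iss: 'https://idp.partner.example.test', roles: ['super-admin'] },
};

// Evaluate every sample under both policies so the divergence is visible in one table.
function compare() {
  const out = {};
  for (const [name, claims] of Object.entries(sampleTokens)) {
    out[name] = { fallback: isSuperAdminWithFallback(claims), failClosed: isSuperAdminFailClosed(claims) };
  }
  return out;
}
```

compare() shows the two policies agreeing on the clearly trusted and clearly unauthorised tokens and disagreeing on claimMissing and stringTrue: the fallback grants both because the issuer is listed, the fail-closed check denies both.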

Rate Limiting

Configurable per-endpoint rate limiting to mitigate brute-force and credential stuffing.

CORS & CSP

Configurable allowed origins per tenant (global and tenant-scoped). Helmet-based CSP with a violation report endpoint. Anti-caching headers on sensitive pages.

SAST & Antivirus

CodeQL static analysis in CI/CD. ClamAV for file upload scanning with graceful degradation and TLS proxy support.

TOCTOU Mitigations

Race condition vulnerability tracking and systematic fixes across authentication-critical code paths.

TLS Everywhere

SSL/TLS for database (including RDS profiles), Redis, and antivirus daemon connections.

Developer Experience & Integrations

APIs & Documentation
  • Full OpenAPI / Swagger documentation at /docs
  • REST APIs for all management operations
  • Public API endpoint catalog
Client Libraries
  • Angular — OIDC client, RBAC directives, advanced search, generated API client
  • React — generated TypeScript API client
  • Node.js — middleware package for protecting backend API services
Command-Line Interface (CLI)
  • Tenant, client, and identity provider import/export
  • User create, update, delete, and list operations
  • Secret management (create, view, update, delete)
  • Session listing and revocation
  • SSH key management
  • Usage report generation
  • Email sending via CLI
  • Health checks and diagnostics
  • PKCE challenge generation for OAuth flows
  • Scripted administrative tasks and CI/CD integration
Third-Party Integrations
  • Azure Active Directory (OIDC + SAML + WSFed)
  • Google / GSuite (with account-switch flow)
  • ORCID researcher identity
  • HashiCorp Vault
  • Passbolt password manager
  • Grafana (built-in reverse proxy + Authifi auth)
  • UMRS account state synchronization
  • ClamAV antivirus

Deployment & Infrastructure

High Availability
  • Redis-based session clustering with mutex operations for multi-instance deployments
  • Concurrent session management with cluster-safe mutex
Infrastructure
  • Docker containerized deployment
  • MariaDB / MySQL with connection pooling and SSL
  • Redis session and cache storage
  • Amazon RDS built-in SSL profiles
  • Liquibase-based migrations (Flyway also supported)
  • CI-enforced migration integrity testing
  • Multi-environment JSON + env var configuration
  • OpenTelemetry metrics export (Prometheus)
  • Prometheus metrics scrape endpoint
  • Live and protected health check endpoints
  • License management & enforcement
  • Per-tenant certificate management API

Standards Compliance

OAuth 2.0
RFC 6749

Authorization Code, Client Credentials, Refresh Token, Implicit flows

Token Exchange
RFC 8693

Delegation tokens for NHE / AI agent use cases

DPoP
RFC 9449

Proof-of-possession token binding for enhanced client security

OIDC
OpenID Connect 1.0

OIDC Core, OIDC Discovery; per-tenant .well-known endpoints

SAML 2.0
OASIS SAML 2.0

SP and IdP modes; HTTP-POST and HTTP-Redirect bindings; Single Logout (SLO)

WS-Federation
WS-Fed 1.2

Passive requestor profile; ADFS and SharePoint integration

FIDO2
W3C WebAuthn Level 2

Hardware security keys and biometric authenticators; CTAP2

TOTP
RFC 6238

Time-based One-Time Password standard (authenticator apps)

GA4GH
GA4GH Passport v1

AAI OpenID Connect Profile; visa issuance and validation for biomedical research

GDPR
GDPR Art. 17

Right to erasure with CI-enforced data coverage across all user-referencing tables

OWASP
OWASP C10

Secure error handling — generic messages, unique error IDs, detailed internal logs

FedRAMP
FedRAMP High (PFCS-SS)

Authorized as a supporting service within the Palantir Federal Cloud Service (FR2315464863) — Class D, Rev5