Federation & SSO

Tetrapus ships a complete enterprise identity surface: SAML 2.0 service provider, OpenID Connect relying party and OpenID Provider, SCIM 2.0 directory sync, WebAuthn passkeys, and PIV/CAC smart card binding. Pre-tested against Okta, Azure AD, ADFS, Keycloak, Ping Identity, and Google Workspace.

Where each surface fits

Tetrapus plays three roles in the federation taxonomy: service consumer (SAML SP, OIDC RP), identity issuer (OIDC OP), and policy enforcer (SCIM target, WebAuthn challenger, smart card binder). All three can coexist within a single Org.

```mermaid
graph LR
    IDP["Enterprise IdP\n(Okta / Azure AD / ADFS)"] -->|SAML AuthnResponse| DM_SAML["Tetrapus SAML SP"]
    IDP -->|OIDC id_token| DM_RP["Tetrapus OIDC RP"]
    IDP -->|SCIM /Users /Groups| DM_SCIM["Tetrapus SCIM Server"]
    DM_SAML --> SESSION["Tetrapus Session"]
    DM_RP --> SESSION
    DM_SCIM --> DIR["User + Group Directory"]
    SESSION --> APP["Tetrapus UI / API"]
    PARTNER["Partner App\n(third-party)"] -->|OIDC authorize| DM_OP["Tetrapus OIDC OP"]
    DM_OP -->|id_token| PARTNER
    HW["YubiKey / CAC / TPM"] -->|WebAuthn ceremony| SESSION
    HW -->|PKCS#11 mTLS| GW["tetrapus-gateway"]
    GW -->|subject DN POST| SESSION
```

Supported Identity Providers

- Okta
- Microsoft Entra ID (Azure AD)
- Active Directory Federation Services (ADFS)
- Keycloak
- Ping Identity
- Google Workspace

Any standards-compliant SAML 2.0 IdP or OIDC provider will work — the list above is the matrix we test against in CI. For custom or self-hosted IdPs, see the SAML or OIDC consumer pages.

Multi-tenant scoping

Every federation primitive is scoped to an Org. A single Tetrapus cluster hosts unrelated tenants whose IdPs, SCIM bearer tokens, OIDC OP clients, smart card bindings, and WebAuthn credentials never cross. Tables enforce this with a non-null org_id foreign key and unique-by-Org indices on logical names.
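The scoping rule above, shown as an added example that is not Tetrapus code: one assumed table (saml_idps, with assumed column names) carries the non-null org_id foreign key and the unique-by-Org index on its logical name, so the same name is accepted in two Orgs, rejected twice in one, and every lookup is keyed by (org_id, name).

```python
import sqlite3

# Added example, not Tetrapus code: the per-Org scoping rule from the page
# (non-null org_id foreign key plus unique-by-Org index on the logical name)
# applied to one assumed table, saml_idps. Table/column names are assumptions.
SCHEMA = """
CREATE TABLE orgs (id INTEGER PRIMARY KEY, slug TEXT NOT NULL UNIQUE);
CREATE TABLE saml_idps (
    org_id   INTEGER NOT NULL REFERENCES orgs(id),
    name     TEXT    NOT NULL,
    metadata TEXT    NOT NULL,
    UNIQUE (org_id, name)   -- same name may exist in two Orgs, never twice in one
);
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO orgs (id, slug) VALUES (?, ?)", [(1, "acme"), (2, "globex")])
    conn.commit()
    return conn

def add_saml_idp(conn, org_id, name, metadata) -> bool:
    """Insert an IdP config; False when the scoping constraints reject it."""
    try:
        with conn:  # commits on success, rolls back on IntegrityError
            conn.execute("INSERT INTO saml_idps (org_id, name, metadata) VALUES (?, ?, ?)",
                         (org_id, name, metadata))
        return True
    except sqlite3.IntegrityError:
        return False

def find_saml_idp(conn, org_id, name):
    """Lookups are always keyed by (org_id, name); a bare name is never a key."""
    row = conn.execute("SELECT metadata FROM saml_idps WHERE org_id = ? AND name = ?",
                       (org_id, name)).fetchone()
    return row[0] if row else None

def demo() -> dict:
    conn = open_db()
    return {
        "acme_ok": add_saml_idp(conn, 1, "okta-prod", "<acme>"),
        "globex_same_name_ok": add_saml_idp(conn, 2, "okta-prod", "<globex>"),  # other Org
        "acme_dup_rejected": not add_saml_idp(conn, 1, "okta-prod", "<dup>"),   # same Org
        "null_org_rejected": not add_saml_idp(conn, None, "orphan", "<x>"),     # NOT NULL
        "unknown_org_rejected": not add_saml_idp(conn, 99, "orphan", "<x>"),    # FK
        "globex_isolated": find_saml_idp(conn, 2, "okta-prod") == "<globex>",
    }
```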

Questions?

Reach out for help with integration, deployment, or custom domain codecs.