Core Features

Identity Broker is built to enable secure, scalable, multi-tenant authentication for modern SaaS platforms.
It abstracts identity provider complexity while remaining fully standards-compliant and enterprise-ready.

The following sections outline the core capabilities of Identity Broker.


1. OpenID Connect (OIDC) Broker

Identity Broker functions as a standards-compliant OpenID Connect (OIDC) Provider, federating authentication to one or more upstream identity providers.

Key capabilities include:

  • Dynamic Provider Selection
    Automatically routes users to the correct identity provider based on configuration and context.

  • Token Translation
    Converts upstream IdP tokens into a consistent token format consumed by your applications.

  • Claims Mapping
    Flexible, configurable attribute mapping from upstream identity providers into application claims.

This allows applications to integrate once with Identity Broker while supporting many identity providers transparently.


2. Account Linking & Identity Consolidation

Identity Broker provides a powerful Account Linking system that enables users to access a single unified account using multiple identity provider identities.

Features include:

  • Canonical User Identities
    Every user is assigned a unique, persistent internal subject identifier (usr_xxxx) that remains constant across all linked IdPs.
  • Auto-Linking Rules
    Administrators can define rules (Exact Email, Domain Match, Regex) to automatically link new IdP identities to existing accounts.
  • Manual Linking
    Admins can manually merge and link identities when automatic rules don't apply.
  • Primary Identity Management
    Users and admins can designate a primary identity for profile information and communications.
  • Identity Unlinking
    Securely remove linked identities with built-in safety checks.

This feature solves the "duplicate account" problem common in multi-IDP environments.
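The rule evaluation described above, as an added example that is not the product's own code: it applies Exact Email, Domain Match and Regex rules in order to an incoming IdP identity and returns a link, create or manual-review decision. The user directory, rule set, the meaning given to each rule type, and the two safety checks (upstream email_verified required, and no second subject from the same IdP on one account) are assumptions for this example.

```python
import re

# Constructed directory of canonical users keyed by usr_ id (not the product's schema):
# each holds its primary email and the (idp -> subject) identities already linked to it.
USERS = {
    "usr_0001": {"email": "alice@companya.com", "links": {"entra-a": "sub-a1"}},
    "usr_0002": {"email": "bob@companyb.com", "links": {"google": "sub-g2"}},
}
# Constructed rule set, evaluated in order; the semantics given to each type are assumptions.
RULES = [
    {"type": "exact_email"},
    {"type": "domain_match", "domains": {"companya.com", "companya.co.uk"}},
    {"type": "regex", "pattern": r"^([^@]+)@legacy\.companyb\.com$", "rewrite": r"\1@companyb.com"},
]

def _norm(email):
    return email.strip().lower()

def _candidate_emails(email, rule):
    """Emails of existing users that this rule treats as the same person as `email`."""
    local, _, domain = email.partition("@")
    if rule["type"] == "exact_email":
        return {email}
    if rule["type"] == "domain_match" and domain in rule["domains"]:
        # Aliased corporate domains: the same local part in any listed domain is one person.
        return {f"{local}@{d}" for d in rule["domains"]}
    if rule["type"] == "regex" and re.match(rule["pattern"], email):
        return {re.sub(rule["pattern"], rule["rewrite"], email)}
    return set()

def resolve_link(identity, users=USERS, rules=RULES):
    """Decide what to do with an incoming IdP identity {idp, sub, email, email_verified}.
    Returns ("link", usr_id), ("create", None) or ("manual", usr_id_or_None)."""
    # Safety check: an email the upstream IdP has not verified must never auto-link.
    if not identity.get("email_verified"):
        return ("manual", None)
    email = _norm(identity["email"])
    for rule in rules:
        wanted = _candidate_emails(email, rule)
        matches = [uid for uid, u in users.items() if _norm(u["email"]) in wanted]
        if len(matches) > 1:
            return ("manual", None)  # ambiguous: several accounts could own this identity
        if matches:
            uid = matches[0]
            existing = users[uid]["links"].get(identity["idp"])
            # Conflict: the account already holds a different subject from this same IdP.
            if existing is not None and existing != identity["sub"]:
                return ("manual", uid)
            return ("link", uid)
    return ("create", None)
```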


3. Home Realm Discovery (HRD)

Identity Broker implements intelligent Home Realm Discovery (HRD) to provide a seamless user experience.

Features include:

  • Email-Based Routing
    Users enter their email address once and are automatically redirected to the correct identity provider.

  • Multi-Domain Support
    A single identity provider can serve multiple email domains.

  • Domain Hint Support
    An optional domain_hint parameter allows applications to bypass discovery and route users directly to their identity provider.

  • Custom Branding
    Fully white-labeled login experience aligned with your product’s branding.

HRD eliminates manual tenant selection and reduces friction during sign-in.


4. OAuth 2.0 On-Behalf-Of (OBO) Delegation

Identity Broker supports the RFC 8693 Token Exchange protocol, specifically optimized for On-Behalf-Of (OBO) scenarios.

Capabilities include:

  • Middle-Tier Delegation
    Enables services (like API Gateways) to exchange a user's access token for a downstream service token.
  • Delegation Relationships
    Fine-grained control over which source clients can request tokens for which target audiences.
  • Scope Downscoping
    Ensures delegated tokens carry no more permissions than the original user token.
  • Token Replay Prevention
    Built-in cache and JTI tracking to prevent assertion token reuse.
  • Actor (act) Claim Support
    Maintains a clear audit trail of the delegation chain within the issued JWT.
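The four checks listed above, as an added example that is not the product's own code: one RFC 8693 exchange that enforces the delegation relationship, downscopes to the intersection of what the user holds and what the relationship permits, rejects a replayed subject token by its jti, and nests the act claim so each hop of the chain stays visible. The client and audience names, the scope strings, the in-memory replay cache and the 300-second lifetime cap are assumptions.

```python
import secrets
import time

# Constructed delegation relationships: (source client, target audience) -> delegable scopes.
DELEGATIONS = {
    ("api-gateway", "orders-api"): {"orders:read", "orders:write", "billing:read"},
    ("orders-api", "billing-api"): {"billing:read"},
}

class ReplayCache:
    """In-memory JTI tracker standing in for the product's replay cache."""
    def __init__(self):
        self._seen = {}  # jti -> exp of the consumed subject token
    def consume(self, jti, exp, now):
        """Return True the first time a jti is seen, False on any reuse until it expires."""
        self._seen = {j: e for j, e in self._seen.items() if e > now}  # drop expired entries
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True

def exchange(subject_token, actor_client, audience, requested_scope, cache, now=None):
    """Validate an OBO request for the authenticated actor_client and build the delegated
    token's claims; raises ValueError with an OAuth-style error code on any violation."""
    now = time.time() if now is None else now
    if subject_token["exp"] <= now:
        raise ValueError("invalid_grant: subject token expired")
    if not cache.consume(subject_token["jti"], subject_token["exp"], now):
        raise ValueError("invalid_grant: subject token already exchanged")
    allowed = DELEGATIONS.get((actor_client, audience))
    if allowed is None:
        raise ValueError("invalid_target: no delegation relationship for this client and audience")
    held = set(subject_token["scope"].split())
    requested = set(requested_scope.split()) if requested_scope else held
    # Downscoping: grant only what the user already holds AND the relationship permits.
    granted = requested & held & allowed
    if not granted:
        raise ValueError("invalid_scope: nothing requested is delegable")
    # act claim: the new actor wraps the previous delegation chain (RFC 8693 section 4.1).
    act = {"sub": actor_client}
    if "act" in subject_token:
        act["act"] = subject_token["act"]
    return {
        "sub": subject_token["sub"], "aud": audience,  # the end user never changes along the chain
        "scope": " ".join(sorted(granted)),
        "act": act,
        "exp": min(subject_token["exp"], now + 300), "jti": secrets.token_urlsafe(16),
    }
```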

5. SAML 2.0 Identity Provider (IdP) Support

In addition to OIDC, Identity Broker can act as a SAML 2.0 Identity Provider, enabling authentication for legacy enterprise applications.

Features include:

  • SAML Assertions
    Generate secure SAML 2.0 assertions for Relying Parties.
  • Metadata Management
    Easy exchange of IdP and SP metadata.
  • Configurable NameID
    Support for persistent, email, and transient NameID formats.
  • Protocol Translation
    Authenticate users via OIDC upstream and issue SAML assertions downstream (and vice versa).

6. Multi-Tenant Microsoft Entra ID Federation

Identity Broker enables the multi-tenant Entra ID scenario that Microsoft does not natively support.

Capabilities include:

  • Federation with multiple Microsoft Entra ID tenants (Tenant A, B, C, etc.)
  • Each tenant configured as an independent OIDC connection
  • Domain-based tenant routing, for example:
    • user@companya.com → Tenant A
    • user@companyb.com → Tenant B
  • Seamless user experience with automatic tenant detection

This enables true SaaS-scale B2B authentication without Microsoft’s native limitations.


7. Unified Integration System

Identity Broker features a modular, pluggable integration system for third-party services.

Supported Integration Categories:

  • Messaging: Twilio (SMS/WhatsApp), AWS SNS, SMTP, SendGrid.
  • Security: reCAPTCHA, Cloudflare Turnstile, Arkose Labs.
  • Identity: Face Verification, Threat Intelligence, NVD CVE lookups.
  • Operations: Webhooks, Ticketing systems (Jira, ServiceNow), Custom logging.

Administrators can configure these "Providers" once and use them across different user journeys and security policies.


8. Universal Identity Provider Support

Identity Broker supports integration with any standards-compliant OIDC or OAuth 2.0 provider, including:

  • Microsoft: Entra ID, Azure AD B2C
  • Google: Google Workspace, Gmail
  • Enterprise IAM: Okta, Auth0, Ping Identity, ForgeRock
  • Developer & Social: GitHub, GitLab, Facebook
  • Custom Providers: Any OIDC-compliant identity provider

This flexibility ensures Identity Broker fits seamlessly into heterogeneous enterprise environments.


9. Enterprise Secret Management

Client secrets and credentials are handled with enterprise-grade security controls.

Supported secret backends include:

  • Local Encryption
    AES-256 encrypted secrets with a configurable master key.

  • HashiCorp Vault
    Integration using the Transit engine for encryption-as-a-service.

  • AWS Secrets Manager
    Native support for AWS-managed secrets.

  • Azure Key Vault
    Secure secret storage within Azure environments.

  • Secret Rotation Support
    Update credentials without downtime or service interruption.


10. Comprehensive Audit & Monitoring

Identity Broker provides deep visibility into authentication and administrative activity.

Key features:

  • Sign-In Logs
    Track every authentication attempt with full contextual information.
  • Account Linking Audit
    Detailed records of identity linking, unlinking, and matching events.
  • OBO Exchange History
    Monitor token delegation activities between services.
  • Admin Activity Logs
    Record all configuration changes and administrative actions.
  • SIEM Integration
    File-based logs compatible with standard log shippers and SIEM platforms.

11. Admin Console & User Portal

Modern, React 19-based interfaces for administrators and end-users.

  • Admin Console: Guided wizards for IdP/RP setup, branding, and security policies.
  • User Portal: Self-service profile management, MFA setup, and linked identity overview.
  • Live Preview: Real-time branding and UI customization with instant feedback.
  • Interactive Flow Designer: (Beta) Visually configure authentication and registration journeys.

12. Production-Ready Architecture

Identity Broker is designed for reliability, scalability, and operational simplicity.

Key architectural features:

  • SQLite, PostgreSQL and MySQL Support
    Flexible persistence options for different deployment scales.
  • Optional Redis Integration
    External session storage for horizontal scaling.
  • JWT Signing
    RSA key pairs with a standard JWKS endpoint.
  • Health & Readiness Checks
    Actuator endpoints for monitoring and orchestration platforms.

Identity Broker is ready for local development, containerized workloads, and cloud-native production deployments.