Identity & SSO
EUnifyer ships with a built-in enterprise identity provider. Every service in the platform (Drive, Mail, Chat, Calendar, Contacts, Office, Meet, Sites) authenticates through the same identity layer, so a user signs in once and reaches everything.
You do not need to install or license a separate identity product to run EUnifyer in production.
Capability matrix
We split capabilities into two columns so you can see at a glance what’s available as a protocol versus what’s currently exposed in the admin UI.
| Capability | Engine | Admin UI |
|---|---|---|
| OpenID Connect 1.0 (as a provider) | ✓ | ✓: register downstream apps under Identity → Applications |
| SAML 2.0 (as a provider and consumer) | ✓ | ✓ |
| OAuth 2.0 authorisation server | ✓ | ✓: via Applications |
| Inbound federation to Entra ID / Okta / Google / generic OIDC / SAML | ✓ | ✓: Identity → Single Sign-On |
| Inbound SCIM 2.0 provisioning (Users + Groups, PATCH, Bulk, filter grammar) | ✓ | ✓: Identity → SCIM provisioning + SCIM groups |
| Multi-factor authentication (TOTP) | ✓ | ✓: per-organisation toggle |
| Multi-factor authentication (passkeys / FIDO2 / WebAuthn) | ✓ | ○ Not yet surfaced in the admin UI; tracked in our parity roadmap |
| Manual user invitation | ✓ | ✓: Admin → Users → Invite User |
| Bulk user invitation (CSV) | ✓ | ✓: Admin → Users → Bulk import |
| Role-based access control (RBAC) | ✓ | ✓: Admin → Roles |
| SCIM-managed roles (admin-attached permissions, IdP-driven membership) | ✓ | ✓: Roles table shows a “SCIM” badge |
| User self-service (profile, password, sessions) | ✓ | ✓: Account settings |
| Admin user lifecycle (provision, suspend, reactivate, delete) | ✓ | ✓: row actions on the Users page |
| Force sign-out of all sessions | ✓ | ✓: row action |
| Last sign-in / last activity visibility | ✓ | ✓: Edit User dialog |
| Effective-permissions preview | ✓ | ✓: Edit User dialog |
| Per-token rate limiting on SCIM | ✓ | (operational, not user-facing) |
| Audit logging of authentication events | ✓ | ✓: Admin → Audit Log, with a “SCIM activity” quick-filter |
| Branded login pages (logo, colours, custom domain) | ✓ | ✓: Admin → Settings → Branding |
| Organisation isolation (multi-tenant) | ✓ | ✓: every operation is org-scoped |
Two integration directions, two roster strategies
EUnifyer’s identity layer works in two directions:
- EUnifyer as identity provider: your other applications (education portals, BI tools, line-of-business apps) authenticate against EUnifyer. One login, one user database, one MFA policy. Register apps under Identity → Applications (Outbound).
- EUnifyer as identity broker: your existing Entra ID or Google Workspace stays the source of truth. Users sign in with the credentials they already have. Configure under Identity → Single Sign-On (Inbound).
And two ways to manage the user roster:
- Federation only (SSO): users land in EUnifyer the first time they sign in. Simple, but offboarding takes effect at next token refresh (~minutes for federated users) and group/department changes lag until next sign-in.
- SCIM provisioning: your IdP pushes user lifecycle changes (create, update, suspend, delete) continuously, independent of sign-in. Offboarded users lose access within minutes of HR closing the record. Org chart and group membership stay in sync. Configure under Identity → SCIM provisioning (Inbound). See SCIM 2.0 provisioning.
Most enterprises use federation + SCIM together: federation for sign-in convenience, SCIM for roster correctness and offboarding speed.
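What a SCIM-driven offboarding looks like on the receiving side, as an added example (not EUnifyer's code): a minimal handler for an RFC 7644 PatchOp that sets `active` to false and clears sessions immediately rather than waiting for the next token refresh. The user record layout, `new_user` and the sample messages are assumptions constructed for illustration; the handler accepts the explicit-path and path-less forms and tolerates a capitalised `op` and string booleans, which some IdP clients send.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"  # RFC 7644

def _as_bool(value):
    # Some SCIM clients send booleans as strings ("False"); normalise them.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"not a boolean: {value!r}")

def apply_patch(user, body):
    """Apply 'active' changes from a PatchOp; return True if the user was deactivated."""
    msg = json.loads(body)
    if PATCH_SCHEMA not in msg.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    was_active = user["active"]
    for op in msg.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            continue  # this sketch handles only 'replace'
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict) and "active" in value:
            user["active"] = _as_bool(value["active"])  # path-less form
        elif isinstance(path, str) and path.lower() == "active":
            user["active"] = _as_bool(value)  # explicit-path form
    deactivated = was_active and not user["active"]
    if deactivated:
        user["sessions"].clear()  # revoke now, do not wait for token refresh
    return deactivated

def new_user():
    # Hypothetical local record; field names are assumptions for this example.
    return {"userName": "alice@example.test", "active": True, "sessions": ["s1", "s2"]}

# Constructed sample messages (not captured from any IdP).
WITH_PATH = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "path": "active", "value": "False"}]})
PATHLESS = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "value": {"active": False}}]})

if __name__ == "__main__":
    for body in (WITH_PATH, PATHLESS):
        user = new_user()
        print(apply_patch(user, body), user)
```

A handler that only matches lowercase `replace` or native JSON booleans would silently ignore the first message and leave the offboarded account active, so both shapes are worth covering in integration tests.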
What this means for buyers
| Question we hear | Short answer |
|---|---|
| “Can it integrate with our existing Active Directory / Entra ID?” | Yes, federate as an OIDC or SAML provider, and optionally push the roster via SCIM. See Microsoft Entra ID and SCIM 2.0 provisioning. |
| “Can it act as the IdP for our other apps?” | Yes. Any OIDC- or SAML-capable application can authenticate against EUnifyer. See Register Downstream Applications. |
| “Do we get MFA?” | Yes, TOTP is included and admins can enforce it organisation-wide. Phishing-resistant passkeys are on the roadmap for the admin UI. |
| “Can we bulk-onboard hundreds of users from a spreadsheet?” | Yes. See Bulk Import (CSV). |
| “Procurement requires SCIM 2.0 support, do you pass?” | Yes. Full Users + Groups + PATCH + Bulk + custom-attribute extension URN, plus the admin-side group↔role mapping screen most IdPs require. |
| “What about audit logs?” | Every authentication, federation, password change, role change, SCIM operation, and admin action is logged and searchable. |
| “Is the identity component portable?” | The identity engine and your realm configuration export cleanly as open standards (OIDC / SAML / SCIM); your data is not locked in. |
Next steps
- Bringing your team in? Start with Adding Users.
- Already on Entra ID, Okta, or Google? Federate sign-in: Federate Existing Providers → drop down to Microsoft Entra ID.
- Want the roster to stay in sync automatically? Add SCIM 2.0 provisioning on top of federation.
- Letting another app sign in via EUnifyer? See Register Downstream Applications.
- Looking for confidential email? See Secure Mail (NTA 7516).