One identity surface.
Users, agents, clients.

AIOP ships with a complete identity provider — full OAuth 2.1, OpenID Connect, MFA and passkeys — and federates cleanly with the IdPs you already run. The same scope system governs human users, AI agents and the clients that talk to your APIs. SSO, role-based access and named-human attestation work the same regardless of where authentication actually lives.

Protocols: OAuth 2.1 · OIDC · SAML 2.0
Federation: EntraID · Okta · Keycloak · others
Synchronisation: SCIM with automatic role mapping
Coverage: Users · agents · clients
Capabilities

Four things you get out of the box.

01. A full IdP, ready to deploy.

AIOP includes a production-grade identity provider with OAuth 2.1, OpenID Connect, SAML 2.0, MFA (TOTP and WebAuthn) and passkey support. Stand up authenticated workloads on day one — no separate IdP procurement, no extra vendor in the contract.

02. Federation with what you already have.

Already running EntraID, Okta, Keycloak or another OIDC- or SAML-capable provider? AIOP federates with it. Group claims map to AIOP roles automatically; SCIM keeps users, attributes and assignments in sync — no shadow directory, no manual provisioning.

03. One scope system for users and agents.

The same fine-grained role and permission model that controls what your people can see also controls what your agents can do. Every scope defines exactly which data, which steps and which integrations a session — human or agentic — is allowed to reach.

04. Authenticate every client through one IdP.

Desktop apps, mobile devices, portals and micro-frontends sign in through AIOP over OAuth 2.1. The same APIs they consume afterwards are gated by the same identity — internal and external surfaces under one contract, no second authentication system to maintain.

Where it fits

Three deployment patterns.

  1. Greenfield (no existing IdP)

    Use AIOP's identity provider as your primary IdP. Self-service onboarding, MFA enforced, passkeys for staff. You ship without procuring a separate identity vendor.

  2. Federated (plug into EntraID, Okta or Keycloak)

    Your existing IdP stays the source of truth. AIOP federates over OIDC or SAML; group claims map to AIOP roles automatically, SCIM keeps everything in sync. No user migration, no shadow directory.

  3. Multi-client (desktop, mobile and micro-frontends)

    Authenticate every client surface — internal portal, partner portal, mobile app, micro-frontend — through one IdP. OAuth 2.1 across the board; the APIs they reach afterwards inherit the same identity.

One scope system

Same access rules. People, agents, everything in between.

When an agent acts on your behalf, it should be governed by the same role and permission system that controls your teams. No second access model, no parallel admin surface — the scopes you define for people apply, unchanged, to every agent that runs inside the platform.
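The two mechanisms this page describes in prose, mapping a federated IdP's group claim onto platform roles (capability 02) and applying one scope model to a human session and to an agent acting on that human's behalf (capability 03 and this section), as an added example. This is illustrative code, not AIOP's implementation: the tenant-to-issuer table, group names, role names and scope strings are constructed, and the claims are assumed to come from an ID token whose signature, audience and expiry have already been verified upstream.

```python
"""Hypothetical claim-to-role mapping and scope evaluation (illustrative, not AIOP's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed per-tenant IdP routing: each tenant trusts exactly one issuer.
TRUSTED_ISSUERS = {
    "acme": "https://login.example.test/acme",
    "globex": "https://sso.example.test/globex",
}

# Constructed mapping from IdP group names to platform roles.
# Groups with no entry are ignored rather than auto-granted.
GROUP_TO_ROLE = {
    "sg-finance-analysts": "finance.analyst",
    "sg-platform-admins": "platform.admin",
}

# Constructed role -> scope table. A scope names the data, step or
# integration a session may reach; "<category>:*" is a wildcard.
ROLE_SCOPES = {
    "finance.analyst": {"data:ledger.read", "step:report.generate", "integration:erp.read"},
    "platform.admin": {"data:*", "step:*", "integration:*"},
}


@dataclass(frozen=True)
class Session:
    subject: str                      # authenticated subject (user or agent id)
    kind: str                         # "human" or "agent"
    roles: frozenset
    on_behalf_of: Optional[str] = None  # for agents: the human they act for


def roles_from_claims(claims: dict) -> frozenset:
    """Map the 'groups' claim onto platform roles; unknown groups map to nothing."""
    groups = claims.get("groups", [])
    if not isinstance(groups, list):
        raise ValueError("groups claim must be a list")
    return frozenset(GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE)


def session_from_claims(tenant: str, claims: dict) -> Session:
    """Build a human session from already-verified ID token claims.

    The issuer must be the one configured for the tenant: a valid token from
    another tenant's IdP is not a valid login here.
    """
    expected_iss = TRUSTED_ISSUERS.get(tenant)
    if expected_iss is None or claims.get("iss") != expected_iss:
        raise ValueError("issuer not trusted for tenant %r" % tenant)
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return Session(subject=claims["sub"], kind="human", roles=roles_from_claims(claims))


def agent_session(parent: Session, agent_id: str) -> Session:
    """An agent acting for a human inherits that human's roles unchanged.

    There is no separate agent access model: the agent can reach exactly what
    the human could, and the delegation is recorded in on_behalf_of.
    """
    if parent.kind != "human":
        raise ValueError("agents may only be delegated from a human session")
    return Session(subject=agent_id, kind="agent", roles=parent.roles, on_behalf_of=parent.subject)


def scopes_for(session: Session) -> set:
    """Union of the scopes granted by every role on the session."""
    granted = set()
    for role in session.roles:
        granted |= ROLE_SCOPES.get(role, set())
    return granted


def _scope_matches(granted: str, requested: str) -> bool:
    if granted == requested:
        return True
    category, _, name = granted.partition(":")
    return name == "*" and requested.startswith(category + ":")


def is_allowed(session: Session, requested: str) -> bool:
    """True if any granted scope covers the requested one. Same rule for humans and agents."""
    return any(_scope_matches(g, requested) for g in scopes_for(session))


if __name__ == "__main__":
    # Constructed claims as they might arrive from a federated IdP for tenant "acme".
    claims = {"iss": "https://login.example.test/acme", "sub": "alice",
              "groups": ["sg-finance-analysts", "sg-unmapped-group"]}
    alice = session_from_claims("acme", claims)
    bot = agent_session(alice, "report-agent-7")
    for s in (alice, bot):
        print(s.kind, s.subject, "ledger.read ->", is_allowed(s, "data:ledger.read"),
              "ledger.write ->", is_allowed(s, "data:ledger.write"))
```

The deliberate choices are the ones a reviewer would look for: unmapped groups grant nothing, the issuer is checked against the tenant's configured IdP before any role is derived, and the agent session carries the human's roles verbatim plus an `on_behalf_of` field so an audit record can attribute the agent's actions to the person who delegated them.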

Built on AIOP

Identity is a primitive, not an add-on.

Identity sits at Layer 2 of the eight-layer architecture. Every signal carries the authenticated subject; every consequential action requires an attested identity to proceed. Whether the subject came from AIOP's IdP or a federated provider, the downstream contract is identical.

  • OAuth 2.1 + OpenID Connect compliant.
  • SAML 2.0 federation for established IdPs.
  • WebAuthn and passkey support out of the box.
  • SCIM-based user, attribute and role synchronisation.
  • Per-tenant multi-IdP routing — different organisations, different identity sources.
  • All sign-in, sign-out and step-up events captured in the Audit Stream.
  • Sovereign deployments keep identity data inside your perimeter.

Talk through your identity setup.

Tell us what you run today — EntraID, Okta, Keycloak, something else, or nothing yet. We'll show the cleanest path to authenticated AIOP, including the client and agent flows.