Your identity provider, your rules
Connect LynxTrac to the directory your company already runs over SAML 2.0 or OpenID Connect, with SCIM provisioning, RBAC, and MFA on top. Available on the Enterprise plan.
Two protocols, no detours
SAML 2.0
Sign in through your existing SAML identity provider. We validate the signed assertion that comes back and guard against replay by tracking the InResponseTo token across load-balanced nodes. AuthnRequests are signed too when you supply a service-provider key.
OpenID Connect
Prefer OIDC? The flow uses PKCE, validates state and nonce on every callback, and lets you set the scopes your provider expects. Duplicate callbacks resolve to the same result rather than erroring.
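The checks listed above, written out as a minimal server-side flow, are shown below as an added example; it is not LynxTrac's code, and the names `AuthFlowStore`, `SimulatedIdP` and `run_login` are invented for it. The IdP's token endpoint is simulated in-process and ID-token signature verification is left out, so the example isolates the three things the paragraph names: a PKCE verifier that never leaves the server, a single-use `state` with a server-side `nonce` check, and a replayed callback that returns the original result instead of an error.

```python
"""Added example (not LynxTrac code): OIDC authorization-code login with PKCE,
server-side state/nonce validation, and idempotent duplicate callbacks."""
import base64
import hashlib
import secrets
import time

FLOW_TTL_SECONDS = 300  # a login that is not completed within 5 minutes is abandoned


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge from RFC 7636: BASE64URL(SHA-256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthFlowStore:
    """Server-side record of pending and finished logins, keyed by the opaque state.

    Hypothetical design: in production this sits in a store shared by every node,
    so a callback can land on a different node than the one that began the flow."""

    def __init__(self):
        self._pending = {}    # state -> flow details, removed on first use
        self._completed = {}  # state -> result, so a replayed callback is idempotent

    def begin(self, tenant: str) -> dict:
        """Create the values the browser carries to the IdP's authorize endpoint."""
        verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43..128 range
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[state] = {"tenant": tenant, "nonce": nonce, "verifier": verifier,
                                "expires_at": time.time() + FLOW_TTL_SECONDS}
        return {"state": state, "nonce": nonce,
                "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}

    def complete(self, state: str, code: str, exchange_code) -> dict:
        """Handle the redirect back from the IdP.

        exchange_code(code, verifier) performs the token-endpoint call and returns
        the verified ID-token claims; the caller passes the (simulated) IdP."""
        if state in self._completed:
            return self._completed[state]  # duplicate callback: same answer, no second exchange
        flow = self._pending.pop(state, None)  # pop makes the state single-use
        if flow is None:
            raise PermissionError("unknown or already-consumed state")
        if flow["expires_at"] < time.time():
            raise PermissionError("login attempt expired; start again")
        claims = exchange_code(code, flow["verifier"])  # the IdP enforces the PKCE verifier
        if claims.get("nonce") != flow["nonce"]:
            raise PermissionError("nonce mismatch: ID token was not minted for this login")
        result = {"tenant": flow["tenant"], "sub": claims["sub"], "email": claims.get("email")}
        self._completed[state] = result
        return result


class SimulatedIdP:
    """Stand-in for the provider's authorize and token endpoints (constructed for
    the example; a real IdP also signs the ID token, which is not modelled here)."""

    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge: str, nonce: str, sub: str, email: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"challenge": code_challenge, "nonce": nonce, "sub": sub, "email": email}
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)  # authorization codes are single-use too
        if entry is None or pkce_challenge(code_verifier) != entry["challenge"]:
            raise PermissionError("invalid_grant")
        return {"sub": entry["sub"], "email": entry["email"], "nonce": entry["nonce"]}


def run_login(store: AuthFlowStore, idp: SimulatedIdP, tenant: str, sub: str, email: str):
    """Drive one login end to end; return (first result, result of a replayed callback)."""
    req = store.begin(tenant)
    code = idp.authorize(req["code_challenge"], req["nonce"], sub, email)
    first = store.complete(req["state"], code, idp.token)
    replay = store.complete(req["state"], code, idp.token)  # browser double-submits the callback
    return first, replay


if __name__ == "__main__":
    print(run_login(AuthFlowStore(), SimulatedIdP(), "acme", "user-123", "alice@acme.example"))
```

Note that `_completed` grows without bound as written; a real store gives those entries the same short TTL as pending flows, since a callback replayed an hour later should fail rather than re-issue a session.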
Email-domain routing
Map one or more email domains to each identity provider. A user lands on the right login automatically, which keeps multi-brand and post-acquisition setups from turning into a support queue.
Provision once, stay in sync
Let your directory be the source of truth. People get access when they join and lose it when they leave, without a side process to remember.
Just-in-time provisioning
Turn it on and a first-time SSO login creates the account for you, with the user type and defaults you configured. No pre-staging a directory before people can sign in.
SCIM 2.0 directory sync
Push the full lifecycle from your IdP: create users, update them when details change, and deactivate them when someone leaves. Authentication uses a bearer token stored only as a hash on our side.
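Storing only a hash of the SCIM bearer token means a database read gives an attacker nothing usable. The block below is an added example of that pattern, not LynxTrac's implementation; `ScimTokenStore` and the `scim_<id>_<secret>` token layout are assumptions made for illustration.

```python
"""Added example (not LynxTrac code): SCIM bearer tokens kept only as SHA-256
digests, looked up by a public token id and compared in constant time."""
import hashlib
import hmac
import secrets

TOKEN_PREFIX = "scim"  # hypothetical layout: scim_<token id>_<secret>


class ScimTokenStore:
    def __init__(self):
        self._rows = {}  # token_id -> {"digest": bytes, "tenant": str, "revoked": bool}

    def issue(self, tenant: str) -> str:
        token_id = secrets.token_hex(8)    # public part, used only to find the row
        secret = secrets.token_hex(32)     # 256 bits of entropy
        token = f"{TOKEN_PREFIX}_{token_id}_{secret}"
        # A random 256-bit secret needs no salt or password KDF: the secret itself
        # cannot be brute-forced, so a plain SHA-256 at rest is sufficient.
        self._rows[token_id] = {"digest": hashlib.sha256(token.encode()).digest(),
                                "tenant": tenant, "revoked": False}
        return token  # shown to the admin exactly once; never written in clear

    def authenticate(self, authorization_header: str):
        """Return the tenant for a valid 'Authorization: Bearer ...' header, else None."""
        scheme, _, token = authorization_header.strip().partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        parts = token.split("_")
        if len(parts) != 3 or parts[0] != TOKEN_PREFIX:
            return None
        row = self._rows.get(parts[1])
        if row is None or row["revoked"]:
            return None
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, row["digest"]):  # constant-time compare
            return None
        return row["tenant"]

    def revoke(self, token_id: str) -> None:
        if token_id in self._rows:
            self._rows[token_id]["revoked"] = True

    def stored_material(self) -> list:
        """What a dump of the token table would reveal: hex digests only."""
        return [row["digest"].hex() for row in self._rows.values()]


if __name__ == "__main__":
    store = ScimTokenStore()
    tok = store.issue("acme")
    print(store.authenticate(f"Bearer {tok}"), store.stored_material())
```

Revocation is by token id rather than by the token value, so an admin can cut off a connector without ever handling the secret again.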
Attribute mapping
Map the claims your provider sends to the fields LynxTrac expects, including email and first and last name. Configure it per IdP so each connection reads its own directory correctly.
Who can do what, and from where
Multi-tenant RBAC
Role-based access with permission templates, scoped to the vendor and customer hierarchy. A customer admin manages their own people without ever seeing another tenant.
MFA that fits your policy
Layer TOTP one-time codes or WebAuthn and FIDO2 security keys on top of SSO, with recovery codes for the day someone loses their phone. Use it as a fallback or require it outright.
Access-request workflow
New people can request access and have an admin approve it, so onboarding goes through a reviewable queue instead of one-off grants.
Tight sessions, logged changes
- Short-lived JWT access tokens with separate refresh tokens, so a leaked token has a small window.
- Configurable inactivity timeout that signs idle sessions out on your schedule.
- Replay protection on the OIDC flow, backed by server-side state validation.
- CIDR IP allowlisting to fence the console and APIs to networks you trust.
- Every SSO configuration change is written to the audit trail.
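CIDR allowlisting is only as good as the address it is applied to, so the added example below (not LynxTrac's code; the `ALLOWLIST` and `TRUSTED_PROXIES` values and the function names are constructed for it) evaluates the client address the way a console behind a load balancer has to: the `X-Forwarded-For` header is honoured only when the TCP peer is one of your own proxies, IPv4-mapped IPv6 addresses are normalised, and anything unparseable is denied rather than let through.

```python
"""Added example (not LynxTrac code): CIDR allowlist check that resolves the real
client address behind trusted proxies and fails closed on bad input."""
import ipaddress

# Constructed configuration for the example; a deployment reads these per tenant.
ALLOWLIST = ["203.0.113.0/24", "2001:db8::/32"]
TRUSTED_PROXIES = ["10.0.0.0/8"]


def parse_networks(entries):
    """Parse CIDR strings; strict=False lets '203.0.113.5/24' mean its /24."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _normalise(addr):
    # '::ffff:203.0.113.5' is an IPv4 client arriving over a dual-stack socket;
    # compare it as IPv4 so an IPv4 allowlist entry still matches.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def client_address(remote_addr, forwarded_for, trusted_proxies):
    """Return the address to authorise. Raises ValueError on unparseable input."""
    peer = _normalise(ipaddress.ip_address(remote_addr))
    # Only a request that physically came from one of our proxies may carry a
    # forwarded header; otherwise anyone could set it to an allowlisted value.
    if not forwarded_for or not any(peer in net for net in trusted_proxies):
        return peer
    # Walk hops right to left, skipping our own proxies; the first other hop is the client.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        addr = _normalise(ipaddress.ip_address(hop))  # ValueError on junk
        if not any(addr in net for net in trusted_proxies):
            return addr
    raise ValueError("X-Forwarded-For contains only our own proxies")


def is_allowed(remote_addr, forwarded_for, allowlist=None, trusted_proxies=None):
    """Return (allowed, address-or-reason)."""
    allowlist = parse_networks(ALLOWLIST if allowlist is None else allowlist)
    trusted_proxies = parse_networks(TRUSTED_PROXIES if trusted_proxies is None else trusted_proxies)
    try:
        addr = client_address(remote_addr, forwarded_for, trusted_proxies)
    except ValueError:
        return False, "unparseable client address"  # fail closed
    return any(addr in net for net in allowlist), str(addr)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    for peer, xff in [("203.0.113.5", None), ("198.51.100.9", "203.0.113.5"),
                      ("10.0.0.2", "203.0.113.5, 10.0.0.7"), ("10.0.0.2", "not-an-ip"),
                      ("::ffff:203.0.113.5", None), ("10.0.0.2", "10.0.0.3")]:
        print(peer, xff, "->", is_allowed(peer, xff))
```

The second constructed request is the one that matters: a peer outside the proxy range sends a forwarded header naming an allowlisted address, and the check ignores the header and denies on the peer.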
Part of the enterprise package
SSO sits alongside the rest of the Enterprise controls: on-prem deployment, custom retention, dedicated support, and the same immutable audit trail that records every login configuration change.
- SAML 2.0 and OpenID Connect
- SCIM 2.0 and JIT provisioning
- TOTP, WebAuthn, and FIDO2 MFA
- Multi-tenant RBAC with templates
Common SSO questions
Which identity providers work with this?
Can accounts be created and removed automatically?
Do we still get MFA with SSO?
Is SSO available on every plan?
Further reading
From the blog, where we go deeper than a feature page can.
SSO and built-in XDR land in LynxTrac
Two things teams kept asking for are now live: single sign-on over SAML and OpenID Connect, and a Wazuh-powered XDR and SIEM suite on the agent you already run.
Security trade-offs of browser-based access
Browser-based access removes VPNs and shared keys, but it is not a free lunch. The honest trade-off list is short, and every item on it is mitigatable.
Using AWS KMS for secure SSH credential management
Storing SSH credentials safely is harder than it looks. AWS KMS fits into a modern access flow in specific ways, with specific frictions and pitfalls worth naming.
Bring your own identity provider
SSO and SCIM ship with the Enterprise plan. Tell us which IdP you run and we will get it connected.