
Federation & Access

Identity is federated from the customer's IdP. The platform never owns passwords — it resolves an IdP group to a team and role by convention, with a registered alias as fallback. No silent grants, no auto-created teams.

OIDC

Federation config

How an SSO sign-in becomes a team + role on the platform.

Provider
Microsoft Entra ID
Protocol
OIDC
Group → role convention
rai-<team>-<role> (e.g. rai-cust-ops-builder)

Break-glass Admin

local · IdP-independent · out-of-band handover

admin@vanguard-defense.gov (local Cognito · IdP-independent · credential handed over out-of-band at install)

Survives an IdP outage or misconfiguration so an operator can always recover access.

Group aliases

When a group name doesn't match the convention, a registered alias maps it explicitly.

IdP group            Team                     Role
PlatformEng-Agents   Platform Engineering     builder
ContractsLeads       Contracts & Proposals    team-admin
Resolution prefers the convention, then falls back to a registered alias. An alias to a non-existent team is rejected — the platform never auto-creates a team to satisfy a claim.

Pending arrivals

Users whose IdP group claim didn't resolve. They wait here — read-only, no access — until an admin decides.

2 held
j.okafor@vanguard-defense.gov · read-only holding state
claimed group rai-custops-builder · 7d ago

Typo in group name (custops vs cust-ops) — no matching team. Held in read-only state, no silent grant.

contractor-22@vendor.example · read-only holding state
claimed group Vendor-Readonly · 6d ago

Unrecognised group, no alias registered. Awaiting admin mapping decision.

No silent grant, no auto-created team. An unresolved arrival has zero access until an admin maps it to an existing team and role.
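The resolution order above (convention first, registered alias second, otherwise held with zero access) and the two pending arrivals, as an added example that is not the platform's own code. The team slugs, the role set and the alias table are constructed sample data mirroring this page; `TEAMS` stands in for the platform's team registry.

```python
# Added example (not the platform's own code): resolve an IdP group claim under
# the rai-<team>-<role> convention, then fall back to a registered alias.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PREFIX = "rai-"
ROLES = ("team-admin", "builder")            # constructed; hyphenated roles are allowed
TEAMS = {"cust-ops", "platform-engineering", "contracts-proposals"}  # constructed slugs
ALIASES: Dict[str, Tuple[str, str]] = {}     # IdP group -> (team, role)


@dataclass(frozen=True)
class Resolution:
    team: Optional[str]
    role: Optional[str]
    via: str  # "convention", "alias", or "held" (zero access until an admin maps it)


def register_alias(group: str, team: str, role: str) -> None:
    """Register an explicit mapping; an alias to a non-existent team is rejected."""
    if team not in TEAMS:
        raise ValueError(f"{group!r} -> unknown team {team!r}: teams are never auto-created")
    if role not in ROLES:
        raise ValueError(f"{group!r} -> unknown role {role!r}")
    ALIASES[group] = (team, role)


def by_convention(group: str) -> Optional[Tuple[str, str]]:
    if not group.startswith(PREFIX):
        return None
    body = group[len(PREFIX):]
    # Team slugs and roles may both contain '-': match a known role suffix, not a hyphen split.
    for role in ROLES:
        if body.endswith("-" + role):
            team = body[: -len(role) - 1]
            if team in TEAMS:             # the team must already exist
                return team, role
    return None


def resolve(group: str) -> Resolution:
    """Convention first, then alias; anything else is held read-only, no silent grant."""
    hit = by_convention(group)
    if hit:
        return Resolution(*hit, "convention")
    hit = ALIASES.get(group)
    if hit:
        return Resolution(*hit, "alias")
    return Resolution(None, None, "held")


register_alias("PlatformEng-Agents", "platform-engineering", "builder")
register_alias("ContractsLeads", "contracts-proposals", "team-admin")
```

Feeding the two claims from the holding list (`rai-custops-builder` and `Vendor-Readonly`) through `resolve` yields `held`, and registering an alias to a team that does not exist raises instead of creating one.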