Enterprise

Enterprise SSO

OIDC, bounded SAML, and a bounded SCIM enterprise baseline ship today. They are internal baselines — useful, documented, tested — but they are not officially certified for any specific identity vendor.

OIDC

OIDC callback proxy with HMAC-signed state shipped
Postgres-backed session store shipped
Reason taxonomy (28 codes, bilingual en/tr) shipped

SAML 2.0

Signed AuthnRequest (RSA-SHA256/384/512 + RSA-PSS) bounded
HTTP-POST and HTTP-Redirect bindings bounded
Encrypted assertions (RSA-OAEP + AES-GCM/CBC allowlist) bounded
SP-initiated SLO (signed LogoutRequest + verified LogoutResponse) bounded
IdP-initiated SLO (with master switch, default-off) bounded
InMemory + Postgres session-meta + replay store shipped
Sha1 signature refused as a hard error shipped
Vendor-cert (Okta / Entra / Google) not-claimed

SCIM 2.0

Users + Groups + filters + PATCH (add/replace/remove) bounded
ServiceProviderConfig + ResourceTypes + Schemas endpoints shipped
Conformance audit suite (45 tests / 53 checks) shipped
Cross-org isolation verified shipped
Official SCIM 2.0 conformance certification not-claimed

Admin surface

Writable /settings/sso dashboard form shipped
Persistent SSO config store with hashed secrets/PEMs shipped
/v1/admin/sso/{oidc,saml,test-connection,diagnostics} routes shipped

Operator credentials

Enterprise pilot configurations require operator-supplied credentials for the external lanes:

Funded testnet wallet + USDC for x402 settle.
GCP service-account key for live GCS export.
Alertmanager URL + tenant token for live alert routing.
External signed-webhook URL + HMAC secret for SIEM delivery.

Until those credentials run, the corresponding capabilities stay in operator-gated state. The gateway itself is unchanged; only the external verification lane is incomplete.

Boundaries

SAML / SCIM are not officially certified for any vendor.
Session and CSRF are server-managed; cookies are HttpOnly + SameSite-strict.
RBAC roles + scopes are documented in the security model.