Identity & SSO

SAML or OIDC for humans, SCIM for groups, short-lived tokens for workloads, audit to SIEM. Configured at install time.

One access surface across every Wordcab service. SAML or OIDC for humans, SCIM for groups, service tokens for workloads, and audit events piped to your SIEM. All of it configured at install time; no separate IdP for the control plane vs. the dashboard.

SSO (SAML / OIDC)

Either protocol works. Pick whichever your IdP emits for everything else.

OIDC (Keycloak, Auth0, Okta, Azure AD, Google Workspace)

yaml

auth:
  oidc:
    enabled: true
    issuerURL: https://login.example.com/realms/prod
    clientIDRef:     { name: wordcab-oidc, key: client_id }
    clientSecretRef: { name: wordcab-oidc, key: client_secret }
    scopes: [openid, email, profile, groups]
    claimMappings:
      username: preferred_username
      email:    email
      groups:   groups

SAML (Okta, Azure AD, ADFS, Ping)

yaml

auth:
  saml:
    enabled: true
    metadataURL: https://idp.example.com/FederationMetadata.xml
    # or metadataXMLRef: { name: wordcab-saml-meta, key: metadata.xml }
    attributeMappings:
      username: NameID
      email:    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
      groups:   http://schemas.xmlsoap.org/claims/Group

SCIM provisioning

SCIM 2.0 is exposed at /scim/v2 on the control plane. Pair with any IdP that speaks SCIM (Okta, Azure AD, OneLogin, Rippling). Users and groups — including group-based RBAC — flow in automatically.

yaml

auth:
  scim:
    enabled: true
    tokenRef: { name: wordcab-scim, key: token }   # bearer token the IdP uses
    groupPrefix: wordcab-                            # only sync groups with this prefix

RBAC

Four built-in roles plus custom roles.

Role	Scope
`owner`	Full control incl. billing and key management.
`admin`	Manage deployments, agents, keys, SSO config.
`developer`	Read/write agents, calls, test suites.
`viewer`	Read-only across the tenant.
custom	Any combination of the API-key scope list.

Role assignment is group-based. Map your IdP groups to roles in auth.roleBindings once; SCIM keeps it synced.

Service tokens for workloads

Don't ship long-lived API keys into workloads. Prefer:

Kubernetes ServiceAccount tokens — mounted via projected-volume, exchanged at the control plane for a short-lived Wordcab token.
Any OIDC-issued JWT — configure an auth.workloadIdentity.issuer list and accept tokens signed by your service mesh or IdP.
Cloud workload identity — IAM Roles for Service Accounts (EKS), Workload Identity (GKE), AAD Pod Identity (AKS) all work the same way.

Audit log

Every auth event (login, consent, key create/use/revoke, role change, SCIM op) is emitted as a structured line and as a deployment.audit webhook / Kafka event. Schema is stable and documented — wire it into your SIEM.

json

{"ts":"2026-04-16T12:34:56Z","event":"api_key.created","actor":"user:alice@example.com","target":"key_01HZ...","attrs":{"scopes":["transcripts:write"]},"request_id":"req_01HZ..."}

Break-glass

Keep one offline, IdP-independent owner account. SSO outages happen; if SAML is the only way in and the IdP is down, you can't log in to fix the IdP.

← Previous

Observability

Telephony & SIP