Support Center

Enterprise Security & Identity Management

As your Organization scales on the Ngwenya network, centralizing authentication and membership lifecycle management becomes critical. The Platform provides zero-trust identity integrations tailored for Malet Owners and Platform Administrators, allowing you to connect corporate directories like Okta, Azure Active Directory, and JumpCloud directly to your dashboard.

This manual explains how to configure Single Sign-On (SSO) and Directory Synchronization.

CAUTION

Enterprise Identity features are currently restricted to Organizations on the Enterprise Tier. Misconfiguring these settings can immediately lock all users out of your Organization resources. Please test thoroughly using the integrated connection tester before enabling.

Single Sign-On (SAML 2.0)

Security Assertion Markup Language (SAML) allows your team members to authenticate into the platform using your company's existing identity provider (IdP). Once active, members navigating to your Organization's login portal will be redirected to your corporate portal to sign in.

Configuring Your IdP

To set up the connection, you must provide your IdP details in the Security & SAML tab of your Organization management dashboard.

  1. IdP Entity ID (Issuer): The unique URI identifying your corporate directory.
  2. IdP SSO URL: The HTTP-POST endpoint where the platform should send authentication requests.
  3. X.509 Certificate: The IdP's public signing certificate, which the platform uses to verify the signature on each SAML assertion it receives. Paste the entire PEM block, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

NOTE

For security purposes, once your X.509 Certificate is saved it is masked in the dashboard, and you will not see the complete raw string again. To rotate the certificate, paste the new one into the blank form field. Because the dashboard holds a single certificate and assertions are verified only against it, coordinate the rotation with your IdP administrator: assertions signed with the previous certificate will be rejected once the new one is saved, so switch the IdP to its new signing key at the same time.

Attribute Mapping

When users authenticate via SAML for the first time, their account is initialized automatically. You can map specific traits from your corporate directory to their platform profile:

  • Email Attribute: Required. The exact SAML assertion attribute representing the user's email address (e.g., email or mail).
  • Display Name Attribute: Optional. Can pull the user's full name (e.g., displayName).
  • Role Hint Attribute: Optional. If your IdP sends a role attribute (e.g., role), the platform attempts to match its value to a platform role. If no match is found, the Default Provisioned Role selected in your dashboard (e.g., MEMBER or VIEWER) is applied. Keep that default as low-privileged as your onboarding allows, since every first-time login without a recognised role hint receives it.
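To make the mapping concrete, here is an added Python example (not the platform's own code) that applies such a mapping to a SAML assertion: it checks the Issuer against the configured IdP Entity ID, requires exactly one email value, takes the display name if present, and falls back to the Default Provisioned Role when the role hint does not name a platform role. The assertion XML, the configuration values and the set of platform roles are constructed for illustration; signature verification against the X.509 certificate is assumed to have already happened and is not shown.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the Security & SAML dashboard settings.
# Entity ID, attribute names and the role set are assumptions of this example.
CONFIG = {
    "idp_entity_id": "https://idp.example.com/saml/metadata",
    "email_attribute": "email",
    "display_name_attribute": "displayName",
    "role_hint_attribute": "role",
    "default_role": "MEMBER",
    "known_roles": {"ADMIN", "MEMBER", "VIEWER"},
}

# Constructed assertion as an IdP might send it (signature element omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>Jane@Example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(assertion_xml: str):
    """Return (issuer, {attribute name: [values]}) from an assertion document."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return issuer, attrs


def provision_profile(assertion_xml: str, config=CONFIG):
    """Build the profile for a first-time SAML login.

    Precondition (not implemented here): the assertion's XML signature has
    been verified against the configured X.509 certificate. Reading
    attributes from an unverified assertion would let anyone choose their
    own email and role.
    """
    issuer, attrs = assertion_attributes(assertion_xml)
    if issuer != config["idp_entity_id"]:
        raise ValueError(f"issuer {issuer!r} does not match the configured IdP Entity ID")

    # Email is required and must be unambiguous: one value, looks like an address.
    emails = attrs.get(config["email_attribute"], [])
    if len(emails) != 1 or "@" not in emails[0]:
        raise ValueError("email attribute missing or ambiguous; check the Email Attribute mapping")
    profile = {"email": emails[0].strip().lower()}

    # Display name is optional.
    names = attrs.get(config["display_name_attribute"], [])
    profile["display_name"] = names[0].strip() if names else None

    # Role hint: use it only if it names a platform role, else the default.
    hints = attrs.get(config["role_hint_attribute"], [])
    hint = hints[0].strip().upper() if hints else None
    profile["role"] = hint if hint in config["known_roles"] else config["default_role"]
    return profile
```

Two things to notice: the issuer check ties the assertion to the Entity ID from the configuration step, and an unmapped email is treated as a hard error rather than a fallback, because an account initialised without a verified email cannot be matched to anyone later.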

Directory Synchronization (SCIM 2.0)

System for Cross-domain Identity Management (SCIM) automates onboarding and offboarding. When a user is added to or removed from a group in your IdP, their access to your platform features (including administrative access to your owned Malets) is updated or revoked without manual intervention, as soon as your IdP pushes the change. Most IdPs push SCIM changes on a provisioning schedule rather than instantly, so the deprovisioning delay you can rely on is your IdP's provisioning interval, not zero.

Generating a Bearer Token

Your SCIM integration requires a Long-Lived Bearer Token to securely execute API commands against the directory synchronization endpoints.

  1. Navigate to the Security & SAML tab.
  2. Under "Directory Sync (SCIM)", click Generate New Token.
  3. Provide a recognizable label, like "Azure AD Sync 2026".

IMPORTANT

The raw token string is displayed only once. Immediately copy it and insert it into your IdP's provisioning configuration interface. The platform only stores a hashed representation of the token and cannot retrieve it for you later.

Token Revocation

Should a token become compromised, or if you are migrating identity providers, you can instantly revoke active SCIM tokens.

  1. Locate the active token in the "Active & Historical Tokens" list.
  2. Click Revoke.
  3. All operations utilizing that token will immediately fail with a 401 Unauthorized response.

TIP

The token list displays a Last Used timestamp, so you can confirm that your IdP is actually calling the SCIM endpoints rather than merely holding a token. A timestamp that never advances usually means provisioning is disabled or failing on the IdP side, and is worth checking before you rely on automated offboarding.
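The generation, hashed storage, revocation and Last Used behaviour described in the "Generating a Bearer Token" and "Token Revocation" steps above can be modelled in a few lines. The following Python is an added example, not the platform's own implementation: the ScimTokenStore class, the "<token_id>.<secret>" token layout and the 200/401 return values are assumptions chosen for illustration. Tokens are high-entropy random strings, so a plain SHA-256 digest (rather than a slow password hash) is enough to ensure a leaked token table yields no usable tokens, and the digest comparison is constant-time.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import datetime, timezone


class ScimTokenStore:
    """Hypothetical server-side registry for SCIM bearer tokens (added example).

    Only a SHA-256 digest of each secret is kept, so the raw token cannot be
    recovered later; the raw string is returned exactly once at generation.
    """

    def __init__(self) -> None:
        # token_id -> {"label", "digest", "revoked", "last_used"}
        self._tokens: dict[str, dict] = {}

    def generate(self, label: str) -> tuple[str, str]:
        """Create a token and return (token_id, raw_token).

        The "<token_id>.<secret>" layout is an assumption of this example so
        the server can locate the record without scanning every digest.
        """
        token_id = secrets.token_hex(8)        # public; shown in the token list
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy
        self._tokens[token_id] = {
            "label": label,
            "digest": hashlib.sha256(secret.encode()).hexdigest(),
            "revoked": False,
            "last_used": None,
        }
        return token_id, f"{token_id}.{secret}"

    def revoke(self, token_id: str) -> None:
        """Mark a token revoked. The record stays, so it remains visible in
        an "Active & Historical Tokens" style list, but it never authenticates again."""
        self._tokens[token_id]["revoked"] = True

    def last_used(self, token_id: str) -> datetime | None:
        """Timestamp of the last successful request, or None if never used."""
        return self._tokens[token_id]["last_used"]

    def authenticate(self, authorization_header: str) -> int:
        """Validate an Authorization header; return HTTP status 200 or 401."""
        scheme, _, presented = authorization_header.partition(" ")
        token_id, sep, secret = presented.partition(".")
        if scheme != "Bearer" or not sep:
            return 401
        record = self._tokens.get(token_id)
        if record is None or record["revoked"]:
            return 401
        digest = hashlib.sha256(secret.encode()).hexdigest()
        if not hmac.compare_digest(digest, record["digest"]):
            return 401
        record["last_used"] = datetime.now(timezone.utc)   # feeds the Last Used column
        return 200
```

Revocation is a flag rather than a deletion so the history and label survive for audit, and every failure path returns the same 401 so a caller cannot distinguish an unknown id from a revoked token or a wrong secret.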