Bring Your Own IAM
Federate BizFirstGO with your existing enterprise identity provider — Okta, Azure AD / Entra ID, Auth0, or Keycloak — without migrating users to Passport.
Federation vs. Replacement
Bring Your Own IAM (BYOIAM) is a federation model, not a full replacement. Your external IdP handles authentication and issues tokens. BizFirstGO accepts and validates those tokens. BizFirstGO's own permission system, resource policies, and node capability policies remain fully active — they operate on the mapped identity.
External IdP Provides
- User authentication (login)
- MFA enforcement
- Session management
- Group/role memberships
- JWT tokens with claims
BizFirstGO Keeps
- Permission string evaluation
- Resource-level policies
- Node capability policies
- Workflow execution authorization
- Audit logging
IExternalTokenProvider
```csharp
namespace BizFirst.Essentials.Passport.Federation;

public interface IExternalTokenProvider
{
    /// <summary>
    /// The issuer URI this provider handles. Matched against the "iss" claim in incoming tokens.
    /// </summary>
    string Issuer { get; }

    /// <summary>
    /// Validate the token and return identity claims.
    /// Returns null if the token is invalid.
    /// </summary>
    Task<ExternalIdentityClaims?> ValidateTokenAsync(
        string token,
        CancellationToken ct = default);
}

/// <summary>
/// Identity extracted from a validated external token. Passed to ExternalClaimsMapper,
/// which turns it into BizFirstGO's IDInfo and role names.
/// </summary>
public class ExternalIdentityClaims
{
    public required string UserId { get; init; }      // typically the "sub" claim
    public required string TenantId { get; init; }
    public required string Email { get; init; }
    public string? DisplayName { get; init; }
    public IReadOnlyList<string> Groups { get; init; } = [];   // external groups/roles
    public IReadOnlyDictionary<string, string> RawClaims { get; init; } = new Dictionary<string, string>();
}
```
How Token Validation Works with External IdPs
Token Arrives at BizFirstGO API
A BizFirstGO API receives a request with a Bearer token in the Authorization header. The token was issued by an external IdP (e.g., Okta, Azure AD).
Identify the Provider
Passport extracts the iss (issuer) claim from the token header. The issuer is matched against registered IExternalTokenProvider instances to find the correct validator.
Validate the Token
The matched provider validates the token signature against the IdP's JWKS endpoint and checks expiry, issuer, and audience. On success it returns ExternalIdentityClaims; if any check fails it returns null and the request is rejected.
Map Claims to IDInfo
ExternalClaimsMapper translates external claims (sub, groups, etc.) to BizFirstGO's IDInfo and role names. Group names from the external IdP are mapped to BizFirstGO role names.
Normal BizFirstGO Authorization
With IDInfo populated, normal BizFirstGO permission evaluation runs — resource policies, node capability policies, and all IAM checks work identically whether the token came from Passport or an external IdP.
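Putting the interface and the validation steps together, here is an added example of a generic OIDC implementation of IExternalTokenProvider; it is not BizFirstGO's own code. It assumes the Microsoft.IdentityModel packages, a hypothetical class name OidcTokenProvider, and that every user of a given IdP belongs to one BizFirstGO tenant supplied at construction.

```csharp
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using BizFirst.Essentials.Passport.Federation;
// Added example (hypothetical class, not BizFirstGO code). Assumes the Microsoft.IdentityModel
// packages and that every user of this IdP belongs to one BizFirstGO tenant given at construction.
public sealed class OidcTokenProvider : IExternalTokenProvider
{
    private readonly string _audience, _tenantId;
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _metadata;
    // Keep raw claim names (sub, email, groups) instead of the .NET ClaimTypes mapping.
    private readonly JsonWebTokenHandler _handler = new() { MapInboundClaims = false };
    public OidcTokenProvider(string issuer, string audience, string tenantId)
    {
        Issuer = issuer; _audience = audience; _tenantId = tenantId;
        // OIDC discovery document; the manager caches the JWKS and refreshes it on key rollover.
        _metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{issuer.TrimEnd('/')}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    }
    public string Issuer { get; }   // Passport matches this against the token's "iss" claim
    public async Task<ExternalIdentityClaims?> ValidateTokenAsync(string token, CancellationToken ct = default)
    {
        var config = await _metadata.GetConfigurationAsync(ct);
        var result = await _handler.ValidateTokenAsync(token, new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = _audience,               // reject tokens minted for a different API
            IssuerSigningKeys = config.SigningKeys,  // keys from the IdP's JWKS endpoint
            ValidateLifetime = true,
        });
        if (!result.IsValid) return null;            // bad signature, expired, wrong iss or aud
        var id = result.ClaimsIdentity;
        var sub = id.FindFirst("sub")?.Value;
        var email = id.FindFirst("email")?.Value;
        if (sub is null || email is null) return null;   // both are required by ExternalIdentityClaims
        return new ExternalIdentityClaims
        {
            UserId = sub, TenantId = _tenantId, Email = email,
            DisplayName = id.FindFirst("name")?.Value,
            // A JSON array claim becomes one Claim per element, so "groups" yields every group.
            Groups = id.FindAll("groups").Select(c => c.Value).ToList(),
            RawClaims = id.Claims.GroupBy(c => c.Type)
                .ToDictionary(g => g.Key, g => string.Join(",", g.Select(c => c.Value))),
        };
    }
}
```

Register one instance per issuer; Passport selects the provider whose Issuer equals the incoming token's iss claim, and the returned Groups are what ExternalClaimsMapper maps to BizFirstGO role names.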
Supported Providers
| Provider | Protocol | Group/Role Source | Guide Page |
|---|---|---|---|
| Okta | OIDC | groups claim in JWT | Okta Integration |
| Azure AD / Entra ID | OIDC | groups claim (GUIDs) or Microsoft Graph | Azure AD Integration |
| Auth0 | OIDC | Custom namespace claim | Auth0 Integration |
| Keycloak | OIDC | Realm roles in JWT | Keycloak Integration |
| Custom | OIDC/JWT | Configurable | Implement IExternalTokenProvider |