Multi-IDP Support
Multi-IDP Support for Every Scope
Connect multiple identity providers across tenants and workspaces for seamless, flexible access control. Secrato gives you centralised visibility and per-scope configuration, so you can enable SSO and manage identities securely at every level.
Connect Multiple Identity Providers Seamlessly
Secrato Multi-IDP Support lets you mix and match Okta, Azure AD, Google, and OneLogin using SAML, tailored per tenant or workspace. Each layer can inherit or override its parent configuration for precise access management.
Manage Complex Account Models
Secrato supports multiple verified domains or a single email identity that can hold roles across several tenants or workspaces. Each identity binding is fully isolated to maintain least privilege and a clear separation of duties.
Secure, Auditable, and Automated by Design
Secrato applies least privilege by default, with auditable access at every stage. Role-based access control and IdP group mapping prevent privilege drift and shadow admin creation.
How it maps to SECRATO
Tenant Level
Primary SSO per tenant.
Optional secondary IdP for failover.
Domain verification and trust policies.
Workspace level
Override IdP or inherit tenant SSO.
Map IdP groups to workspace roles.
Local accounts with policy gates.
Sub-workspace level
Fine-grained role bindings for site teams.
Evidence of access reviews per site.
Automatic de-provisioning on events.
Email & Account Models
Multi-domain
A multi-domain model allows multiple verified email domains to operate securely within one unified SaaS environment.
Single email, many scopes
A single email identity with multiple scopes enables unified login and secure, role-based access across multiple workspaces or tenants.
Local accounts
A local account is a platform-managed user identity authenticated directly via email and password, offering flexible and secure access without requiring external SSO or directory integration.
Security & Compliance
RBAC & Group Mapping
RBAC and group mapping enable automated, policy-based access control, ensuring users inherit the right permissions through identity integrations and predefined roles.
Provisioning & Lifecycle
Establish secure onboarding, continuous compliance enforcement, and controlled offboarding, ensuring every account remains compliant and tightly governed from creation to removal.
Audit & Visibility
Audit and visibility provide full traceability and real-time insight into platform activities, enabling continuous oversight, compliance validation, and rapid incident response.
FAQ
Yes. Configure primary and secondary IdPs per tenant, override at workspace or sub-workspace if required. Routing rules decide which IdP handles a login based on email domain or explicit selection.
Local accounts are optional and policy-gated (MFA required, time-boxed). They are intended for break-glass and service access. Every action is logged for audit.
Yes. A single email can be bound to roles across multiple tenants and (sub)workspaces. Role bindings and approvals remain isolated per tenant.
Explore What Secrato Can Do
Enable SSO Anywhere
Activate single sign-on per tenant or workspace with full inheritance and override options.
Combine Identity Providers
Use Okta, Azure AD, Google, or OneLogin together, configured per scope for operational flexibility.
Support Multi-Domain Logins
Verify multiple email domains and enforce per-domain MFA, session, and trust policies.
Manage One Identity
Assign one user email to multiple roles across tenants and workspaces in isolation.
Control Local Accounts
Enable tightly governed, MFA-enforced local accounts for exceptions — every action tracked and justified.
Automate Access Reviews
Sync users and groups via SCIM and capture evidence of access reviews.