User management

Authentication, group sync, and persona binding. Colrows treats identity as a graph node - a user resolves to one or more personas, and the persona is what shapes the allowed semantic subgraph at compile time.

Identity model

  • User - a unique principal authenticated by your IdP. Has zero or more group memberships and persona bindings.
  • Group - a collection of users mirrored from your IdP (Okta, Entra ID, Google Workspace, JumpCloud, AD).
  • Persona - a graph node with scope and policy bindings. A user's effective persona is resolved at request time from group membership and explicit assignment.
  • Session - an authenticated context. Carries the persona, audit identifiers, and a request-scoped trace.

Authentication options

Native authentication

Email + password with mandatory MFA (TOTP or hardware key). Use it for early evaluation or for break-glass admin accounts. Not recommended as the primary auth method for production.

  • Argon2id password hashing, configurable cost factors.
  • Mandatory MFA after first sign-in. Backup codes generated on enrollment.
  • Forced rotation on compromise - admins can invalidate all sessions for a user instantly.

OAuth / OIDC

Recommended for most deployments. Colrows is a standard OIDC relying party - bring an Identity Provider that supports the Authorization Code flow with PKCE.

idp:
  type: oidc
  issuer:           https://acme.okta.com
  client_id:        colrows-prod
  client_secret:    ${ENV}
  scopes:           [openid, profile, email, groups]
  group_claim:      groups
  username_claim:   email

Tested integrations: Okta, Microsoft Entra ID (Azure AD), Google Workspace, Auth0, Keycloak, Ping. Custom IdPs work as long as they're spec-compliant.
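The two relying-party steps implied by the config above, as an added example (not Colrows' own code): generating the PKCE verifier/challenge pair for the Authorization Code flow, and then checking the claims of the returned ID token against the configured issuer, client_id, group_claim and username_claim. It assumes the token's signature has already been verified against the issuer's JWKS, which is out of scope here; the claim values in the test are constructed.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Values taken from the idp: block above. The claim names decide which
# ID-token fields become the session's username and group list.
IDP_CONFIG = {
    "issuer": "https://acme.okta.com",
    "client_id": "colrows-prod",
    "group_claim": "groups",
    "username_claim": "email",
}


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    A fresh verifier is 32 random bytes, base64url-encoded without padding,
    which gives 43 characters (inside the 43..128 range the RFC requires).
    The verifier stays with the client; only the challenge goes to the IdP.
    """
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def validate_id_token_claims(claims: dict, expected_nonce: str,
                             now: Optional[float] = None) -> dict:
    """Check an already signature-verified ID token's claims and map them.

    Raises ValueError on any mismatch. Returns {"username": ..., "groups": [...]}
    using the claim names from IDP_CONFIG so the result can feed persona binding.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_CONFIG["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if IDP_CONFIG["client_id"] not in aud_list:
        raise ValueError("token was not issued for this client")
    # With several audiences, OIDC Core requires azp to name this client.
    if len(aud_list) > 1 and claims.get("azp") != IDP_CONFIG["client_id"]:
        raise ValueError("azp must equal client_id when aud lists several clients")
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    username = claims.get(IDP_CONFIG["username_claim"])
    if not username:
        raise ValueError(f"missing {IDP_CONFIG['username_claim']} claim")
    groups = claims.get(IDP_CONFIG["group_claim"], [])
    if not isinstance(groups, list):
        raise ValueError("group claim must be a list")
    return {"username": username, "groups": list(groups)}
```

The verifier/challenge pair is checked against the RFC 7636 Appendix B vector, so a wrong encoding (padding left in, standard instead of URL-safe alphabet) shows up immediately. Note that `validate_id_token_claims` fails closed on a missing `exp` or username claim rather than treating absence as acceptable.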

SAML 2.0

For enterprises with a SAML-only IdP (some on-prem ADFS deployments). Colrows acts as the Service Provider; upload the IdP metadata XML and provision claim mappings.

idp:
  type: saml
  metadata_url:     https://idp.acme.com/saml/metadata
  attribute_username: NameID
  attribute_groups:   memberOf
  signed_assertions:  required
  signed_responses:   required

Just-in-Time provisioning is supported - users created on first sign-in inherit personas based on group membership.

Group → persona mapping

The contract between identity and the semantic graph is the group-to-persona map.

persona_bindings:
  - group: "data-platform-engineers"
    persona: engineer
  - group: "regional-analysts-emea"
    persona: regional_analyst
    scope:
      region: EMEA       # ABAC predicate
  - group: "executive-readers"
    persona: viewer

Bindings are evaluated at session start. A user in multiple matching groups receives the union of allowed scopes and the most restrictive policy for any conflict.
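An added example (not Colrows' code) of how the binding rule just stated can be evaluated at session start, using the persona_bindings above as data. The page does not say how "most restrictive" is decided, so the example assumes a fixed ordering engineer < regional_analyst < viewer; the lint helper at the end checks the best practice that each group is bound to exactly one persona.

```python
from typing import Dict, Iterable, List

# The persona_bindings block above, as Python data.
PERSONA_BINDINGS = [
    {"group": "data-platform-engineers", "persona": "engineer"},
    {"group": "regional-analysts-emea", "persona": "regional_analyst",
     "scope": {"region": "EMEA"}},
    {"group": "executive-readers", "persona": "viewer"},
]

# Assumption for this example (not from the page): higher value = more restrictive.
RESTRICTIVENESS = {"engineer": 0, "regional_analyst": 1, "viewer": 2}


def resolve_session_persona(user_groups: Iterable[str],
                            bindings: List[dict] = PERSONA_BINDINGS) -> dict:
    """Resolve the effective persona and scope for a user's group list.

    Scopes from every matching binding are unioned per key; when matching
    groups disagree on the persona, the most restrictive one wins. A user
    with no matching group gets no persona and is refused.
    """
    groups = set(user_groups)
    matched = [b for b in bindings if b["group"] in groups]
    if not matched:
        raise PermissionError("no persona binding matches the user's groups")

    scopes: Dict[str, set] = {}
    for b in matched:
        for key, value in b.get("scope", {}).items():
            scopes.setdefault(key, set()).add(value)

    personas = {b["persona"] for b in matched}
    effective = max(personas, key=lambda p: RESTRICTIVENESS[p])
    return {
        "persona": effective,
        "scopes": {k: sorted(v) for k, v in scopes.items()},
        "matched_groups": sorted(b["group"] for b in matched),
    }


def lint_bindings(bindings: List[dict] = PERSONA_BINDINGS) -> Dict[str, List[str]]:
    """Return groups bound to more than one persona (should be empty)."""
    by_group: Dict[str, set] = {}
    for b in bindings:
        by_group.setdefault(b["group"], set()).add(b["persona"])
    return {g: sorted(p) for g, p in by_group.items() if len(p) > 1}
```

Because the scope union is keyed, a user in two regional groups ends up with both regions allowed under one persona, while a user who is both an engineer and an executive reader is downgraded to viewer for that session rather than receiving engineer access.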

SCIM provisioning

Colrows exposes a SCIM 2.0 endpoint for automated user / group lifecycle. Most IdPs can drive create / update / delete and group membership sync over SCIM. Combined with OIDC, this gives you a fully automated identity loop.

Session & audit

  • Sessions are bound to the resolved persona; persona changes (role swap, scope change) take effect on next session.
  • Idle and absolute timeouts are configurable per workspace; defaults are 12h idle, 24h absolute.
  • Every authenticated action writes an audit row keyed by user, persona, request ID, and trace ID - searchable from the admin console and exportable to your SIEM.
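An added example (not Colrows' code) of the two-timeout rule above with the stated defaults: a session that is refreshed continuously still dies at the absolute limit, and the persona captured at session start is not re-read on refresh, matching the note that persona changes take effect on the next session. Timestamps are epoch seconds; the sample values are constructed.

```python
# Defaults from this page, in seconds.
IDLE_TIMEOUT = 12 * 3600
ABSOLUTE_TIMEOUT = 24 * 3600


def session_state(created_at: float, last_seen: float, now: float,
                  idle: int = IDLE_TIMEOUT, absolute: int = ABSOLUTE_TIMEOUT) -> str:
    """Return 'active', 'idle_expired' or 'absolute_expired'.

    The absolute limit is checked first: activity never extends a session
    past it, so a busy session at hour 24 is still expired.
    """
    if now - created_at >= absolute:
        return "absolute_expired"
    if now - last_seen >= idle:
        return "idle_expired"
    return "active"


def new_session(user: str, persona: str, now: float) -> dict:
    """Snapshot the resolved persona at session start."""
    return {"user": user, "persona": persona, "created_at": now, "last_seen": now}


def refresh_session(session: dict, now: float) -> dict:
    """Bump last_seen on an active session; refuse to revive an expired one.

    The persona field is deliberately left untouched: a changed binding
    only applies once the user starts a new session.
    """
    state = session_state(session["created_at"], session["last_seen"], now)
    if state != "active":
        raise PermissionError(f"session {state}; re-authentication required")
    return dict(session, last_seen=now)
```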

Best practice

Use OIDC + SCIM for production. Reserve native auth for break-glass administrators only. Bind every group to exactly one persona to keep the policy graph readable.