Identity & Authentication

Struktural centralizes authentication using standard Single Sign-On (SSO) protocols. Global identity configuration applies to all tenants running on the server, while role-mapping is handled locally per tenant.

Global Provider Configuration

Authentication providers are defined in appsettings.json (or Azure App Configuration) under the StrukturalSecurity:Providers section. This configuration is global: every tenant on the server authenticates against the providers listed here.

"StrukturalSecurity": {
  "Providers": [
    {
      "Provider": "EntraID",
      "ClientId": "your-client-id",
      "TenantId": "your-tenant-id",
      "ClientSecretEncrypted": "..." 
    }
  ],
  "SuperAdmins": [
    "admin@yourdomain.com"
  ]
}

Supported Providers:

Super Administrators

Users whose sign-in email matches an entry in the SuperAdmins array bypass tenant-level Role-Based Access Control (RBAC) entirely and have full control over the platform, including the ability to provision new tenants, access the Studio, and delete applications. Because the list is global, an entry here grants that control in every tenant on the server, so it should be limited to the few accounts that actually need it.

Just-In-Time (JIT) Role Provisioning

When a user logs in via SSO, Struktural issues a session token (a JWT or cookie) containing their email and the groups reported by the identity provider (for Entra ID, the group Object IDs).

When the user attempts to access a specific Tenant application, the platform intercepts the request and inspects the tenant's Struktural_Sys_Role table.

  1. If one of the user's incoming group claims matches the EntraIdGroup field on a local Role, the user is granted that Role's permissions.
  2. If the user does not yet exist in the tenant's Struktural_Sys_User table, a profile is created automatically (Just-In-Time) and linked to the matched Role.
  3. If no group matches, the user is assigned the default Guest role, or is rejected entirely, depending on the tenant's configuration.
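The following C# sketch walks through the SuperAdmin bypass and the three JIT steps above end to end. It is an added illustration, not Struktural's own code: the SsoPrincipal, SysRole and SysUser types, the in-memory lists standing in for the Struktural_Sys_Role and Struktural_Sys_User tables, the UnmatchedPolicy enum and the group Object IDs in the sample data are all assumptions. Two behaviours the page does not specify are chosen here and marked as such in the comments: when several groups match, the first Role in table order wins, and the stored RoleId is refreshed on every login so that a group removal in Entra ID takes effect at the next sign-in.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Claims carried by the SSO-issued token: email plus the Entra ID group Object IDs.
public sealed record SsoPrincipal(string Email, IReadOnlyList<string> EntraIdGroups);

// One row of the tenant's role table (hypothetical shape of Struktural_Sys_Role).
public sealed record SysRole(int RoleId, string Name, string? EntraIdGroup);

// One row of the tenant's user table (hypothetical shape of Struktural_Sys_User).
public sealed class SysUser
{
    public string Email { get; init; } = "";
    public int RoleId { get; set; }
}

// Per-tenant choice for unmatched users (assumed name; the page says this is configurable).
public enum UnmatchedPolicy { AssignGuest, Reject }

public sealed class AccessDeniedException : Exception
{
    public AccessDeniedException(string message) : base(message) { }
}

public sealed class TenantAccessResolver
{
    private readonly HashSet<string> _superAdmins;
    private readonly List<SysRole> _roles;
    private readonly Dictionary<string, SysUser> _users;
    private readonly UnmatchedPolicy _policy;

    public TenantAccessResolver(IEnumerable<string> superAdmins, IEnumerable<SysRole> roles,
                                IEnumerable<SysUser> users, UnmatchedPolicy policy)
    {
        // Emails are compared case-insensitively; group Object IDs are compared exactly.
        _superAdmins = new HashSet<string>(superAdmins, StringComparer.OrdinalIgnoreCase);
        _roles = roles.ToList();
        _users = users.ToDictionary(u => u.Email, u => u, StringComparer.OrdinalIgnoreCase);
        _policy = policy;
    }

    // Returns the name of the effective role for this tenant, creating the user row
    // on first sight and throwing AccessDeniedException under the Reject policy.
    public string Resolve(SsoPrincipal principal)
    {
        // Global SuperAdmins bypass tenant RBAC; no local user row is consulted.
        if (_superAdmins.Contains(principal.Email))
            return "SuperAdmin";

        // Step 1: match an incoming group claim against Role.EntraIdGroup.
        // Assumption: first Role in table order wins when several groups match.
        var claims = new HashSet<string>(principal.EntraIdGroups, StringComparer.Ordinal);
        var matched = _roles.FirstOrDefault(r => r.EntraIdGroup != null && claims.Contains(r.EntraIdGroup));

        // Step 3: nothing matched, so fall back to Guest or reject, per tenant policy.
        if (matched == null)
        {
            if (_policy == UnmatchedPolicy.Reject)
                throw new AccessDeniedException($"{principal.Email}: no group maps to a role in this tenant");
            matched = _roles.Single(r => r.Name == "Guest");
        }

        // Step 2: JIT-create the profile linked to the matched Role. Assumption: on later
        // logins the RoleId is re-synced so a group removed in Entra ID stops granting access.
        if (_users.TryGetValue(principal.Email, out var user))
            user.RoleId = matched.RoleId;
        else
            _users[principal.Email] = new SysUser { Email = principal.Email, RoleId = matched.RoleId };

        return matched.Name;
    }

    public bool HasUser(string email) => _users.ContainsKey(email);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data; the Object IDs below are placeholders, not real groups.
        var roles = new[]
        {
            new SysRole(1, "Admin",  "11111111-1111-1111-1111-111111111111"),
            new SysRole(2, "Editor", "22222222-2222-2222-2222-222222222222"),
            new SysRole(3, "Guest",  null),
        };
        var resolver = new TenantAccessResolver(
            superAdmins: new[] { "admin@yourdomain.com" },
            roles: roles, users: Array.Empty<SysUser>(), policy: UnmatchedPolicy.AssignGuest);

        Console.WriteLine(resolver.Resolve(new SsoPrincipal("alice@yourdomain.com",
            new[] { "22222222-2222-2222-2222-222222222222" })));   // Editor, user row created
        Console.WriteLine(resolver.HasUser("alice@yourdomain.com"));  // True
        Console.WriteLine(resolver.Resolve(new SsoPrincipal("bob@yourdomain.com",
            new[] { "99999999-9999-9999-9999-999999999999" })));   // Guest (no group matched)
        Console.WriteLine(resolver.Resolve(new SsoPrincipal("admin@yourdomain.com",
            Array.Empty<string>())));                               // SuperAdmin, RBAC bypassed
    }
}
```

Switching the policy to UnmatchedPolicy.Reject makes the second call throw instead of returning Guest. Note that the comparison is on group Object IDs rather than display names; a display-name match would let anyone who can create a similarly named group in a federated directory obtain the role.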