Identity & Authentication
Struktural centralizes authentication using standard Single Sign-On (SSO) protocols. Global identity configuration applies to all tenants running on the server, while role-mapping is handled locally per tenant.
Global Provider Configuration
Authentication is defined in the appsettings.json (or Azure App Configuration) under the StrukturalSecurity:Providers section.
    "StrukturalSecurity": {
      "Providers": [
        {
          "Provider": "EntraID",
          "ClientId": "your-client-id",
          "TenantId": "your-tenant-id",
          "ClientSecretEncrypted": "..."
        }
      ],
      "SuperAdmins": [
        "admin@yourdomain.com"
      ]
    }
Supported Providers:
- EntraID (Microsoft Azure AD)
- PingOne
- Google
Super Administrators
Users listed in the SuperAdmins array bypass standard tenant-level Role-Based Access Control (RBAC) and possess absolute control over the platform, including the ability to provision new tenants, access the Studio, and delete applications.
Just-In-Time (JIT) Role Provisioning
When a user logs in via SSO, Struktural issues a JWT/Cookie containing their email and their Identity Provider groups (e.g., Entra ID Object IDs).
When the user attempts to access a specific Tenant application, the platform intercepts the request and inspects the tenant's Struktural_Sys_Role table.
- If the user's incoming EntraIdGroup claim matches the EntraIdGroup field on a local Role, they are granted those permissions.
- If the user does not exist in the tenant's Struktural_Sys_User table, a profile is automatically created (Just-In-Time) linking them to the matched Role.
- If no groups match, the user is assigned the default Guest role (or rejected entirely based on tenant configuration).
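The following is an added model of the decision described above (super-admin bypass, group-to-role matching, JIT profile creation, Guest fallback or rejection); it is illustrative code, not Struktural's implementation. The Role and Tenant classes, the first-match ordering, case-insensitive object-ID comparison, and the group IDs are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed values; the real ones come from StrukturalSecurity:SuperAdmins
# and the tenant's Struktural_Sys_Role table.
SUPER_ADMINS = {"admin@yourdomain.com"}
EDITORS_GROUP = "11111111-1111-1111-1111-111111111111"  # constructed Entra object ID

@dataclass
class Role:
    name: str
    entra_id_group: Optional[str]  # the EntraIdGroup field on Struktural_Sys_Role

@dataclass
class Tenant:
    roles: list                      # rows of Struktural_Sys_Role, in table order
    users: dict = field(default_factory=dict)  # Struktural_Sys_User: email -> role
    reject_unmatched: bool = False   # tenant setting: reject instead of default Guest

def make_sample_tenant() -> Tenant:
    """Constructed tenant with one Editor role mapped to an IdP group."""
    return Tenant(roles=[Role("Editor", EDITORS_GROUP), Role("Guest", None)])

def resolve_role(claims: dict, tenant: Tenant) -> Optional[str]:
    """Return the role granted to this request, or None if access is rejected."""
    email = claims["email"].lower()
    if email in SUPER_ADMINS:
        return "SuperAdmin"  # bypasses tenant-level RBAC entirely
    groups = {g.lower() for g in claims.get("groups", [])}
    # Assumption: object IDs compare case-insensitively, and the first role in
    # table order whose EntraIdGroup appears in the token's groups wins.
    role = next((r.name for r in tenant.roles
                 if r.entra_id_group and r.entra_id_group.lower() in groups), None)
    if role is None:
        if tenant.reject_unmatched:
            return None          # no profile is created for rejected users
        role = "Guest"           # tenant-configured default
    # JIT: create the Struktural_Sys_User profile on first visit, linked to the role.
    tenant.users.setdefault(email, role)
    return role
```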