One login.
Every internal app.
simpliSSO is a centralized identity portal built on Authentik and federated with your Microsoft 365 / Azure AD tenant. Staff sign in once with their existing company email — and reach every internal application: web apps over OIDC, legacy ERPs over SAML2, hardware over LDAP.
The passport-control model
Azure AD is the government that issued the passport — it owns the identity. Authentik is the border officer that checks it and grants access to each specific room (application). Same passport, every door.
Identity Provider
The system that knows who you are. In simpliSSO, Authentik is the IdP, backed by Azure AD as the upstream source.
Service Provider
Any app that trusts the IdP to verify users. ERPs, A/R aging, document control, every internal tool.
OpenID Connect
Modern token-based login protocol. Used by all Tier 1 web apps. Tokens are JSON (JWT), signed by Authentik.
SAML 2.0
Older XML-based SSO protocol. Required for legacy ERPs like Infor M3 — Authentik speaks both at the same time.
LDAP outpost
A proxy Authentik deploys for systems that can't speak OIDC or SAML2 natively — printers, label hardware, legacy boxes.
Flow & Stage
A flow is a sequence of stages Authentik runs on login: enter password, verify OTP, link WhatsApp. Each step is configurable.
Policy
A Python rule that allows, denies, or modifies access. "Only Finance group can reach A/R Aging." Evaluated inside flows.
Property Mapping
A Python expression that shapes the token. Used to embed ERP claims — M3 company, division, roles — directly into the JWT.
Works with whatever IdP you already have
Azure AD is shown in the architecture below — but Authentik federates with any standards-compliant identity source. Swap or stack providers without changing your apps.
Microsoft 365 / Azure AD
The setup shown in this architecture. Staff use existing MS365 credentials and MFA flows from Conditional Access pass straight through.
Google Workspace
Same pattern, swap the upstream. Staff sign in with their workspace.google.com account and Authentik issues the downstream tokens.
Okta
Common when consolidating off another SSO. Authentik can ride on top while you migrate apps one at a time — no big-bang cutover.
On-prem LDAP / Active Directory
For air-gapped or strictly on-prem sites. Authentik binds to your existing AD or OpenLDAP directory — no cloud trip required.
Generic OIDC
Any provider that publishes a .well-known/openid-configuration URL — Keycloak, Auth0, Cognito, GitLab, your own.
Generic SAML 2.0
Any IdP that publishes a SAML metadata XML — ADFS, Shibboleth, OneLogin, internal IdPs. Authentik consumes the metadata and federates.
Same pattern for all of them — Authentik handles the federation, your apps never see the upstream change. You can also stack multiple sources in one flow (e.g., MS365 for staff + LDAP for contractors).
One IdP, every protocol, every tier
Azure AD is the source of truth. Authentik is the single SSO hub. Every internal app — modern, legacy, or hardware — connects through one of three protocols.
Authentik
IdP · Open-sourceThe single SSO gatekeeper. Self-hosted on your infrastructure, never stores passwords — it federates upstream to Azure AD and issues tokens downstream to every app.
- OIDC, SAML2, and LDAP providers in one stack
- Custom Python policies, stages, and mappings
- Blueprint YAML — full config-as-code
- Docker Compose deployment, 4 vCPU / 8 GB
Microsoft 365 / Azure AD
Source of truthYour existing Microsoft tenant remains the authoritative directory. Staff sign in with the same company email and password they already use for Office 365 — no new accounts to manage.
- Federation via Azure Enterprise App registration
- MFA pass-through from Conditional Access
- SCIM push — instant provisioning & deprovisioning
- UPN, groups, department, display name mapping
Custom Python layer
Yours · IP-ownedAll custom logic runs inside Authentik as expression policies, property mappings, and Django stages. No external services. All Python code becomes your IP on final payment.
- JWT claim shaping for ERP roles (M3, A/R)
- Step-up MFA expression policy
- WhatsApp & 3CX linking stages
- FastAPI tile launcher for the app portal
Web apps · OIDC / SAML2
All modern internal apps over OIDC. Legacy ERPs over SAML2. Tokens carry custom claims so apps read roles directly — no separate permission database.
Comms · Custom linking
Per-user account linking stages bind each staff member's WhatsApp number and 3CX extension to their Azure AD account on first login. Portal tiles deep-link to the right conversation.
Hardware · LDAP
Printers, label hardware, and legacy boxes that cannot speak OIDC or SAML2 authenticate against the LDAP outpost. Robot systems connect via portal deep link only.
What talks to what
Staff hit the portal · Authentik checks session and federates to Azure AD · tokens flow downstream to every tier via the right protocol.
(JWT claims)"]:::ak MFA["Step-up MFA policy"]:::ak end subgraph AZ["Microsoft 365"] AAD["Azure AD"]:::azure M365["Office 365"]:::azure end T1["Tier 1 — Web apps
OIDC + SAML2"]:::tier1 T2["Tier 2 — Comms
WhatsApp · 3CX"]:::tier2 T3["Tier 3 — Hardware
Kyocera · Print Label"]:::tier3 STAFF -->|browse| PORTAL PORTAL -->|redirect| FLOW FLOW <-->|federate| AAD FLOW --> MFA FLOW --> OIDC FLOW --> SAML OIDC --> MAP MAP -->|JWT + claims| T1 SAML -->|assertion| T1 LDAP -->|bind| T3 PORTAL -->|deep link| T2 AAD --- M365
What staff actually experience
Three flows cover 99% of daily use: the first login of the day, returning to another app, and the additional MFA challenge on sensitive systems.
Scenario A — first login of the day. Staff opens the portal, signs in once via Azure AD, and the portal personalizes the app tile grid based on their group memberships.
(group check, step-up MFA?) Authentik-->>Staff: Set session cookie Authentik-->>Portal: User profile + tile list Portal-->>Staff: Personalized app portal Staff->>App: Click tile App->>Authentik: /authorize (session found) Authentik->>App: OIDC token + claims App-->>Staff: Grant access ✓
Scenario B — returning user. Same staff member, same browser, different app. The session cookie carries them straight through — zero prompts, zero passwords re-entered.
No login needed Authentik->>App: OIDC token + claims App-->>Staff: Grant access ✓ (zero prompts)
Scenario C — step-up MFA. When the same user opens a sensitive system (IT Services admin, finance apps), Authentik triggers an extra MFA challenge if the last verification was more than 30 minutes ago.
Policy: SENSITIVE_APPS + last_mfa > 30 min Authentik-->>Staff: MFA challenge Staff->>MFA: Open authenticator MFA-->>Staff: One-time code Staff->>Authentik: Submit OTP Note over Authentik: OTP valid
Update last_mfa_time Authentik->>App: Token + elevated claims App-->>Staff: Grant access ✓
Scenario D — SCIM provisioning. IT creates or deactivates a staff account once in Azure AD. SCIM pushes the change to Authentik and every connected app reflects it instantly — no per-app setup, no manual cleanup on resignation.
Set app access policies Authentik-->>Apps: Visible in all authorized apps Note over Admin: No manual per-app setup Admin->>AzureAD: Deactivate (resignation) AzureAD->>Authentik: SCIM push → deactivate Note over Authentik: Invalidate active sessions Authentik-->>Apps: Access revoked instantly
12 independently scoped modules
Each module is priced and delivered independently. Add or remove before signing with proportional price adjustment. Infrastructure (F-01, F-02) and Core SSO (F-03) are mandatory — the rest can be phased.
MS365 / Azure AD federation
Azure as upstream IdP. All 24 services inherit MS365 login, MFA, and conditional access. Staff use existing company credentials.
Authentik install & hardening
Self-hosted Docker Compose production stack: PostgreSQL, Redis, Nginx SSL, backups, admin portal, branding.
24-service application config
Register all 24 services as OIDC or SAML2 Applications. Group-based access policies. Blueprint YAML config-as-code.
JWT claims — ERP role mapping
Python property mappings embed company code, division, and M3 roles into the token. Apps read roles directly — no separate permission DB.
Step-up MFA policy
Expression policy enforces an extra MFA challenge when accessing designated sensitive systems. ~20 lines of Python.
App portal — tile launcher API
FastAPI endpoint renders only the apps each user is authorized to see. Tile icons + Thai/English labels + deep links.
WhatsApp account linking
Custom Django stage links each staff member's WhatsApp number to their AD account on first login. Portal tile deep-links to the right conversation.
3CX extension linking
Maps each staff member's 3CX extension to their AD account. Portal tile launches the web client pre-authenticated to the right extension.
Infor M3 SAML2 workaround
Custom property mappings bridge Authentik's modern SAML2 output to M3's non-standard attribute names and NameID requirements.
Thai language UI customization
CSS + JS injection localizes login, MFA prompts, error messages, and password reset into Thai. Includes branding on every auth screen.
Testing, QA & user acceptance
End-to-end testing across all 24 services. Edge cases: token expiry, MFA failures, session conflicts, SAML mismatches, LDAP connectivity. 2-hour UAT.
Documentation & knowledge transfer
Architecture diagrams, admin runbook, onboarding/offboarding guides, troubleshooting — Thai and English. 2-hour live handover session.
Hardware (Kyocera Print, Print Label, WCS Robot) is client-provided and excluded from scope. Portal deep links to hardware systems are included where technically possible.
Drop SSO into your existing apps
Every app needs three things: redirect to Authentik, handle the callback, validate the session. The pattern is identical across frameworks — only the library differs. Four env vars per app, no homegrown auth code.
Every Authentik OIDC provider auto-publishes a discovery document. New apps only need a client_id and client_secret — URLs, signing algorithms, and supported scopes are fetched from this single endpoint.
GET https://sso.example.com/application/o/<app-slug>/.well-known/openid-configuration
# pip install authlib fastapi itsdangerous
from fastapi import FastAPI, Request, Depends, HTTPException
from fastapi.responses import RedirectResponse
from authlib.integrations.starlette_client import OAuth
from starlette.middleware.sessions import SessionMiddleware
import os
app = FastAPI()
app.add_middleware(SessionMiddleware, secret_key=os.environ["SESSION_SECRET"])
oauth = OAuth()
oauth.register(
name="authentik",
client_id=os.environ["OIDC_CLIENT_ID"],
client_secret=os.environ["OIDC_CLIENT_SECRET"],
server_metadata_url=os.environ["OIDC_ISSUER_URL"] + ".well-known/openid-configuration",
client_kwargs={"scope": "openid email profile groups"},
)
@app.get("/login")
async def login(request: Request):
return await oauth.authentik.authorize_redirect(
request, request.url_for("auth_callback"))
@app.get("/auth/callback")
async def auth_callback(request: Request):
token = await oauth.authentik.authorize_access_token(request)
user = token["userinfo"]
request.session["user"] = {
"sub": user["sub"],
"email": user["email"],
"groups": user.get("groups", []),
# Custom ERP claims from F-05
"m3_roles": user.get("m3_roles", []),
"ar_access_level": user.get("ar_access_level", "none"),
}
return RedirectResponse(url="/")
async def require_auth(request: Request) -> dict:
user = request.session.get("user")
if not user:
raise HTTPException(status_code=401)
return user
@app.get("/dashboard")
async def dashboard(user: dict = Depends(require_auth)):
return {"hello": user["email"], "groups": user["groups"]}
# pip install mozilla-django-oidc
# settings.py
INSTALLED_APPS += ["mozilla_django_oidc"]
AUTHENTICATION_BACKENDS = ["myapp.auth.AuthtikBackend"]
OIDC_RP_CLIENT_ID = os.environ["OIDC_CLIENT_ID"]
OIDC_RP_CLIENT_SECRET = os.environ["OIDC_CLIENT_SECRET"]
OIDC_RP_SIGN_ALGO = "RS256"
OIDC_OP_JWKS_ENDPOINT = ISSUER + "jwks/"
OIDC_OP_AUTHORIZATION_ENDPOINT = ISSUER + "authorize/"
OIDC_OP_TOKEN_ENDPOINT = ISSUER + "token/"
OIDC_OP_USER_ENDPOINT = ISSUER + "userinfo/"
OIDC_RP_SCOPES = "openid email profile groups"
LOGIN_URL = "/oidc/authenticate/"
LOGIN_REDIRECT_URL = "/"
# urls.py
urlpatterns = [path("oidc/", include("mozilla_django_oidc.urls")), ...]
# auth.py — sync AD groups + custom ERP claims to local user
from mozilla_django_oidc.auth import OIDCAuthenticationBackend
from django.contrib.auth.models import Group
class AuthtikBackend(OIDCAuthenticationBackend):
def update_user(self, user, claims):
user.groups.clear()
for name in claims.get("groups", []):
group, _ = Group.objects.get_or_create(name=name)
user.groups.add(group)
profile = user.profile
profile.m3_roles = claims.get("m3_roles", [])
profile.ar_access_level = claims.get("ar_access_level", "none")
profile.save()
return super().update_user(user, claims)
# views.py
from django.contrib.auth.decorators import login_required
@login_required
def dashboard(request):
return render(request, "dashboard.html", {"user": request.user})
// npm install openid-client express-session
const { Issuer, generators } = require("openid-client");
const session = require("express-session");
let client;
async function initOIDC() {
const issuer = await Issuer.discover(process.env.OIDC_ISSUER_URL);
client = new issuer.Client({
client_id: process.env.OIDC_CLIENT_ID,
client_secret: process.env.OIDC_CLIENT_SECRET,
redirect_uris: ["https://yourapp.example.com/auth/callback"],
response_types: ["code"],
});
}
function requireAuth(req, res, next) {
if (!req.session.user) return res.redirect("/login");
next();
}
app.get("/login", (req, res) => {
req.session.state = generators.state();
req.session.nonce = generators.nonce();
res.redirect(client.authorizationUrl({
scope: "openid email profile groups",
state: req.session.state,
nonce: req.session.nonce,
}));
});
app.get("/auth/callback", async (req, res) => {
const params = client.callbackParams(req);
const tokenSet = await client.callback(
"https://yourapp.example.com/auth/callback", params,
{ state: req.session.state, nonce: req.session.nonce }
);
const claims = tokenSet.claims();
req.session.user = {
sub: claims.sub,
email: claims.email,
groups: claims.groups || [],
// Custom ERP claims from F-05
m3Roles: claims.m3_roles || [],
arAccessLevel: claims.ar_access_level || "none",
};
res.redirect("/");
});
app.get("/dashboard", requireAuth, (req, res) => res.json(req.session.user));
// composer require league/oauth2-client
<?php
use League\OAuth2\Client\Provider\GenericProvider;
session_start();
$issuer = getenv("OIDC_ISSUER_URL");
$provider = new GenericProvider([
"clientId" => getenv("OIDC_CLIENT_ID"),
"clientSecret" => getenv("OIDC_CLIENT_SECRET"),
"redirectUri" => "https://yourapp.example.com/callback.php",
"urlAuthorize" => $issuer . "authorize/",
"urlAccessToken" => $issuer . "token/",
"urlResourceOwnerDetails" => $issuer . "userinfo/",
"scopes" => "openid email profile groups",
]);
// login.php — start the dance
if (!isset($_GET["code"])) {
$_SESSION["oauth2state"] = $provider->getState();
header("Location: " . $provider->getAuthorizationUrl());
exit;
}
// callback.php — exchange code for token
if ($_GET["state"] !== $_SESSION["oauth2state"]) exit("CSRF");
$token = $provider->getAccessToken("authorization_code", ["code" => $_GET["code"]]);
$user = $provider->getResourceOwner($token)->toArray();
$_SESSION["user"] = [
"sub" => $user["sub"],
"email" => $user["email"],
"groups" => $user["groups"] ?? [],
// Custom ERP claims from F-05
"m3_roles" => $user["m3_roles"] ?? [],
"ar_access_level" => $user["ar_access_level"] ?? "none",
];
header("Location: /index.php");
That's the whole contract between your app and simpliSSO. Vendor provides the client_id / client_secret pair after Authentik setup; you generate a random session secret; the issuer URL stays constant across all apps.
# .env — never commit to source control
OIDC_CLIENT_ID = "your-app-client-id"
OIDC_CLIENT_SECRET = "your-app-client-secret"
SESSION_SECRET = "random-256-bit-string"
OIDC_ISSUER_URL = "https://sso.example.com/application/o/<app-slug>/"
Scope the full 24-service stack
12 independently scoped modules. Add or remove any before signing for a proportional adjustment. Mandatory baseline is Infrastructure + Core SSO (F-01 · F-02 · F-03). Pricing is quoted per deployment — talk to us for a fixed-price proposal.
Payment is tied to verified deliverables, not calendar dates.
10 weeks from kickoff to go-live
Phased rollout — federation and core SSO first, then custom integrations, with testing and handover compressed at the end.
Infrastructure
Authentik install, MS365 federation, SSL termination, admin portal configuration.
Core SSO
All 24 apps configured as OIDC or SAML2 Applications in Authentik. Group-based access policies.
ERP & security
Custom JWT claims, step-up MFA policy, Infor M3 SAML2 workaround.
UI
Thai language CSS, company branding on all auth screens, mobile responsive verification.
Custom integrations
App portal tile API, WhatsApp account linking, 3CX extension linking.
Testing & handover
End-to-end QA, user acceptance session, documentation, go-live.
Monthly support — month-to-month, no lock-in
Optional after go-live. 30-day written notice to cancel. Pick the tier that matches your operational tempo.
- Bug fixes
- User provisioning support
- Minor config changes
- Everything in Basic
- Minor feature additions
- Monthly health check
- Everything in Standard
- New integrations (up to 2 / month)
- Priority escalation
Why we built simpliSSO
The identity debt, audit pain, and access-sprawl risks that drove this product — written up on Simplico's blog.
The Security Risk Sitting Quietly in Your Engineering Org
Most engineering orgs lack centralized identity management, leaving them exposed to access sprawl and audit failures. A platform-grade SSO layer kills this identity debt — and lifts security posture, dev productivity, and enterprise sales velocity along with it.
Your Staff Have 24 Passwords. Your Business Has 24 Attack Surfaces.
Authentication scattered across dozens of fragmented systems means ghost accounts, offboarding gaps, and silent breach paths. SSO with a centralized IdP collapses 24 attack surfaces into one — and gives you a single switch to flip when someone leaves.
Ready to consolidate your logins?
Tell us how many apps, which protocols, and whether you're on MS365 or another upstream IdP. We'll scope a fixed-price proposal in a single call.