Authentication
MazeVault Authentication Methods and SSO Integration
Document Version: 1.0.0
Last Updated: 2026-02-10
1. Supported Authentication Methods
MazeVault supports multiple authentication methods to integrate with enterprise identity infrastructure:
| Method | Protocol | Use Case | License Tier |
|---|---|---|---|
| Local Authentication | SRP (Secure Remote Password) | Standalone deployments | All |
| LDAP / Active Directory | LDAP v3 | On-premise directory integration | Enterprise+ |
| Azure Entra ID | OpenID Connect | Azure/Microsoft 365 environments | Enterprise+ |
| GitHub SSO | OAuth 2.0 | Development teams | Enterprise+ |
| GitLab SSO | OAuth 2.0 | Development teams | Enterprise+ |
| SAML 2.0 | SAML | Enterprise identity federations | Custom |
| OAuth 2.0 Client Credentials | OAuth 2.0 | Service-to-service (API) | All |
| Universal Auth | API Key | CLI tools, automation scripts | All |
| MazeVault Agent Auth | mTLS + Bootstrap Token | Agent-to-server communication | All |
| API Token | Bearer Token | Programmatic API access | All |
2. Local Authentication (SRP)
MazeVault uses the Secure Remote Password (SRP) protocol for local authentication, providing a zero-knowledge password proof:
- The server never receives or stores the user's plaintext password; it stores only a salt and a password verifier
- Authentication is performed through a cryptographic challenge-response exchange in which both sides prove knowledge of the same session key
- Resistant to eavesdropping and man-in-the-middle attacks; a compromised server yields only verifiers, not passwords
Authentication Flow

```mermaid
sequenceDiagram
    participant U as 🧑💻 User
    participant C as 🌐 Client (Browser)
    participant S as 🖥️ MazeVault API
    rect rgb(235, 245, 251)
        Note over U,C: Credential Entry
        U->>C: Enter credentials
    end
    rect rgb(232, 245, 233)
        Note over C,S: SRP Key Exchange
        C->>S: POST /auth/srp/init (username)
        S-->>C: Salt + Server Public Key (B)
        C->>C: Compute Client Public Key (A) + Proof (M1)
        C->>S: POST /auth/srp/verify (A, M1)
    end
    rect rgb(255, 248, 225)
        Note over C,S: Mutual Verification
        S->>S: Verify M1, compute M2
        S-->>C: Server Proof (M2) + JWT Token
        C->>C: Verify M2
    end
    Note over C,S: ✅ Mutual authentication complete
```
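The init/verify exchange from the diagram, worked through as an added SRP-6a example in Python (not MazeVault's own code): the message names follow the diagram, while the hash (SHA-256 rather than RFC 5054's SHA-1), the RFC 5054 1024-bit group and the `username:password` input format are assumptions, and the JWT issued after M2 is omitted.

```python
import hashlib
import secrets

# RFC 5054 1024-bit group (transcribed from the RFC; check it against the RFC before reuse).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, as an integer (assumed hash choice)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier

def private_x(username: str, password: str, salt: bytes) -> int:
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def register(username: str, password: str):
    """Enrolment: the client derives the verifier v; the server stores only (salt, v)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def srp_login(username: str, password: str, salt: bytes, v: int) -> bool:
    """Run the init/verify round trip; True only if both proofs M1 and M2 check out."""
    b = secrets.randbelow(N - 1) + 1                      # server: POST /auth/srp/init
    B = (k * v + pow(g, b, N)) % N                        # server -> client: salt, B
    a = secrets.randbelow(N - 1) + 1                      # client
    A = pow(g, a, N)
    if A % N == 0 or B % N == 0:                          # both sides abort on degenerate values
        return False
    u = H(pad(A), pad(B))
    x = private_x(username, password, salt)               # client knows the password ...
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()   # client -> server: A, M1
    S_server = pow(A * pow(v, u, N), b, N)                # ... the server only knows v
    K_server = hashlib.sha256(pad(S_server)).digest()
    if not secrets.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K_server).digest()):
        return False                                      # wrong password: no M2, no JWT
    M2 = hashlib.sha256(pad(A) + M1 + K_server).digest()  # server -> client: M2 (+ JWT)
    return secrets.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K_client).digest())
```

The password never leaves the client: the server side of `srp_login` touches only `v`, `b` and the received `A`/`M1`, which is the property the bullet list above describes.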
3. SSO Integration
Azure Entra ID (OpenID Connect)
Configuration parameters required from your Azure tenant:
| Parameter | Description |
|---|---|
| Tenant ID | Azure AD tenant identifier |
| Client ID | Application registration client ID |
| Client Secret | Application registration secret |
| Redirect URI | Callback URL configured in MazeVault |
Supported features:
- Single Sign-On and Single Log-Out
- Automatic user provisioning on first login
- Group-to-role mapping
- Conditional access policy compatibility
LDAP / Active Directory
| Parameter | Description |
|---|---|
| Server URL | LDAP server address (ldaps:// recommended) |
| Bind DN | Service account distinguished name |
| Search Base | User search base DN |
| User Filter | LDAP filter for user lookup |
| Group Search Base | Group search base DN (optional) |
| TLS | Required for production (LDAPS or StartTLS) |
4. Multi-Factor Authentication (MFA)
MazeVault supports TOTP-based multi-factor authentication:
- Compatible with Google Authenticator, Microsoft Authenticator, Authy, and other TOTP applications
- QR code-based enrollment
- Recovery codes for backup access
- MFA can be enforced at the organization level (all users) or per-role
MFA Enforcement Matrix
| Configuration | Description |
|---|---|
| Disabled | MFA optional for all users |
| Optional | Users can self-enable MFA |
| Required for Admins | Mandatory for administrator roles |
| Required for All | Mandatory for all users |
5. Session Management
| Parameter | Default | Configurable |
|---|---|---|
| Session Duration | 24 hours | ✅ |
| Idle Timeout | 30 minutes | ✅ |
| Max Concurrent Sessions | Unlimited | ✅ |
| Session Storage | Redis (encrypted) | — |
| Cookie Security | Secure; HttpOnly; SameSite=Strict | — |
Token Structure
MazeVault uses JWT (JSON Web Tokens) for authenticated session management:
- Algorithm: RS256 (RSA with SHA-256)
- Token Lifetime: Configurable (default 24 hours)
- Refresh: Automatic token refresh before expiration
- Revocation: Immediate revocation via Redis-backed blocklist
- Claims: User ID, organization, roles, permissions, project access
6. API Authentication
OAuth 2.0 Client Credentials
For service-to-service integrations:

```http
POST /api/v1/auth/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<your-client-id>
&client_secret=<your-client-secret>
```
Universal Auth (API Key)
For CLI tools and automation:

```http
POST /api/v1/auth/universal
Content-Type: application/json

{
  "client_id": "<your-client-id>",
  "client_secret": "<your-client-secret>"
}
```
Bearer Token Usage
All authenticated API requests use the obtained token:
7. Agent Authentication
MazeVault Agents use a bootstrap-then-certificate authentication flow:

```mermaid
sequenceDiagram
    participant A as 🤖 Agent
    participant S as 🖥️ MazeVault API
    rect rgb(235, 245, 251)
        Note over A,S: 🔑 Initial Registration
        A->>S: POST /agents/register (bootstrap_token)
        S-->>A: Agent ID + Client Certificate
    end
    rect rgb(232, 245, 233)
        Note over A,S: 🔒 Ongoing Communication (mTLS)
        A->>S: mTLS connection (client cert)
        S->>S: Validate cert + extract agent ID
        S-->>A: Authorized response
    end
```
Related
- Security Overview — Security architecture
- Encryption — Cryptographic standards
- API Getting Started — API authentication examples