Identity is the gate between Phase 1 (anonymous observation) and Phase 2 (identity-aware shadow mode) on the maturity model. Without a verified user_id on every tool call, policy cannot run. Inviolet supports Okta, Azure AD (Entra ID), and Auth0 via OIDC.

Why it matters

Once an IdP is connected, every intent event carries a verified user_id. Per-user intent profiles can be built, anomaly detection can fire on identity-based outliers, and policies can match on group membership instead of static rules.

1. Pick your IdP path

# Okta admin console → Applications → Create OIDC web app
# Set login redirect URI: https://app.inviolet.ai/api/auth/callback/okta
# Note: Client ID, Client Secret, Issuer URL

2. Wire it up in Inviolet

App dashboard → Settings → Identity Provider. Pick the provider and paste the credentials from step 1. Inviolet performs a discovery round-trip against the issuer, lists the scopes it advertises, and asks you to confirm the openid, email, profile and groups scopes.

3. Map groups to roles (optional)

If your IdP exposes groups (engineering, support-tier-1, etc.), map them to Inviolet roles. Group claims flow into the user_groups field on every intent event and become available to the policy match rules covered in Define your purpose policies.

4. Verify

Sign out, sign back in via the IdP. The decision feed at app.inviolet.ai/decision-feed should now show a user_id on every event instead of anonymous.
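As an added illustration (not Inviolet's own code) of what "verified" means in step 4: the claim checks an OIDC relying party performs before trusting a token's subject as user_id, plus the group-to-role mapping from step 3. The issuer, client ID, group names and helper names are constructed assumptions, and the JWT signature is assumed to be verified separately against the issuer's JWKS.

```python
# Added illustration (not Inviolet's code): the claim checks an OIDC
# relying party applies to an ID token before trusting its subject as a
# verified user_id, plus the group -> role mapping from step 3. Assumes the
# JWT signature was already verified against the issuer's JWKS by a JOSE library.
import time

ISSUER = "https://example.okta.com/oauth2/default"  # constructed Issuer URL (step 1)
CLIENT_ID = "0oa-example-client-id"                 # constructed Client ID (step 1)

# Constructed group -> role mapping (step 3); groups without a mapping carry no role.
GROUP_TO_ROLE = {"engineering": "engineer", "support-tier-1": "support"}

def validate_claims(claims, now=None, expected_nonce=None):
    """Return (ok, reason). Reject the wrong issuer or audience, expired
    tokens, nonce mismatches and a missing subject."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if not claims.get("sub"):
        return False, "missing subject"
    return True, "ok"

def to_intent_identity(claims, now=None):
    """Hypothetical helper: build the identity fields an intent event carries,
    user_id from sub and user_groups from the groups claim, plus mapped roles.
    Anything that fails validation stays anonymous rather than half-trusted."""
    ok, reason = validate_claims(claims, now)
    if not ok:
        return {"user_id": "anonymous", "user_groups": [], "roles": [], "reason": reason}
    groups = [g for g in claims.get("groups", []) if isinstance(g, str)]
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return {"user_id": claims["sub"], "user_groups": groups, "roles": roles, "reason": reason}

# Constructed sample claims, as decoded after signature verification.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "00u-example-user",
    "exp": 2_000_000_000, "email": "dev@example.com",
    "groups": ["engineering", "everyone"],
}

if __name__ == "__main__":
    print(to_intent_identity(SAMPLE_CLAIMS, now=1_900_000_000))
```

A token that fails any check is reported as anonymous, which is exactly the value step 4 tells you should no longer appear in the decision feed once the IdP is wired up.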