Federated Auth

LIT Platform supports enterprise identity through Keycloak — an open-source identity and access management platform with support for SAML, OpenID Connect, LDAP, and Active Directory.

Keycloak Integration

Self-hosted LIT deployments can connect to an existing Keycloak instance or run the bundled Keycloak configuration. Once connected, LIT delegates all authentication to Keycloak — users log in with their existing corporate identity, and LIT respects the roles and permissions defined there.

Supported Identity Providers

Through Keycloak, LIT supports federation with:

  • Active Directory / LDAP — existing corporate directories
  • SAML 2.0 — enterprise SSO providers (Okta, OneLogin, Ping Identity, etc.)
  • OpenID Connect — modern identity providers (Google Workspace, Azure AD, etc.)
  • Social providers — GitHub, Google, Microsoft (for smaller teams)

Role Mapping

Keycloak roles map to LIT permissions. A user's role in your identity provider determines what they can access in LIT — which channels they can join, which data they can reach, whether they can create team-wide skills or apps.
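A deny-by-default sketch of this kind of role-to-permission mapping, added here as an illustration and not taken from LIT's code. It reads roles from the `realm_access` and `resource_access` claims of a Keycloak access token; the role names, permission strings and client id are hypothetical, and the token's signature and expiry are assumed to have been verified before the claims reach this code.

```python
# Added example. Role names, permission strings and the client id are
# hypothetical; LIT's real mapping is not shown on this page.
ROLE_PERMISSIONS = {
    "lit-member": {"channel:join"},
    "lit-analyst": {"channel:join", "data:read"},
    "lit-admin": {"channel:join", "data:read", "skill:create-team", "app:create-team"},
}
CLIENT_ID = "lit-platform"  # hypothetical Keycloak client id


def _roles_in(section):
    """Return the string entries of section["roles"]; empty if malformed."""
    if not isinstance(section, dict) or not isinstance(section.get("roles"), list):
        return set()
    return {r for r in section["roles"] if isinstance(r, str)}


def roles_from_claims(claims, client_id=CLIENT_ID):
    """Collect realm roles and this client's roles from verified token claims."""
    if not isinstance(claims, dict):
        return set()
    roles = _roles_in(claims.get("realm_access"))
    resource = claims.get("resource_access")
    if isinstance(resource, dict):
        roles |= _roles_in(resource.get(client_id))
    return roles


def permissions_for(claims):
    """Union of permissions for known roles; unknown roles grant nothing."""
    perms = set()
    for role in roles_from_claims(claims):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(claims, permission):
    return permission in permissions_for(claims)


# Constructed sample claims (signature and expiry assumed checked upstream).
ANALYST = {
    "preferred_username": "avery",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {CLIENT_ID: {"roles": ["lit-analyst"]},
                        "account": {"roles": ["lit-admin"]}},  # other client: ignored
}
NO_LIT_ROLE = {"realm_access": {"roles": ["offline_access"]}}
MALFORMED = {"realm_access": {"roles": "lit-admin"}}  # string, not a list
```

Roles granted on a different client and roles the table does not list yield no permissions, so a misconfigured mapper in the identity provider fails closed.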

Why This Matters

For organizations with security and compliance requirements, federated auth means:

  • No separate credential management — users log in once with corporate credentials
  • Role changes propagate automatically — offboard a user in AD and they lose LIT access immediately
  • Audit logs tie agent actions to verified corporate identities
  • Meets SOC 2, HIPAA, and enterprise procurement requirements

Deployment

Federated auth is available on self-hosted deployments. See Security for the full self-hosted security configuration.