Teams & Workspaces

Identity & Access Management

riogentix includes a built-in Identity & Access Management (IAM) system that handles authentication, authorisation, and user provisioning for every workspace. No external IAM tooling is required — everything is configured directly from the riogentix admin UI.

Architecture

riogentix.com
    │
    ├── Workspace A (company-a.riogentix.com)
    │     ├── Users & Groups
    │     ├── Roles & Permissions
    │     └── Identity Providers (SAML, OIDC, LDAP)
    │
    ├── Workspace B (company-b.riogentix.com)
    │     └── ...
    │
    └── Organisation Admin (manages all workspaces)

Authentication Methods

MethodDescription
Email + PasswordDefault credential-based login
MFA (TOTP)Time-based one-time password via authenticator app
MFA (WebAuthn)Hardware security key or biometric (Touch ID, Face ID)
SSO (OIDC)Sign in with Okta, Microsoft Entra ID, Google Workspace, Auth0
SSO (SAML 2.0)Enterprise SAML federation with any compatible IdP
LDAP / Active DirectorySync users from on-premise directory

User Provisioning

Manual Invite

Admins invite users via email from Settings → Members → Invite Member.

SCIM Provisioning

Connect your identity provider (Okta, Azure AD, etc.) via SCIM to automatically provision and deprovision users:

  1. Settings → Identity Providers → SCIM
  2. Copy the SCIM Endpoint URL and Bearer Token
  3. Paste into your IdP's SCIM configuration
  4. Map IdP groups to riogentix roles

Once enabled, users created in your IdP appear in riogentix automatically, and deactivated IdP users are immediately blocked.

Just-In-Time (JIT) Provisioning

When SSO is configured, users who authenticate for the first time are auto-created in riogentix with a default role. Configure the default role at Settings → Identity Providers → [Provider] → Default Role for New Users.

Token & Session Management

SettingDefaultWhere to Configure
Access token lifetime15 minutesSettings → Security → Session
Refresh token lifetime7 daysSettings → Security → Session
Max concurrent sessionsUnlimitedSettings → Security → Session
Idle session timeout2 hoursSettings → Security → Session

Enable Force Re-authentication to require users to log in again before performing sensitive actions (credential changes, workflow deletion).

Audit Logging

Every authentication event is captured in Settings → Audit Log:

Audit logs are retained for 12 months and can be exported as CSV or streamed to a SIEM (Splunk, Datadog, AWS CloudWatch).

Security Policies

Configure workspace-wide security settings at Settings → Security: