Teams & Workspaces
Identity & Access Management
riogentix includes a built-in Identity & Access Management (IAM) system that handles authentication, authorisation, and user provisioning for every workspace. No external IAM tooling is required — everything is configured directly from the riogentix admin UI.
Architecture
riogentix.com
│
├── Workspace A (company-a.riogentix.com)
│ ├── Users & Groups
│ ├── Roles & Permissions
│ └── Identity Providers (SAML, OIDC, LDAP)
│
├── Workspace B (company-b.riogentix.com)
│ └── ...
│
└── Organisation Admin (manages all workspaces)
Authentication Methods
| Method | Description |
|---|---|
| Email + Password | Default credential-based login |
| MFA (TOTP) | Time-based one-time password via authenticator app |
| MFA (WebAuthn) | Hardware security key or biometric (Touch ID, Face ID) |
| SSO (OIDC) | Sign in with Okta, Microsoft Entra ID, Google Workspace, Auth0 |
| SSO (SAML 2.0) | Enterprise SAML federation with any compatible IdP |
| LDAP / Active Directory | Sync users from on-premise directory |
User Provisioning
Manual Invite
Admins invite users via email from Settings → Members → Invite Member.
SCIM Provisioning
Connect your identity provider (Okta, Azure AD, etc.) via SCIM to automatically provision and deprovision users:
- Settings → Identity Providers → SCIM
- Copy the SCIM Endpoint URL and Bearer Token
- Paste into your IdP's SCIM configuration
- Map IdP groups to riogentix roles
Once enabled, users created in your IdP appear in riogentix automatically, and deactivated IdP users are immediately blocked.
Just-In-Time (JIT) Provisioning
When SSO is configured, users who authenticate for the first time are auto-created in riogentix with a default role. Configure the default role at Settings → Identity Providers → [Provider] → Default Role for New Users.
Token & Session Management
| Setting | Default | Where to Configure |
|---|---|---|
| Access token lifetime | 15 minutes | Settings → Security → Session |
| Refresh token lifetime | 7 days | Settings → Security → Session |
| Max concurrent sessions | Unlimited | Settings → Security → Session |
| Idle session timeout | 2 hours | Settings → Security → Session |
Enable Force Re-authentication to require users to log in again before performing sensitive actions (credential changes, workflow deletion).
Audit Logging
Every authentication event is captured in Settings → Audit Log:
- Login success / failure (with IP address and device)
- Password reset requests
- MFA enrolment and device changes
- Role assignments and removals
- SSO configuration changes
Audit logs are retained for 12 months and can be exported as CSV or streamed to a SIEM (Splunk, Datadog, AWS CloudWatch).
Security Policies
Configure workspace-wide security settings at Settings → Security:
- Password Policy — minimum length, complexity, expiry, and history
- MFA Requirement — enforce MFA for all users or specific roles
- SSO Requirement — disable password login; require SSO only
- IP Allowlist — restrict login to approved CIDR ranges
- Session Binding — bind sessions to IP address to prevent token theft