Identity Providers. The keys to the kingdom — secured at the supply chain.
IDaaS, IAM, and SSO vendors carry blast radius like no other category. One breach cascades to every customer tenant. Safeguard ships the per-tenant isolation, signed library SBOMs, MCP-governed support tools, and 24-hour breach evidence pipeline the modern bar requires.
Industry pressures.
The keys-to-the-kingdom blast radius
An IdP breach is not a contained incident — it cascades to every customer tenant. Okta-class events made the threat visible to every CISO.
SAML/OIDC library KEV chains
A KEV CVE in a SAML or OIDC library affects every customer simultaneously. Patch latency is a customer-trust catastrophe in waiting.
Customer-trust pressure
Every enterprise customer expects SOC 2 Type II + 24-hour breach notification + transparent disclosure. The bar moved.
Support-tool credential surface
Support engineers with cross-tenant access are the highest-value lateral-movement target. Capability scoping is non-negotiable.
How Safeguard fits.
Per-tenant audit log isolation
Cross-tenant data spill is the existential risk. Architectural isolation, per-tenant signed audit logs, no shared model weights or training data.
Signed SAML/OIDC library SBOMs
Every release ships with a signed CycloneDX SBOM. Customers can verify the libraries in the binary they consume.
MCP-server governance for AI-SSO
If you ship AI-SSO assistants or admin copilots, the MCP-server inspects every tool call and Lion on the egress path catches sensitive-data leaks.
Sovereign + air-gapped option
Customers in regulated jurisdictions can run a dedicated Safeguard instance inside their own boundary — no cross-tenant exposure to your other customers.
Compliance alignment.
Reference architecture.
Per-tenant Postgres schema
Strong tenant isolation at the data layer. No shared schemas, no cross-tenant queries permitted.
Signed audit log per tenant
Every action emits a Sigstore-signed event scoped to the tenant. Streamed to the customer's SIEM in real time.
Capability-scoped support tools
Support engineers operate through an MCP-server boundary. Every cross-tenant action requires explicit approval and is logged.
Customer trust packet on demand
Per-tenant signed SBOM + provenance + recent audit log excerpt. One-click export for customer security teams.
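The two architecture points above, per-tenant signed audit events and capability-scoped support tools, combined in one added example. This is illustrative code written for this page, not Safeguard's implementation: it uses HMAC-SHA256 with a separate key per tenant as a stand-in for the Sigstore signatures described, and the tenant ids, keys, engineer names and events are constructed sample data. The point it makes that the prose does not: a verifier holds one tenant's key and rejects any event not signed for that tenant, so an event (or a support action) from another tenant cannot be passed off as belonging to it, and every cross-tenant support action is denied unless an explicit approval for exactly that tenant and action exists, with the decision itself landing in the affected tenant's signed log.

```python
"""Per-tenant signed audit events plus a capability-scoped support-tool gate.
Added example, not Safeguard's code. HMAC-SHA256 with a per-tenant key stands
in for the Sigstore signing the page describes; all data below is constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed per-tenant signing keys. In a real deployment each tenant's key
# lives in a KMS/HSM and is never shared across tenants.
TENANT_KEYS = {
    "tenant-a": b"constructed-key-for-tenant-a",
    "tenant-b": b"constructed-key-for-tenant-b",
}


def canonical(event):
    """Canonical JSON so signer and verifier MAC byte-identical input."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_event(tenant, action, actor, ts):
    """Emit an audit event scoped to one tenant, MACed with that tenant's key."""
    body = {"tenant": tenant, "action": action, "actor": actor, "ts": ts}
    sig = hmac.new(TENANT_KEYS[tenant], canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def verify_event(tenant, event):
    """Verify with the key of the tenant the verifier expects, not the tenant
    named inside the event. An event signed for another tenant, or one whose
    tenant field was rewritten, must fail: that is what per-tenant isolation
    of the audit log means in practice."""
    body = {k: v for k, v in event.items() if k != "sig"}
    if body.get("tenant") != tenant:
        return False
    expected = hmac.new(TENANT_KEYS[tenant], canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, event.get("sig", ""))


@dataclass
class SupportSession:
    """A support engineer's session, scoped to the tenant the ticket belongs to.
    Cross-tenant actions are permitted only via explicit (tenant, action) approvals."""
    engineer: str
    home_tenant: str
    approvals: set = field(default_factory=set)
    log: list = field(default_factory=list)


def support_tool_call(session, tenant, action, ts):
    """Gate a single tool call. In-tenant actions proceed; cross-tenant actions
    require an approval for exactly that (tenant, action). Allowed or denied,
    the decision is recorded as a signed event in the affected tenant's log."""
    cross_tenant = tenant != session.home_tenant
    allowed = (not cross_tenant) or ((tenant, action) in session.approvals)
    outcome = action if allowed else "DENIED:" + action
    event = sign_event(tenant, outcome, session.engineer, ts)
    session.log.append(event)
    return allowed, event


if __name__ == "__main__":
    ev = sign_event("tenant-a", "user.read", "alice@tenant-a", 1700000000)
    print("verifies for tenant-a:", verify_event("tenant-a", ev))
    print("verifies for tenant-b:", verify_event("tenant-b", ev))
    session = SupportSession(engineer="support-eng-1", home_tenant="tenant-a")
    print("cross-tenant without approval:", support_tool_call(session, "tenant-b", "session.list", 1)[0])
    session.approvals.add(("tenant-b", "session.list"))
    print("cross-tenant with approval:", support_tool_call(session, "tenant-b", "session.list", 2)[0])
```

Verifying against the expected tenant's key rather than trusting the `tenant` field in the event is the check that matters: a shared verification key, or a verifier that picks the key from the event itself, would let a spilled event from one tenant validate in another's stream.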
Where the risk lives today.
SSO-token library compromise
A library that signs or validates SSO tokens is the highest-value supply-chain target. KEV CVEs ripple across every customer tenant.
Support-tool cross-tenant spill
An engineer with overly-broad support access becomes a single-point-of-compromise pattern. Capability scoping cuts blast radius.
Session-cookie theft via dep vuln
Vulnerabilities in adjacent libraries (logging, telemetry, framework) can leak session material. The reachability path matters.
eIDAS 2.0 wallet integration vulns
The EU's eIDAS 2.0 wallet integrations open a new attack surface. Vendor SBOM scrutiny becomes critical.
Current threat landscape.
Okta-class support-tool compromise
Engineer-account or HAR-file exposure with cross-tenant impact.
SAML/OIDC library KEV chain
Critical CVE in saml2 / passport / openssl-saml-style lib affecting all tenants.
Session-cookie theft via dep vuln
Reachability into session-handling code via a transitive dep.
eIDAS 2.0 wallet integration vuln
Wallet-protocol library compromise pattern under emerging regulation.
FIDO2 server-library tampering
Auth-library trojanisation pattern reaching customer-trust catastrophe.
Quantified benefits for IdPs.
| Metric | Before Safeguard | With Safeguard |
|---|---|---|
| Per-tenant trust packet generation | 2 weeks | 1 hour |
| SSO library patch cycle | 14 days | 24 hours |
| SOC 2 continuous evidence | 8 weeks per audit | Continuous |
| Tools across the stack | 8 vendors | 1 |
| Cross-tenant audit isolation | Manual review | Automated |
| Alert noise reduction | Baseline | ↓ 80% |
| Customer breach notification | Ad hoc | 24h automated |