Integration - Bring Your Own Identity (BYOID) [Early Access]

BYOID enables organizations to give their account members access to their Trust Center using the organization's own identity systems.

Written by Matt Szczurek

Enterprise customers are eligible for BYOID. Please contact your customer success manager to discuss implementing this feature.

Interested in participating in the BYOID Early Access? Please submit this short form and a member of our team will be in touch.

Overview

Submitting/reviewing access requests and assigning permission profiles adds friction to the security review process. We know you have invested in your login/permission systems and would prefer that customers use them to access Trust Center content.

Our goal is to enable organizations to allow account member access to their Trust Center using their own identity systems, known as Bring Your Own Identity (BYOID).

BYOID allows users who currently authenticate with your product to access your Trust Center without re-authenticating.

Note: Organizations will need to do a small amount of development work to set up BYOID.

This feature is meant for account members, not an organization's internal users.

High-level access flow

BYOID allows account members to log in to the Trust Center in two new ways.

  1. From the org’s application, where they are already logged in

    1. Use case: embedding a "Go to Trust Center" button in your app for logged-in users, which takes them directly to SafeBase as logged-in account members

  2. From the public Trust Center

    1. Use case: visitors are redirected to a dedicated endpoint (in your app) that redirects them back to SafeBase with a signed JWT

    2. This flow is still under development and will be available soon

If access via BYOID fails, the user is directed to the SafeBase access request flow.

Included Features:

Account Creation: BYOID checks whether an account already exists and creates one if it does not. If a new account member tries to access the Trust Center and an account for their company already exists, BYOID adds them to that account.

Permission Profiles: The default permission profile is assigned to all new accounts created via this method.

Expired Accounts: BYOID checks whether the account has expired. If it has, the account member is sent through the extended access flow.

Implementation Guide

Your Customer Success Manager will introduce you to SafeBase support. SafeBase support will enable the feature and work with your team to configure and test it.

SafeBase will provide an asymmetric RSA private key to sign the JWTs with.

Please use RS256 to sign the JWTs; it is the only algorithm that is allowed.

From your app, implement logic that generates a JWT with the following structure:

{
  "sub": email,
  "firstName": firstName,
  "lastName": lastName,
  "companyName": companyName,
  "iat": iat,
  "iss": "https://issuer.safebase.io/organizations/${orgId}",
  "aud": "https://byoid.safebase.io/organizations/${orgId}"
}

Product users will be sent to the following URL:

https://trust.company.com/?byoidJwt={jwt}
This hyperlink can be inserted into dropdowns, inline text, or buttons within your product.

Technical Notes/Caveats

  • BYOID JWTs have a max age of 1 hour. SafeBase will ignore any JWT with an older iat value.

  • For a copy of your orgId, navigate to SafeBase > Settings > Organization Settings > Organization ID (located at the very bottom of the screen)