SIS-1.0 BINDER


SKYE Identity Standard (SIS) v1.0

Production requirements for SSO + SCIM across all SKYE deployments. This binder defines the controls, the admin experience, the audit posture, break-glass access, and the go-live gate that prevents identity drift.
Core mission

Two controls, one identity loop

SSO and SCIM are separate controls with one combined mission: the customer owns identity, and SKYE enforces it correctly.

SSO answers: “Can this person authenticate right now?”

SCIM answers: “Should this person exist in the app at all, and what access do they get?”

When both are enabled, they form the “zero-drift identity loop.”

1) Core Principles
  1. SKYE never stores customer passwords when SSO is enabled.
  2. Identity is tenant-bound. Every auth decision is evaluated inside an org/tenant boundary.
  3. Deprovisioning must be fast. If a user is removed or disabled in the customer’s IdP, SKYE access is cut off quickly, including any session that is already open.
  4. No silent failures. Every auth/provisioning event is auditable and visible to admins.
  5. Secure by default. Correct signature checks, correct validation, and correct rotation behavior.
2) Terminology
  • Org / Tenant: Customer environment with its own policies, IdP config, SCIM token(s), and role mappings.
  • IdP: Identity Provider (Okta, Entra ID, Google Workspace, Ping, etc.).
  • SSO Protocols: OIDC (preferred) and SAML 2.0 (must support).
  • SCIM: SCIM 2.0 provisioning and group sync.
3) SKYE SSO Standard

3.1 Supported protocols

  • MUST support OIDC (Authorization Code + PKCE).
  • MUST support SAML 2.0 for enterprise compatibility.
  • MAY support both simultaneously per tenant, with one enforced as primary.

3.2 Tenant configuration and routing

  • MUST support per-tenant IdP configuration (issuer/entity, callbacks/ACS, certs, JWKS).
  • MUST support routing by domain hint, org slug, or email discovery.

3.3 Token/assertion validation

OIDC: validate the ID token signature against the tenant’s pinned JWKS (select the key by kid; allowlist the expected alg, never accept "none"); check issuer, audience (and azp when aud lists several clients), exp/nbf with a bounded clock skew, and the nonce (state is checked on the callback before the token exchange); reject tokens with missing required claims.

SAML: validate the XML signature against the tenant’s pinned cert(s), never a cert carried in the message’s own KeyInfo; require a signed Assertion and confirm the signature covers the element you consume, not a sibling (signature wrapping); enforce Audience, Destination, Conditions NotBefore/NotOnOrAfter, and InResponseTo for SP-initiated flows; prevent replay by caching assertion IDs until NotOnOrAfter.
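
The OIDC checks above, in the order they should run, as an added example (not SKYE’s own code). To keep it runnable offline with only the standard library, the signature step uses an HS256 key published as a JWK of type "oct"; a production deployment allowlists the IdP’s asymmetric algorithm (RS256/ES256) and verifies with the public key from the JWKS, but the sequencing, the tenant binding and the rejection reasons are the same. The tenant configuration, key and tokens are constructed for the demo.

```python
"""OIDC ID token validation in the order the standard requires. Added example, not SKYE code."""
import base64
import hashlib
import hmac
import json
import time

REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")
ALLOWED_ALGS = {"HS256"}   # demo only; production allowlists the IdP's asymmetric alg(s), never "none"
MAX_SKEW = 60              # seconds of clock skew tolerated on exp/nbf


class TokenRejected(Exception):
    pass


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_id_token(jwk, claims):
    """Constructed stand-in for the IdP's signer so the example runs offline."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_id_token(token, tenant, expected_nonce, now=None):
    """Return verified claims or raise TokenRejected. tenant = {issuer, client_id, jwks} for one org."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
    except ValueError as e:          # binascii.Error and json.JSONDecodeError both subclass ValueError
        raise TokenRejected(f"malformed token: {e}")
    # 1. Algorithm allowlist before anything else: the header is attacker-controlled until verified.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenRejected(f"alg not allowed: {header.get('alg')!r}")
    # 2. Key selection by kid from the tenant's pinned JWKS, never from a URL carried in the token.
    keys = [k for k in tenant["jwks"]["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "oct"]
    if len(keys) != 1:
        raise TokenRejected("unknown kid")
    expected = hmac.new(b64url_decode(keys[0]["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenRejected("bad signature")
    # 3. Required claims must be present before they are compared.
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise TokenRejected(f"missing claims: {missing}")
    # 4. Issuer and audience bind the token to this tenant's IdP and this client.
    if claims["iss"] != tenant["issuer"]:
        raise TokenRejected("issuer mismatch")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if tenant["client_id"] not in aud:
        raise TokenRejected("audience mismatch")
    if len(aud) > 1 and claims.get("azp") != tenant["client_id"]:
        raise TokenRejected("azp must name this client when aud has several entries")
    # 5. Time window with bounded skew.
    if now > claims["exp"] + MAX_SKEW:
        raise TokenRejected("token expired")
    if "nbf" in claims and now + MAX_SKEW < claims["nbf"]:
        raise TokenRejected("token not yet valid")
    # 6. Nonce ties the token to the authorization request this callback belongs to.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise TokenRejected("nonce mismatch")
    return claims


# Constructed tenant configuration for the demo; the key is not a real secret.
SAMPLE_JWK = {"kty": "oct", "kid": "2024-01", "k": b64url_encode(b"demo-secret-not-for-production")}
TENANT = {"issuer": "https://idp.example.com", "client_id": "skye-prod", "jwks": {"keys": [SAMPLE_JWK]}}


def demo(now=1_700_000_000.0):
    """Accept one good token, then show the rejection reason for each tampered variant."""
    base = {"iss": TENANT["issuer"], "sub": "u-42", "aud": "skye-prod", "exp": now + 300, "iat": now, "nonce": "n-1"}
    good = mint_id_token(SAMPLE_JWK, base)
    results = [validate_id_token(good, TENANT, "n-1", now)["sub"]]
    variants = [{"aud": "other-app"}, {"exp": now - 3600}, {"nonce": "n-2"}, {"iss": "https://evil.example"}]
    p64 = good.split(".")[1]
    none_header = b64url_encode(json.dumps({"alg": "none", "kid": SAMPLE_JWK["kid"]}).encode())
    tokens = [mint_id_token(SAMPLE_JWK, {**base, **v}) for v in variants] + [f"{none_header}.{p64}."]
    for t in tokens:
        try:
            validate_id_token(t, TENANT, "n-1", now)
            results.append("accepted")
        except TokenRejected as e:
            results.append(str(e))
    return results


if __name__ == "__main__":
    print(demo())
```

The order matters: the alg allowlist and the key lookup run before any claim is read, so a forged header cannot steer the verifier, and the JWKS is the one pinned in the tenant record, refreshed on a schedule and on an unknown kid, never fetched from a location named in the token.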

3.4 Account linking rules

  • MUST link via stable identifiers (OIDC: sub+issuer; SAML: NameID/attribute + issuer).
  • MUST tolerate email changes without identity breakage.
  • MUST block takeover by email collision: never auto-link a federated identity to an existing account on a matching email alone; require verified ownership or an admin-driven link.
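
The three linking rules above as one decision function, added here as an example rather than SKYE’s own implementation. The account store, issuer URLs and claim values are constructed for the demo; the jit_allowed flag is an assumed tenant setting that captures whether SSO may create accounts at all (a SCIM-managed tenant leaves existence to SCIM, per the identity loop described at the top of this binder).

```python
"""Account linking on stable federated identifiers. Added example, not SKYE code."""
from dataclasses import dataclass, field


class LinkRefused(Exception):
    pass


@dataclass
class Account:
    id: str
    email: str
    links: set = field(default_factory=set)   # {(issuer, sub)} pairs allowed to sign in to this account


class AccountStore:
    """In-memory stand-in for one tenant's account table."""

    def __init__(self):
        self.accounts = []

    def create(self, email, link):
        acct = Account(id=f"acct-{len(self.accounts) + 1}", email=email, links={link})
        self.accounts.append(acct)
        return acct

    def by_link(self, link):
        return next((a for a in self.accounts if link in a.links), None)

    def by_email(self, email):
        return next((a for a in self.accounts if a.email == email), None)


def resolve_login(store, tenant_issuer, claims, jit_allowed):
    """Map already-validated token claims to an account. Returns (account, action) or raises LinkRefused."""
    link = (tenant_issuer, claims["sub"])            # identity key is issuer + sub, never the email
    email = claims.get("email", "").strip().lower()
    acct = store.by_link(link)
    if acct is not None:
        if email and acct.email != email:             # email changed at the IdP: attribute update only
            acct.email = email
            return acct, "email-updated"
        return acct, "login"
    if email and store.by_email(email) is not None:
        # Collision: an account with this email exists but is not linked to this (issuer, sub).
        # Auto-linking here would hand the account to whoever controls an IdP asserting that email.
        raise LinkRefused("email already in use; admin-driven link or verified ownership required")
    if not jit_allowed:                               # SCIM-managed tenant: existence is SCIM's decision
        raise LinkRefused("user not provisioned")
    return store.create(email, link), "created"


def demo():
    store, iss, out = AccountStore(), "https://idp.example.com", []
    acct, action = resolve_login(store, iss, {"sub": "u-42", "email": "Alice@Example.com"}, jit_allowed=True)
    out.append(action)
    # Same (issuer, sub) returns with a new address: same account, email attribute updated.
    out.append(resolve_login(store, iss, {"sub": "u-42", "email": "alice.smith@example.com"}, True)[1])
    # A second IdP asserting the same email must not be linked to Alice's account.
    try:
        resolve_login(store, "https://other-idp.example", {"sub": "x-1", "email": "alice.smith@example.com"}, True)
        out.append("linked")
    except LinkRefused:
        out.append("refused-collision")
    # Unknown subject on a SCIM-managed tenant: SSO alone does not create accounts.
    try:
        resolve_login(store, iss, {"sub": "u-99", "email": "bob@example.com"}, jit_allowed=False)
        out.append("created")
    except LinkRefused:
        out.append("refused-not-provisioned")
    out.append((acct.id, acct.email, len(store.accounts)))
    return out


if __name__ == "__main__":
    print(demo())
```

The refused-collision path is where the admin-driven link belongs: an explicit action by a tenant admin, or a proof-of-ownership flow against the existing account, adds the (issuer, sub) pair to its links; the login path itself never does.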

3.5 MFA and enforcement

  • MUST allow tenant enforcement: “SSO required; disable password login.”
  • MUST allow IdP MFA enforcement (record indicator when available).
  • SHOULD support step-up auth for sensitive actions.

3.6 Session security

  • MUST revoke sessions on deprovision/disable and role downgrade.
  • MUST use short-lived tokens or rotating sessions.
  • MUST set cookies securely (HttpOnly, Secure, SameSite).
4) SKYE SCIM Standard

4.1 SCIM compatibility

  • MUST implement SCIM 2.0 endpoints: /scim/v2/Users and /scim/v2/Groups.
  • MUST support create, update (PATCH), deactivate/disable, and optional delete.
  • MUST support filtering and pagination as defined in RFC 7644 (e.g. filter=userName eq "..."; startIndex and count), since IdPs use the filter to reconcile after a lost response.

4.2 Provisioning lifecycle rules

  • MUST support active=false disable semantics.
  • MUST deprovision within SLA: target < 2 minutes (Enterprise), max < 15 minutes (Core).
  • MUST ensure disable triggers session revocation.

4.3 Group sync → roles/permissions

  • MUST support group-to-role mapping per tenant.
  • MUST map by group ID (not name) to survive renames.
  • MUST have deterministic conflict rules; SKYE default is least privilege.
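
Group-to-role resolution following the three rules above, as an added example that is not SKYE’s own code. Mappings are keyed on the IdP group ID, a group rename arrives as a SCIM PATCH on displayName and changes nothing, unmapped groups confer no access, and a conflict between mapped groups resolves to the least-privileged role unless the tenant selects otherwise. The role ranking, group IDs and PATCH payloads are constructed for the demo; the conflict_rule parameter is an assumed tenant setting.

```python
"""Group-to-role resolution keyed on IdP group ID. Added example, not SKYE code."""

ROLE_RANK = {"none": 0, "viewer": 1, "editor": 2, "admin": 3}   # higher rank = more privilege


def resolve_role(tenant_mappings, member_group_ids, conflict_rule="least"):
    """tenant_mappings: {idp_group_id: skye_role}. Unmapped groups confer nothing.
    When mapped groups disagree the tenant's conflict rule decides; the default is least privilege."""
    roles = sorted({tenant_mappings[g] for g in member_group_ids if g in tenant_mappings})  # sorted => deterministic
    if not roles:
        return "none"   # no mapped group means no access, never an implicit default role
    pick = min if conflict_rule == "least" else max
    return pick(roles, key=ROLE_RANK.__getitem__)


def apply_membership_change(user, tenant_mappings, member_group_ids, conflict_rule="least"):
    """Recompute the user's role after a group sync. Returns (old_role, new_role, revoke_sessions)."""
    old = user["role"]
    new = resolve_role(tenant_mappings, member_group_ids, conflict_rule)
    user["role"] = new
    return old, new, ROLE_RANK[new] < ROLE_RANK[old]   # downgrade => existing sessions are revoked


def apply_group_patch(group, operations):
    """Apply SCIM 2.0 PATCH operations to an in-memory group {id, displayName, members: set}."""
    for op in operations:
        kind, path = str(op.get("op", "")).lower(), op.get("path", "")   # op names arrive capitalised from some IdPs
        if kind == "replace" and path == "displayName":
            group["displayName"] = op["value"]               # rename: id unchanged, mappings unaffected
        elif kind == "add" and path == "members":
            group["members"] |= {m["value"] for m in op["value"]}
        elif kind == "remove" and path == "members":
            group["members"].clear()
        elif kind == "remove" and path.startswith('members[value eq "'):
            group["members"].discard(path.split('"')[1])     # RFC 7644 filter form
        else:
            raise ValueError(f"unsupported operation {op}")


def demo():
    mappings = {"g-admins-id": "admin", "g-viewers-id": "viewer"}      # keyed by group id, not displayName
    admins = {"id": "g-admins-id", "displayName": "Admins", "members": set()}
    viewers = {"id": "g-viewers-id", "displayName": "Viewers", "members": set()}
    user = {"id": "u-42", "role": "none"}

    def groups_of(uid):
        return {g["id"] for g in (admins, viewers) if uid in g["members"]}

    out = []
    apply_group_patch(admins, [{"op": "Add", "path": "members", "value": [{"value": "u-42"}]}])
    out.append(apply_membership_change(user, mappings, groups_of("u-42")))
    apply_group_patch(admins, [{"op": "replace", "path": "displayName", "value": "Platform Admins"}])
    out.append(apply_membership_change(user, mappings, groups_of("u-42")))      # rename changes nothing
    apply_group_patch(viewers, [{"op": "add", "path": "members", "value": [{"value": "u-42"}]}])
    out.append(apply_membership_change(user, mappings, groups_of("u-42")))      # conflict: least privilege wins
    apply_group_patch(admins, [{"op": "remove", "path": 'members[value eq "u-42"]'}])
    apply_group_patch(viewers, [{"op": "remove", "path": "members"}])
    out.append(apply_membership_change(user, mappings, groups_of("u-42")))      # no mapped group => none
    return out


if __name__ == "__main__":
    print(demo())
```

The revoke flag from apply_membership_change is what ties 4.3 to 3.6: a downgrade is not complete until the sessions issued under the old role are gone.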

4.4 Idempotency and retries

  • MUST be idempotent to prevent duplicates.
  • MUST tolerate retries and out-of-order events.
  • MUST surface failures with actionable errors for admins.
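
A tenant-scoped SCIM /Users handler that meets the lifecycle rules of 4.2 and the idempotency rules of 4.4 together, added as an example and not SKYE’s own code. It returns (status, body) pairs in the shape RFC 7644 defines rather than binding to any web framework; the session store, audit list, schema URNs and sample requests are constructed for the demo. The tolerance for capitalised op names and string-valued booleans reflects dialect differences seen across real IdPs and is an assumption about what the tenant’s IdP may send, not a requirement taken from this binder.

```python
"""Tenant-scoped SCIM 2.0 /Users handling for the lifecycle and idempotency rules. Added example, not SKYE code."""
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_error(status, detail, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def as_bool(v):
    """SCIM booleans are JSON bools, but string forms such as "False" are seen from some IdPs."""
    return v if isinstance(v, bool) else str(v).strip().lower() == "true"


class SessionStore:
    def __init__(self):
        self.active = {}                                   # user_id -> set of session ids

    def revoke_all(self, user_id):
        return len(self.active.pop(user_id, set()))


class ScimUsers:
    """One instance per tenant: the SCIM bearer token selects it, so lookups never cross tenants."""

    def __init__(self, tenant_id, sessions, audit):
        self.tenant_id, self.sessions, self.audit = tenant_id, sessions, audit
        self.users = {}

    def _find(self, attr, value):
        return next((u for u in self.users.values() if u.get(attr) == value), None)

    def create(self, body):
        """POST /scim/v2/Users. A retry after a lost 201 hits the uniqueness check (409, RFC 7644)
        instead of creating a duplicate; the IdP then reconciles via a filter lookup."""
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "User schema and userName are required", "invalidValue")
        ext = body.get("externalId")
        if self._find("userName", body["userName"]) or (ext and self._find("externalId", ext)):
            return scim_error(409, "user already exists", "uniqueness")
        user = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()), "userName": body["userName"],
                "externalId": ext, "active": as_bool(body.get("active", True)),
                "meta": {"resourceType": "User", "version": 1}}
        self.users[user["id"]] = user
        self.audit.append((self.tenant_id, "scim.user.create", user["id"]))
        return 201, user

    def patch(self, user_id, body):
        """PATCH /scim/v2/Users/{id}. Accepts the path form ("path": "active") and the value-object form
        ({"value": {"active": ...}}). Re-sending the same disable is a no-op that still returns 200."""
        user = self.users.get(user_id)
        if user is None:
            return scim_error(404, "user not found")
        if PATCH_SCHEMA not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required", "invalidValue")
        for op in body.get("Operations", []):
            kind = str(op.get("op", "")).lower()
            if kind not in ("replace", "add"):
                return scim_error(400, f"unsupported op {op.get('op')!r}", "invalidValue")
            if op.get("path"):
                changes = {op["path"]: op.get("value")}
            elif isinstance(op.get("value"), dict):
                changes = op["value"]
            else:
                return scim_error(400, "path or value object required", "invalidPath")
            for attr, value in changes.items():
                if attr == "active":
                    value = as_bool(value)
                    if user["active"] and not value:        # disable: sessions die with the account
                        n = self.sessions.revoke_all(user_id)
                        self.audit.append((self.tenant_id, "session.revoked", user_id, n))
                    user["active"] = value
                elif attr in ("userName", "externalId", "displayName"):
                    user[attr] = value
                else:
                    return scim_error(400, f"unsupported attribute {attr!r}", "invalidPath")
        user["meta"]["version"] += 1
        self.audit.append((self.tenant_id, "scim.user.patch", user_id))
        return 200, user


def demo():
    audit, sessions = [], SessionStore()
    svc = ScimUsers("tenant-acme", sessions, audit)
    out = []
    req = {"schemas": [USER_SCHEMA], "userName": "alice@example.com", "externalId": "idp-00u1"}
    status, user = svc.create(req)
    out.append(status)
    status, err = svc.create(req)                           # IdP retry of the same create
    out.append((status, err["scimType"]))
    sessions.active[user["id"]] = {"sess-1", "sess-2"}      # constructed live sessions
    disable = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "Replace", "value": {"active": "False"}}]}
    status, body = svc.patch(user["id"], disable)
    out.append((status, body["active"]))
    status, body = svc.patch(user["id"], disable)           # retried PATCH: same state, no second revocation
    out.append((status, body["active"]))
    out.append(user["id"] in sessions.active)
    out.append([e[1] for e in audit])
    return out


if __name__ == "__main__":
    print(demo())
```

Two things a production version adds on top of this: the PATCH must be applied atomically (a rejected second operation here leaves the first applied, which a real handler wraps in a transaction), and the audit tuples carry the tenant ID so the logging test in the production gate can confirm scoping.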
5) SKYE Admin Experience

Identity Console

Every tenant enabling SSO/SCIM must have an Identity Console section that exposes status, tools, and last-known errors.

  • SSO status: enabled/disabled, protocol, issuer/entity, last successful login time
  • SCIM status: enabled/disabled, last sync time, last error, token rotation controls
  • Group mappings: IdP groups → SKYE roles
  • Tools: Test SSO, validate JWKS/cert freshness, SCIM test user
  • Security posture summary: SSO required, password disabled, MFA indicator
  • Break-glass controls
6) Break-glass

Emergency admin access

  • MUST support tenant-controlled break-glass for lockout scenarios.
  • MUST require an authentication path independent of the tenant’s IdP (so an IdP outage or misconfiguration cannot lock it out too), MFA, tight auditing, and an optional IP allowlist.
  • MUST alert and log every break-glass action.
7) Audit logging

WORM-grade mindset

Identity events must generate immutable audit entries across authentication, provisioning, and admin changes.

  • Auth: login success/fail, logout, token refresh, session revoked
  • Provisioning: SCIM user create/update/disable/delete; group membership changes; mapping results
  • Admin: SSO config changes, SCIM token rotation, mapping edits, policy toggles

Retention: default 1 year (Core); 3–7 years (Enterprise option).

8) Security baselines

SKYE Production Gate

A deployment cannot be labeled “SKYE Production Certified” unless it passes:

  • Correct OIDC/SAML validation (signature, issuer/audience, time windows, replay protections)
  • Key/cert rotation tolerance (JWKS refresh; SAML rollover)
  • Deprovision test: removal in IdP → access blocked within SLA
  • Role mapping test: group change → deterministic permissions update
  • Logging test: events present with correct tenant scoping
  • Lockout resilience: break-glass works without unsafe shortcuts
9) Default policy profiles

  • SIS-Core
    Default posture: standard enterprise identity baseline for most tenants
    Required controls: SSO enabled; basic group-to-role mapping; audit logs 1 year; deprovision max < 15 minutes
  • SIS-Enterprise
    Default posture: regulated / large org production gate
    Required controls: SSO required + password disabled; SCIM required; session revocation; audit logs 3+ years; deprovision target < 2 minutes; break-glass
10) Client-facing line

Consistency statement

“SKYE supports enterprise identity the right way: SSO controls authentication, SCIM controls lifecycle and access, and every change is audited.”