Enterprise
Enterprise Authentication
Built-in SSO authentication with 50+ identity providers, automatic MFA enforcement, and seamless user experience
The .do platform provides enterprise-grade authentication out of the box. Your application automatically supports Single Sign-On (SSO) with all major identity providers, without writing authentication code.
How It Works
When you build on the platform, authentication is handled automatically:
// That's it - authentication is built-in
on($.User.login, async ({ user }) => {
// User is already authenticated
// SSO was handled automatically if configured
// MFA was enforced if required
// Session is created and secure
console.log(`${user.email} logged in via ${user.authMethod}`)
})The platform:
- Detects the user's email domain
- Routes to their company's identity provider (if SSO is configured)
- Handles SAML/OAuth flows automatically
- Enforces MFA and conditional access policies
- Creates a secure session
- Logs the authentication event for audit compliance
Authentication Methods
The platform supports multiple authentication methods automatically:
Single Sign-On (SSO)
Your app automatically works with 50+ enterprise identity providers:
Major Providers:
- Microsoft Entra ID (Azure AD)
- Okta
- Google Workspace
- OneLogin
- Auth0
- JumpCloud
- Ping Identity
Protocols:
- SAML 2.0
- OAuth 2.0
- OpenID Connect
// User logs in with their company email
// Platform automatically:
// 1. Looks up email domain (acme.com)
// 2. Finds SSO configuration for Acme Corp
// 3. Redirects to Okta (their IdP)
// 4. User authenticates with company credentials + MFA
// 5. Platform receives validated identity
// 6. User is logged into your app
on($.User.authenticated, async ({ user, authMethod }) => {
if (authMethod === 'sso') {
// User came through SSO
// Their company's security policies were enforced
// MFA was required if configured in their IdP
console.log(`${user.email} authenticated via ${user.organization.name} SSO`)
}
})Magic Links (Passwordless)
For non-enterprise users or development:
// Platform can send magic link emails automatically
await $.User.sendMagicLink({ email: '[email protected]' })
// User clicks link, platform validates token, creates session
// No passwords to manage or resetAPI Keys
For programmatic access:
// Users can generate API keys through the platform
const apiKey = await $.User.generateAPIKey({
name: 'Production API',
scopes: ['db:read', 'db:write'],
expiresIn: '90d'
})
// Platform automatically validates and scopes API key requestsUser Authentication Flow
Initial Login
sequenceDiagram
participant User
participant App as Your App
participant Platform as .do Platform
participant IdP as Company IdP
User->>App: Visit app.yourcompany.com
App->>Platform: Load (platform handles auth)
User->>Platform: Enter email
Platform->>Platform: Check domain (acme.com)
Platform->>Platform: Find SSO config for Acme
Platform->>IdP: Redirect to Okta
IdP->>User: Show login + MFA
User->>IdP: Authenticate
IdP->>Platform: Return validated identity
Platform->>Platform: Create/update user
Platform->>Platform: Create secure session
Platform->>Platform: Log auth event
Platform->>App: User authenticated
App->>User: Show application
Subsequent Logins
// Platform maintains secure sessions
// User returns within session timeout
on($.Request.received, async ({ request }) => {
const user = await $.User.fromRequest(request)
// Platform automatically:
// - Validates session token
// - Checks if still valid
// - Verifies organization membership
// - Returns user context
if (user) {
// User is authenticated
// Proceed with request
} else {
// Session expired or invalid
// Platform redirects to login
}
})Multi-Factor Authentication (MFA)
MFA is enforced automatically based on organization security policies:
// No MFA code to write - it's handled by the IdP
on($.User.authenticated, async ({ user, mfaVerified }) => {
// mfaVerified is true if MFA was required and completed
// The user's IdP (Okta, Entra, etc.) handled MFA
// Your app doesn't need to implement anything
if (mfaVerified) {
console.log(`${user.email} completed MFA`)
}
})MFA methods supported (configured in customer's IdP):
- Authenticator apps (Google Authenticator, Duo, Authy)
- SMS/phone verification
- Hardware tokens (YubiKey, etc.)
- Biometrics (Touch ID, Face ID, Windows Hello)
- Push notifications
Security Policies
Enterprise security policies are enforced automatically:
Conditional Access
Customer IdPs can enforce policies based on:
// All enforced by the IdP - no code needed
// - User location (country, IP range)
// - Device compliance (managed device, updated OS)
// - Risk level (impossible travel, leaked credentials)
// - Time of day (business hours only)
// - Network (corporate network, VPN required)
on($.User.authenticated, async ({ user, context }) => {
// context includes details about the authentication
console.log({
ipAddress: context.ipAddress,
location: context.location,
userAgent: context.userAgent,
riskLevel: context.riskLevel // If provided by IdP
})
})Session Management
The platform manages sessions securely:
// Sessions are automatically:
// - Encrypted with secure cookies
// - Scoped to the appropriate domain
// - Expired after inactivity
// - Invalidated on logout
// - Tracked for audit compliance
// Organization can configure session timeout
await $.Organization.update(orgId, {
settings: {
security: {
sessionTimeout: 3600, // 1 hour
requireMFA: true,
allowedIPs: ['203.0.113.0/24']
}
}
})
// Platform enforces automaticallyJust-In-Time (JIT) Provisioning
Users are created automatically on first login:
on($.User.sso.firstLogin, async ({ profile, organization }) => {
// Platform automatically creates user account
// You can customize what happens
const user = await $.User.create({
email: profile.email,
firstName: profile.firstName,
lastName: profile.lastName,
organizationId: organization.id,
authMethod: 'sso'
})
// Assign default role
await $.User.assign.Role({
userId: user.id,
roleId: 'member'
})
// Send welcome email
await $.Email.send({
to: user.email,
template: 'welcome',
data: { user, organization }
})
return user
})Domain-Based Routing
The platform automatically routes users to their organization's SSO:
// User enters: [email protected]
// Platform automatically:
// 1. Extracts domain: acme.com
// 2. Looks up organization with that domain
// 3. Checks if SSO is configured
// 4. Redirects to Okta (Acme's IdP)
// 5. User authenticates there
// 6. Returns to your app
// No routing code needed - it's automatic
on($.User.loginInitiated, async ({ email }) => {
// Platform has already determined auth method
// If SSO is available, user will be redirected
// If not, falls back to magic link or other method
})Authorization
Authentication tells you who the user is. Authorization determines what they can do:
// Platform provides built-in RBAC
await $.User.assign.Role({
userId: user.id,
roleId: 'admin'
})
// Check permissions
on($.API.request, async ({ user, resource }) => {
const canAccess = await $.User.can(user, 'read', resource)
if (!canAccess) {
throw new Error('Permission denied')
}
})
// Platform can automatically enforce permissions
await $.Project.list() // Automatically scoped to user's permissionsCross-Domain Sessions
The platform supports cross-domain authentication for your .do ecosystem:
// User logs in at app.yourcompany.com
// They also have access to:
// - dashboard.yourcompany.com
// - api.yourcompany.com
// - docs.yourcompany.com
// Platform manages SSO across all your domains automatically
// No need to implement session sharingDevelopment & Testing
Authentication works seamlessly in development:
// Development mode
if (process.env.NODE_ENV === 'development') {
// Platform provides test users automatically
// Or use magic links for quick testing
await $.User.sendMagicLink({ email: 'test@localhost' })
}
// Production mode
// SSO and enterprise auth work automaticallySecurity Best Practices
The platform implements security best practices automatically:
1. Session Security
- HttpOnly, Secure, SameSite cookies
- Encrypted session data
- Automatic expiration
- Logout invalidation
2. Token Security
- Short-lived access tokens (1 hour)
- Refresh tokens for extended sessions
- Secure token storage
- Automatic rotation
3. Password Security
- Not stored (SSO) or hashed with bcrypt (magic links)
- No password resets to manage
- No leaked password concerns
4. Audit Trail
- All authentication events logged
- Failed login attempts tracked
- Suspicious activity detected
- Compliance reporting available
Monitoring
Monitor authentication health through the platform:
// Get authentication metrics
const metrics = await $.Analytics.get({
metric: 'auth.success_rate',
organizationId: orgId,
period: 'last_30_days'
})
// Alert on unusual activity
on($.Auth.failedAttempts, async ({ user, count }) => {
if (count >= 5) {
await $.Alert.send({
type: 'security',
severity: 'high',
message: `${user.email} had ${count} failed login attempts`,
user
})
}
})Troubleshooting
The platform provides tools to diagnose authentication issues:
// Check authentication status
const status = await $.Organization.getAuthStatus(orgId)
console.log({
ssoConfigured: status.sso.configured,
ssoType: status.sso.type, // 'OktaSAML', 'AzureSAML', etc.
domainsVerified: status.domains.filter(d => d.verified),
activeUsers: status.users.active,
authenticationHealth: status.health // 'healthy', 'degraded', 'error'
})
// Test SSO connection
const test = await $.Organization.testSSO(orgId)
// Platform attempts a test authentication and reports resultsMigration
Moving from custom authentication to the platform:
Before (Custom Auth)
// Lots of authentication code to maintain
app.post('/login', async (req, res) => {
const { email, password } = req.body
const user = await db.users.findOne({ email })
if (!user || !await bcrypt.compare(password, user.passwordHash)) {
return res.status(401).json({ error: 'Invalid credentials' })
}
const token = jwt.sign({ userId: user.id }, SECRET, { expiresIn: '1d' })
res.json({ token })
})
// Handle SSO separately with multiple libraries
// Implement MFA yourself
// Manage session security
// Build audit logging
// etc.After (Platform Auth)
// Authentication is automatic
on($.User.authenticated, async ({ user }) => {
// User is already authenticated (SSO, MFA, etc. handled)
// Session is already secure
// Audit log is already recorded
// Just handle your application logic
})Advanced Features
Single Logout (SLO)
// When user logs out, platform can notify IdP
on($.User.logout, async ({ user }) => {
// Platform automatically:
// - Invalidates session
// - Clears cookies
// - Notifies IdP (if SLO configured)
// - Logs logout event
})Token Introspection
// For API requests with tokens
on($.API.request, async ({ token }) => {
const validation = await $.Token.introspect(token)
if (!validation.active) {
throw new Error('Invalid or expired token')
}
const user = await $.User.find(validation.userId)
// Proceed with authenticated request
})Custom Claims
// Add custom data to authentication context
on($.User.authenticated, async ({ user }) => {
// Platform includes standard claims:
// - email, name, organizationId, etc.
// You can add custom claims to the session
return {
...user,
customData: {
department: 'Engineering',
employeeId: 'EMP-12345',
permissions: await getUserPermissions(user.id)
}
}
})Summary
Authentication on the .do platform is:
- Automatic - SSO and MFA work without code
- Secure - Enterprise security standards built-in
- Scalable - Supports unlimited users and organizations
- Compliant - Meets SOC 2, HIPAA, GDPR requirements
- Flexible - Works with any identity provider
- Simple - No authentication libraries to maintain
Focus on your product features. Let the platform handle authentication.
Related Documentation
- User Provisioning - Automatic user sync from directories
- Multi-Tenancy - Organization isolation and management
- Admin Portals - Self-service SSO configuration
- Compliance - Audit logging and reporting
- API Authentication - API-level auth details
Enterprise Features
Built-in enterprise capabilities for authentication, provisioning, multi-tenancy, and compliance - no additional configuration required
RBAC & Fine-Grained Authorization
Built-in role-based access control and fine-grained authorization - define permissions once, enforce everywhere automatically