Bring Your Own IdP (BYOI)
Bring Your Own IdP (BYOI) is an enterprise deployment option where customers authenticate and authorize users directly through their own Identity System, bypassing QuEra's identity infrastructure.
Overview
With BYOI, your organization:
- Maintains full control over user authentication and authorization
- Uses your existing identity provider and policies
- Integrates QLAM directly into your security infrastructure
- Manages user access through your own systems
This is ideal for enterprises with strict security requirements or existing identity investments.
How It Works
In a BYOI deployment, the API Gateway (Kong) is configured to authenticate directly with your identity provider:
- User initiates request - User makes an API request to QLAM
- Gateway authenticates - Kong validates the request against your IdP
- Authorization check - Your configured policies (RBAC, groups) are enforced
- Request forwarded - Authenticated requests are passed to QLAM services
Setup Process
BYOI tenant registration involves deploying and configuring infrastructure specific to your organization. The setup process requires coordination with QuEra:
OAuth Protocol Setup
- Create OAuth Application - In your IdP, create a new OAuth Application with the authorization code grant
- Save the `client_id` for configuration
- Save the
- Authorize users - Configure which users or groups can access the application
- Define access control - Work with QuEra to determine authorization strategy:
  - Role-Based Access Control (RBAC)
  - Group-based enforcement
  - Custom policies
- Configure Kong - QuEra configures the Kong OpenID Connect Plugin with your IdP hostname and client configuration
- Enable access control - Configure the appropriate Kong plugins for your authorization strategy
Other Authentication Protocols
Other authentication protocols (such as LDAP) are supported on a case-by-case basis. Contact QuEra to discuss your specific requirements.
Required Configuration
User Identity Mapping
To support proper data retrieval and audit trails, your IdP must provide an opaque user ID that QLAM can use to identify users. This should be:
- A UUID claim in your OAuth token
- Passed to QLAM backend services via an HTTP header (e.g., `X-User-Id`)
Work with QuEra to configure the appropriate claim mapping for your IdP.
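The gateway-side step that the two sections above describe (enforcing the tenant's group policy, then mapping the opaque UUID claim onto the `X-User-Id` header) is sketched below as an added example; it is not QuEra's or Kong's code. It assumes the OIDC plugin has already verified the token signature, and the issuer, audience, group name and UUID are constructed sample values.

```python
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class TenantPolicy:
    """Per-tenant settings applied after the OIDC plugin has verified the token."""
    issuer: str
    audience: str
    user_id_claim: str = "sub"                # claim carrying the opaque UUID
    groups_claim: str = "groups"              # claim carrying group membership
    groups_required: frozenset = frozenset()  # empty set = no group restriction
    header_name: str = "X-User-Id"            # header forwarded to QLAM services


class AuthzError(Exception):
    """Raised when a verified token does not satisfy tenant policy."""


def map_claims_to_headers(claims: dict, policy: TenantPolicy, now: int) -> dict:
    """Return the upstream headers for an accepted request, or raise AuthzError.

    Signature verification is assumed to have happened upstream; this is only
    the claim-mapping and group-enforcement step.
    """
    if claims.get("iss") != policy.issuer:
        raise AuthzError("issuer mismatch")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if policy.audience not in aud:
        raise AuthzError("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise AuthzError("token expired")
    user_id = claims.get(policy.user_id_claim)
    try:
        # QLAM expects an opaque UUID, not an email address or username.
        canonical = str(uuid.UUID(str(user_id)))
    except (ValueError, TypeError):
        raise AuthzError(f"{policy.user_id_claim} is not a UUID") from None
    groups = set(claims.get(policy.groups_claim, []))
    if policy.groups_required and not (policy.groups_required & groups):
        raise AuthzError("user is not in an authorized group")
    # Only the gateway sets this header; any client-supplied copy is discarded.
    return {policy.header_name: canonical}


# Constructed sample values; substitute your tenant's issuer, audience and group.
POLICY = TenantPolicy(issuer="https://idp.example.com", audience="qlam-api",
                      groups_required=frozenset({"qlam-users"}))
SAMPLE_CLAIMS = {"iss": "https://idp.example.com", "aud": "qlam-api", "exp": 1_800_000_000,
                 "sub": "3f2a1c0e-9b7d-4e6a-8c5b-1d2e3f4a5b6c", "groups": ["qlam-users"]}
```

A token whose user-id claim is an email address, or whose groups do not intersect the required set, is rejected before anything reaches QLAM.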
Authentication Flow
With OIDC-based BYOI, the user authentication flow is similar to standard QLAM authentication—users authenticate via Authorization Code or Device Code flows, but are directed to your organization's IdP instead of QuEra's.
QLAM Shell and other clients work with BYOI deployments with appropriate configuration.
Enterprise Feature
BYOI is available for enterprise deployments with dedicated infrastructure. Contact your QuEra account team to discuss your requirements.
Next Steps
- Authentication Guide - Overview of authentication methods
- SSO Integration - Federated SSO with QuEra's identity system
- Authentication Reference - Technical details for each flow