Authentication & Access Control
Understand how SBOM Observer unifies SSO, passkeys, sessions, and workspace roles before configuring tenants.
Why authentication choices matter
Security and platform teams balance convenience for users with the assurance requirements from risk, audit, and compliance. SBOM Observer supports multiple authentication methods because different personas need different entry points:
- SSO providers keep onboarding fast and consistent with your existing identity platform.
- Passkeys harden accounts with phishing-resistant MFA.
- OTP fallbacks prevent lockouts during incidents or SSO outages.
This page explains the conceptual model behind authentication, sessions, and roles in SBOM Observer so you can decide which options to enable before following the step-by-step guidance in the Quickstart or How-to pages.
Authentication providers
SBOM Observer ships with three pre-integrated identity providers:
- Google Workspace
- Microsoft Entra ID
- GitHub
Each user can link one or more providers from User Profile → Account Settings → Security Settings. This lets platform teams mandate a default provider while still allowing users to attach a secondary option for redundancy.
The security settings view shows linked identities with their status and includes an action to link an additional provider.
OTP fallback
If a user signs in without any linked provider or passkey, SBOM Observer sends a time-bound magic link or one-time code to the account email. This keeps workspace owners from locking themselves out during SSO outages while preserving audit trails for emergency access.
Passkeys
Passkeys (WebAuthn/FIDO2 credentials) let users sign in without passwords by binding authentication to trusted devices or hardware keys. They provide strong MFA with built-in phishing resistance because the browser only signs challenges for the SBOM Observer origin.
Within Account Settings → Security Settings, users see a list of registered passkeys with:
- Device labels
- Last used timestamps
- Removal controls
Users can add new passkeys from desktop and mobile browsers that support platform or roaming authenticators.
Sessions and device hygiene
Every login creates a session token scoped to the workspace. The Sessions panel in Security Settings shows active sessions with:
- IP address
- Device fingerprint
- Last activity time
This gives users and administrators a way to spot unusual behavior, such as unexpected devices or locations.
Revoke quickly
Users and administrators with elevated rights can invalidate any session with a single click. SBOM Observer terminates the corresponding refresh token immediately and forces the device to reauthenticate, which provides a lightweight containment control for suspicious logins.
How roles fit into access control
Authentication answers "who is this user?". Authorization answers "what is this user allowed to do once they are inside the workspace?".
In SBOM Observer:
- Authentication can use any supported method (SSO, passkeys, OTP).
- Access to data and actions is controlled by workspace roles.
- Each member has exactly one role per organization that defines their effective permissions.
The detailed role definitions and permission matrix live in the Roles and permissions reference page.
Navigating security settings
Use these entry points when configuring or reviewing authentication and access control:
- Account Settings → Security Settings: Link SSO providers, register passkeys, view or revoke sessions, and trigger OTP fallbacks when needed.
- Organization → Users: Assign roles, suspend accounts, and review audit history for membership changes.
Once the basic model is clear, you can follow the Quickstart to try out SBOM Observer in a pre-configured workspace, or use the CLI reference to generate SBOMs and use them in build pipelines.