Feature Reference

Every IAM feature.
Pre-built and tested.

Passport ships 630+ unit tests at 95% pass rate, built on SOLID principles and Clean Architecture. This is a production-grade IAM platform — not a prototype.

27 packages (22 libraries + 5 apps) · Clean Architecture · React 18 + TypeScript + ASP.NET Core

27 Packages Total
22 Libraries
5 Frontend Apps
630+ Unit Tests
95% Tests Passing
70% Deploy-Ready

Authentication methods.

Every authentication flow your users will need — local, social, federated, and enterprise SSO — all wired through the same provider interface.

Local Credentials

Email / password authentication with bcrypt hashing, configurable password policies, rate limiting, and brute-force lockout protection.

OAuth 2.0 Social

Google, GitHub, and Microsoft social login. Configurable per tenant. OAuth tokens normalised into Passport's identity model — no provider-specific code in your app.

SSO — Discourse Connect

Passport is the identity provider for Discourse communities. Tokens, user sync, group mappings, and session management all handled by Passport. Live and in production.

Federated — AWS Cognito

Delegate to an existing Cognito user pool. Passport handles the UI, RBAC, and audit layer — Cognito handles the identity store and MFA.

Federated — Azure AD

Integrate with Microsoft Entra ID for enterprise customers. RBAC role mappings sync from Azure groups into Passport's permission model.

Federated — Okta

Okta as the identity backend with Passport's white-label screens on top. Fully tested against the Okta provider interface contract.

Admin Dashboard.

A complete administration console for managing users, roles, tenants, and security policy — with full audit visibility.

User Management

  • Create, edit, suspend, and delete users
  • Bulk import via CSV
  • User search and filter by role, status, tenant
  • Password reset and forced re-authentication

Role Management

  • Create hierarchical roles per tenant
  • Assign roles to users individually or in bulk
  • Role inheritance and override rules
  • Default role on registration per tenant

RBAC Configuration

  • Define permissions and assign to roles
  • Permission resolver — resolves at request time
  • 5-minute cache, fail-secure on resolver failure
  • Per-tenant RBAC isolation

Audit Log Viewer

  • Every auth and authz event recorded
  • Filter by user, event type, date range, outcome
  • Export to CSV for compliance review
  • Non-repudiable — logs are append-only

Settings & Policy

  • Password policy configuration per tenant
  • Session timeout and concurrent session limits
  • Allowed OAuth providers per tenant
  • IP allowlist / blocklist rules

Security Dashboard.

Real-time threat detection and compliance reporting. Your security team gets a live view of authentication health across all tenants.

Real-Time Login Monitoring

  • Live stream of authentication events
  • Success / failure rates by tenant
  • Geographic login distribution
  • Anomaly spike detection

Suspicious Activity Alerts

  • Impossible travel detection
  • Failed attempt pattern analysis
  • New device from unfamiliar location
  • Configurable alert thresholds per tenant

Device Fingerprinting

  • Browser fingerprint capture on login
  • Known vs. new device classification
  • Device trust scoring
  • Step-up authentication triggers

IP Reputation

  • VPN, proxy, and datacenter detection
  • Threat intelligence feed integration
  • Configurable response — block, challenge, log
  • IP-level audit history

Compliance Reports

  • GDPR access log exports
  • SOC2 audit trail evidence
  • HIPAA access control evidence
  • Scheduled report delivery

SSO & Provider Architecture.

All four IAM providers implement the same 6 interface contracts. The rest of the codebase never knows which provider is active.

6 Provider Interface Contracts

  • IAuthenticationProvider — sign-in, sign-out
  • IUserProvider — CRUD, search, profile
  • IRoleProvider — roles, assignments
  • ITokenProvider — issue, validate, revoke
  • IAuditProvider — event recording
  • ISSOProvider — external app registration, token exchange

SSO Management Console

  • Register external apps for SSO
  • Configure role mappings from Passport roles to app claims
  • Monitor live SSO request traffic per app
  • Debug Discourse Connect token exchange
  • SAML 2.0 and OIDC configuration screens (roadmap)

Performance Comparison

Native provider benchmarked on local SQL. Cloud providers depend on network latency to the cloud region.

Provider           Throughput             Latency
Passport Native    2,000 – 3,000 req/s    <5 ms (local)
AWS Cognito        ~500 req/s             20–80 ms
Azure AD           ~400 req/s             30–100 ms
Okta               ~300 req/s             40–120 ms

Provider Swap

  • One config line to switch providers
  • No controller changes required
  • No business logic changes required
  • Tested: Cognito → Azure AD → Native in CI
  • Safe for zero-downtime migrations

RBAC & Permissions.

Hierarchical roles, a permission resolver pattern, caching, and fail-secure design — built for production authorisation at scale.

Hierarchical Roles

Roles inherit permissions from parent roles. A SuperAdmin inherits everything. A TenantAdmin inherits tenant-scoped permissions. Custom roles extend the hierarchy without breaking existing assignments.

Permission Resolver

At request time, the resolver walks the role hierarchy for the authenticated user and tenant, materialises the effective permission set, and caches the result for 5 minutes per user session.

Fail-Secure Design

If the permission resolver encounters an error, access is denied — not granted. No silent fail-open vulnerabilities. Every permission decision is logged with the resolver outcome.

Per-Tenant Isolation

Each tenant has its own role and permission namespace. A user who is an admin in Tenant A has zero elevated access in Tenant B. Enforced at the DB query level, not just the API.

Redis Cache (Optional)

The 5-minute permission cache uses in-memory storage by default. Swap to Redis with one config line for distributed deployments where multiple API instances share session state.

Permission Assignment API

Programmatically grant, revoke, and check permissions via the internal API. Automate onboarding flows — assign roles on user creation, update on subscription tier change.
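The resolver, cache, fail-secure and per-tenant behaviour described above, as an added example in TypeScript (it is not Passport's code; the role names, the RoleDirectory interface, the sample assignments and the injectable clock are constructed for the demonstration). It walks the role hierarchy for a user within one tenant, caches the effective set for 5 minutes, denies on any resolver error, and records the outcome so it can be written to the audit log:

```typescript
// Added example, not Passport's own code. Constructed roles, directory and clock.
export type Role = { name: string; parent?: string; permissions: string[] };

// Directory the resolver consults. Injected so that a backend failure can be simulated.
export interface RoleDirectory {
  rolesForUser(tenantId: string, userId: string): string[];
  roleDefinition(tenantId: string, roleName: string): Role | undefined;
}

// Constructed sample hierarchy for tenant-a: SuperAdmin > TenantAdmin > Editor > Viewer.
const sampleRoles: Role[] = [
  { name: "Viewer", permissions: ["doc:read"] },
  { name: "Editor", parent: "Viewer", permissions: ["doc:write"] },
  { name: "TenantAdmin", parent: "Editor", permissions: ["user:manage", "role:manage"] },
  { name: "SuperAdmin", parent: "TenantAdmin", permissions: ["tenant:manage"] },
];

export class PermissionResolver {
  // Cache key is tenant + user, so a hit can never cross a tenant boundary.
  private cache = new Map<string, { perms: Set<string>; expiresAt: number }>();

  constructor(
    private readonly dir: RoleDirectory,
    private readonly ttlMs: number = 5 * 60_000,
    private readonly now: () => number = () => Date.now(),
  ) {}

  // Materialise the effective permission set, serving from cache while the entry is live.
  effectivePermissions(tenantId: string, userId: string): Set<string> {
    const key = `${tenantId}:${userId}`;
    const hit = this.cache.get(key);
    if (hit && hit.expiresAt > this.now()) return hit.perms;
    const perms = new Set<string>();
    for (const roleName of this.dir.rolesForUser(tenantId, userId)) {
      this.walk(tenantId, roleName, perms, new Set());
    }
    this.cache.set(key, { perms, expiresAt: this.now() + this.ttlMs });
    return perms;
  }

  // Depth-first walk up the parent chain; 'seen' guards against a cyclic definition.
  private walk(tenantId: string, roleName: string, out: Set<string>, seen: Set<string>): void {
    if (seen.has(roleName)) return;
    seen.add(roleName);
    const role = this.dir.roleDefinition(tenantId, roleName);
    if (!role) throw new Error(`unknown role ${roleName}`);
    role.permissions.forEach(p => out.add(p));
    if (role.parent) this.walk(tenantId, role.parent, out, seen);
  }

  // Fail-secure decision: any error during resolution is a deny, and the reason is
  // returned alongside the decision so the caller can log it.
  check(tenantId: string, userId: string, permission: string): { allowed: boolean; outcome: string } {
    try {
      const allowed = this.effectivePermissions(tenantId, userId).has(permission);
      return { allowed, outcome: allowed ? "granted" : "denied" };
    } catch (err) {
      return { allowed: false, outcome: `denied:resolver-error:${(err as Error).message}` };
    }
  }
}

// In-memory directory over the constructed data. Only tenant-a has roles defined;
// 'mallory' is assigned a role that does not exist, to exercise the error path.
export function sampleDirectory(failing = false): RoleDirectory {
  const byTenant = new Map<string, Map<string, Role>>([
    ["tenant-a", new Map(sampleRoles.map((r): [string, Role] => [r.name, r]))],
  ]);
  const assignments = new Map<string, string[]>([
    ["tenant-a:alice", ["Editor"]],
    ["tenant-a:root", ["SuperAdmin"]],
    ["tenant-a:mallory", ["Ghost"]],
  ]);
  return {
    rolesForUser(t, u) {
      if (failing) throw new Error("directory unavailable");
      return assignments.get(`${t}:${u}`) ?? [];
    },
    roleDefinition(t, r) {
      return byTenant.get(t)?.get(r);
    },
  };
}
```

The clock is injected rather than read from Date.now() so that cache expiry can be tested deterministically; swapping the in-memory Map for Redis would only change the two cache lines, which is the shape the page's "one config line" swap implies.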

Multi-Tenant architecture.

TenantId is a first-class citizen at every layer. It is not a filter you add later — it is a structural constraint baked into the data model, API contracts, and UI rendering.

Database Layer

  • TenantId on every tenant-scoped table
  • All queries include TenantId filter — enforced via repository base class
  • No raw SQL that bypasses the tenant filter
  • Optional: separate DB per large tenant

API Layer

  • TenantId resolved from JWT claim on every request
  • No API endpoint operates without a resolved tenant context
  • Cross-tenant access returns 403, not 404 — no data leak via timing
  • Tenant resolution tested in unit and integration test suites
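The database-layer and API-layer constraints above, as an added TypeScript example (not Passport's code; the repository shape, the claim names and the sample users are constructed). The base repository exposes only tenant-filtered queries, so a subclass cannot forget the filter, and the handler refuses a request with no resolved tenant (401), answers 403 when the token's tenant differs from the route's tenant, and only then runs the tenant-scoped lookup:

```typescript
// Added example, not Passport's own code. Constructed types and sample data.
export interface TenantScoped { tenantId: string; id: string }

// Base repository: the only query path is tenant-filtered. There is deliberately no
// un-scoped accessor, so "forgetting the TenantId filter" is not expressible.
export abstract class TenantRepository<T extends TenantScoped> {
  constructor(private readonly rows: readonly T[]) {}

  protected query(tenantId: string): T[] {
    return this.rows.filter(r => r.tenantId === tenantId);
  }

  findById(tenantId: string, id: string): T | undefined {
    return this.query(tenantId).find(r => r.id === id);
  }

  list(tenantId: string): T[] {
    return this.query(tenantId);
  }
}

export interface User extends TenantScoped { email: string }
export class UserRepository extends TenantRepository<User> {}

// Claims as handed over by an (assumed) JWT middleware that has already verified
// the signature. 'tid' is the constructed name for the tenant claim.
export interface Claims { sub: string; tid?: string }

export interface Response { status: number; body?: unknown }

// Handler for GET /tenants/:routeTenant/users/:userId (constructed route).
export function getUserHandler(
  repo: UserRepository,
  claims: Claims | null,
  routeTenant: string,
  userId: string,
): Response {
  // No resolved tenant context: the endpoint does not operate at all.
  if (!claims || !claims.tid) return { status: 401 };
  // Token tenant and route tenant disagree: forbidden, not "not found".
  if (claims.tid !== routeTenant) return { status: 403 };
  // Lookup is tenant-scoped by construction; an id from another tenant is simply absent.
  const user = repo.findById(claims.tid, userId);
  return user ? { status: 200, body: user } : { status: 404 };
}

// Constructed sample data: two tenants, one user each.
export const sampleUsers = new UserRepository([
  { tenantId: "tenant-a", id: "u1", email: "alice@example.com" },
  { tenantId: "tenant-b", id: "u2", email: "bob@example.com" },
]);
```

Note the two different outcomes for "wrong tenant": a request whose token belongs to tenant-a but targets tenant-b's route is rejected before any data access (403), while a request correctly scoped to tenant-a that asks for an id that only exists in tenant-b never sees that row and gets a plain 404.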

UI Layer

  • React context carries TenantId throughout component tree
  • All data fetching hooks pass TenantId as a required parameter
  • White-label theming — each tenant can have its own logo and colour scheme
  • Tenant-scoped feature flags

Tenant Provisioning

  • Tenant creation via Admin Dashboard or API
  • Default roles assigned on creation
  • Invite flow sends tenanted registration links
  • Tenant deactivation suspends all users in that tenant atomically

Quality & Security.

IAM is not a place to cut corners. Passport is built on engineering fundamentals that make security properties provable, not hopeful.

630+ Unit Tests

Tests cover authentication flows, permission resolution, tenant isolation, token lifecycle, and every critical path. 95% pass rate. Remaining 5% are in-progress compliance edge cases.

bcrypt Password Hashing

All passwords are stored as bcrypt hashes with configurable cost factor. Plain-text passwords never touch the database. Password comparison is always timing-safe.

CSRF Protection

Anti-CSRF tokens on all state-mutating endpoints. Token rotation on session elevation. SameSite cookie policy enforced. Tested against standard OWASP CSRF attack patterns.

Rate Limiting

Per-user, per-IP, and per-tenant rate limits on authentication endpoints. Sliding window algorithm. Configurable limits per environment. Redis-backed for distributed deployments.
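The layered sliding-window limiter described above, as an added TypeScript example (not Passport's code; the limits, key formats and the injectable clock are constructed). Each dimension keeps the timestamps of recent attempts; a request is admitted only if it is under the user, IP and tenant limits at once, and budget is consumed only for admitted requests so that a rejection on one dimension does not burn budget on the others:

```typescript
// Added example, not Passport's own code. Constructed limits, keys and clock.
export interface AuthAttempt { tenantId: string; userId: string; ip: string }

// One sliding window per key: attempts older than windowMs fall out as time moves on.
export class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();

  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // Prune expired timestamps, store the live list back, and return it.
  private recent(key: string, now: number): number[] {
    const live = (this.hits.get(key) ?? []).filter(ts => now - ts < this.windowMs);
    this.hits.set(key, live);
    return live;
  }

  exceeded(key: string, now: number): boolean {
    return this.recent(key, now).length >= this.limit;
  }

  record(key: string, now: number): void {
    this.recent(key, now).push(now);
  }
}

export interface Dimension {
  name: string;
  limiter: SlidingWindowLimiter;
  key: (a: AuthAttempt) => string;
}

export class AuthRateLimiter {
  constructor(
    private readonly dims: Dimension[],
    private readonly now: () => number = () => Date.now(),
  ) {}

  // Check every dimension first; record only when all of them admit the attempt.
  check(a: AuthAttempt): { allowed: boolean; reason?: string } {
    const t = this.now();
    for (const d of this.dims) {
      if (d.limiter.exceeded(d.key(a), t)) return { allowed: false, reason: d.name };
    }
    for (const d of this.dims) d.limiter.record(d.key(a), t);
    return { allowed: true };
  }
}

// Constructed policy: 3 attempts per user, 5 per IP, 8 per tenant, each per 60 s.
// The user key is tenant-qualified so the same username in two tenants is counted apart.
export function sampleLimiter(now: () => number): AuthRateLimiter {
  return new AuthRateLimiter(
    [
      { name: "user", limiter: new SlidingWindowLimiter(3, 60_000), key: a => `${a.tenantId}:user:${a.userId}` },
      { name: "ip", limiter: new SlidingWindowLimiter(5, 60_000), key: a => `ip:${a.ip}` },
      { name: "tenant", limiter: new SlidingWindowLimiter(8, 60_000), key: a => `tenant:${a.tenantId}` },
    ],
    now,
  );
}
```

The in-memory Map is the single-instance form; in a distributed deployment the per-key timestamp list is what would move to Redis, with the same check-then-record ordering preserved so that all API instances see one shared budget.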

SOLID Principles

Clean Architecture throughout: presentation, application, domain, and infrastructure layers are strictly separated. Every dependency points inward. Easy to extend, safe to change.

Enterprise Compliance Progress

70% deployment-ready. Enterprise compliance controls (SOC2 Type II, HIPAA BAA support) in active development. GDPR data export and deletion tooling included in current release.

Protocol support.

Open standards coverage for every integration your customers will ask for.

  • Discourse Connect: Live
  • OAuth 2.0 Social: Live (Google, GitHub, Microsoft)
  • SAML 2.0: In Roadmap
  • OIDC: In Roadmap

Technology stack.

Modern, standard, easy to hire for. No exotic dependencies — just well-understood technologies used correctly.

Frontend

  • React 18 with TypeScript
  • Zustand for state management
  • Vite for build tooling
  • 5 independent single-page applications
  • Shared component library across all apps

Backend

  • ASP.NET Core — API and business logic
  • Clean Architecture with CQRS pattern
  • SQL Server (primary data store)
  • Redis (optional session & permission cache)
  • Entity Framework Core — migrations, seeding

Architecture

  • 27 packages — 22 libraries + 5 apps
  • Monorepo with independent deployable units
  • Provider interfaces — no vendor lock-in at code level
  • Multi-tenant by structural constraint
  • Docker-ready deployment

Testing

  • 630+ unit tests (xUnit / Vitest)
  • 95% test pass rate
  • Provider contracts verified in test suite
  • Tenant isolation tested at every boundary
  • CI pipeline runs full suite on every commit

Ready to deploy enterprise IAM?

Talk to us about licensing Passport for your platform. Deploy in 1–2 weeks.