IAM + PIM + Verifiable Credentials

ZenoAuth

Three Products. One Binary.

Enterprise identity management, privileged access management, and verifiable credentials in a single 16 MB Rust binary. OAuth 2.0, OpenID Connect, SCIM v2, native Microsoft Entra ID provisioning, and W3C Verifiable Credentials — no complexity, no per-user fees, no vendor lock-in.

  • 3-in-1: IAM + PIM + VC
  • 16 MB binary size
  • 157+ API endpoints
  • 0 standing privileges
Philosophy

One Binary. Complete Control.

Complexity is the enemy of security. ZenoAuth replaces three separate products — IAM, PIM, and credential management — with a single binary that depends only on PostgreSQL.

  • 16 MB binary (vs 300+ MB for Keycloak)
  • 1 dependency (PostgreSQL)
  • <50 MB memory footprint
  • <8 ms token validation

Verifiable Credentials

Native W3C Verifiable Credentials with SD-JWT selective disclosure. Issue credentials to digital wallets, accept them as login methods, and bridge organizational trust boundaries.

SD-JWT Credential Issuance (OID4VCI)

Issue RFC 9901 SD-JWT credentials that users store in digital wallets like ZenoWallet (zenowallet.eu). Selective disclosure lets holders share only the claims needed — prove employment at Acme Corp without revealing role or salary.

  • Authorization code & pre-authorized issuance flows
  • Credential offer delivery via email and QR code
  • ECDSA P-256 signing (OID4VC HAIP compliant)
  • Bitstring Status List for privacy-preserving revocation

# Issue a credential offer
POST /api/v1/credentials/offers
{
  "credential_type": "EmployeeCredential",
  "subject_id": "usr_abc123",
  "claims": {
    "employer": "Acme Corp",
    "department": "Engineering",
    "clearance": "confidential"
  },
  "delivery": "email"
}
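The selective-disclosure step behind that offer, as an added example that is not ZenoAuth's own code: the RFC 9901 salted-digest mechanism that lets a holder reveal "employer" while keeping "department" and "clearance" private. It uses only the Python standard library, and the JWS signature over the issuer payload (ECDSA P-256 in ZenoAuth) is assumed to happen outside this snippet; only the digest and disclosure logic is shown.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disclosure(name: str, value) -> str:
    # RFC 9901 disclosure: base64url(JSON [salt, claim name, claim value]) with a random 128-bit salt.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode("utf-8"))

def disclosure_digest(disclosure: str) -> str:
    # The digest is SHA-256 over the ASCII bytes of the base64url-encoded disclosure string.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(subject: str, claims: dict):
    """Issuer side: payload to be JWS-signed (signing omitted here) plus every disclosure."""
    disclosures = [make_disclosure(k, v) for k, v in claims.items()]
    payload = {"sub": subject, "_sd_alg": "sha-256",
               "_sd": sorted(disclosure_digest(d) for d in disclosures)}  # sorted hides claim order
    return payload, disclosures

def verify(payload: dict, presented: list) -> dict:
    """Verifier side: accept only disclosures whose digest appears in _sd and rebuild those claims."""
    if payload.get("_sd_alg") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    allowed, revealed = set(payload["_sd"]), {}
    for d in presented:
        if disclosure_digest(d) not in allowed:
            raise ValueError("disclosure does not match any _sd digest")  # forged or foreign disclosure
        _salt, name, value = json.loads(b64url_decode(d))
        if name in revealed or name in payload:
            raise ValueError("duplicate claim %r" % name)
        revealed[name] = value
    base = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    return {**base, **revealed}

# Constructed sample mirroring the EmployeeCredential offer above (not real ZenoAuth data).
PAYLOAD, DISCLOSURES = issue("usr_abc123", {
    "employer": "Acme Corp", "department": "Engineering", "clearance": "confidential"})

def present(names: set) -> dict:
    """Holder side: forward only the disclosures for the named claims, then verify the result."""
    chosen = [d for d in DISCLOSURES if json.loads(b64url_decode(d))[1] in names]
    return verify(PAYLOAD, chosen)

if __name__ == "__main__":
    print(present({"employer"}))  # employer revealed; department and clearance stay private
```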

Wallet-Based Authentication (OID4VP)

Accept verifiable credentials from digital wallets like ZenoWallet as a login method. Cryptographic signature validation, status checking, and automatic claims-to-RBAC mapping.

SCIM-to-VC Pipeline

When HR provisions a user via SCIM, a credential offer is generated automatically. The user receives it by email and adds it to their wallet. Zero manual intervention.

Multi-Tenant Issuance

Each organization gets a unique issuer DID (did:web), separate signing keys, credential types, and trust registries. Full isolation in shared deployments.

Credential-Augmented RBAC

Map credential claims to roles via a rules engine. Conditions like clearance_level >= secret can auto-grant roles.

Cross-Org Federation

Invitation-based trust between ZenoAuth instances. Accept credentials from partner organizations without SAML or OIDC federation setup — just trust their DID.

EU Trusted List (eIDAS 2.0)

Syncs with the EU eIDAS Trusted List — 4,658 trust service providers from 31 EU/EEA states. Ready for the EU Digital Identity Wallet mandate (December 2026).

Standards: OID4VCI 1.0 · OID4VP 1.0 · SD-JWT (RFC 9901) · W3C VC Data Model 2.0 · Bitstring Status Lists · did:web · DCQL · Presentation Exchange 2.0 · EU eIDAS 2.0

Privileged Identity Management

Zero standing privileges with just-in-time access elevation, approval workflows, and cryptographic proof of every privileged action. CyberArk and BeyondTrust sell PIM starting at $70/user/month — ZenoAuth ships it in the same 16 MB binary.

Just-In-Time Privilege Elevation

No permanent admin access. Users request elevated roles with justification and duration. Access auto-expires — no stale superadmin accounts. Full audit trail with ticket cross-references and NIST assurance gating.

  • Time-bound elevation with automatic expiry
  • MFA required before elevation (assurance-gated)
  • Full audit trail with ticket cross-references
  • Webhook notifications on request, approval, activation, expiry

# Request privilege elevation
POST /api/v1/pim/elevations
{
  "role": "database-admin",
  "justification": "INC-4521 prod fix",
  "duration_minutes": 30,
  "ticket_ref": "JIRA-4521"
}

# Response: Pending approval
{
  "status": "pending_approval",
  "approvers": ["security-team"],
  "expires_at": "2026-03-15T14:30:00Z"
}

Approval Workflows

Configurable policies per role: manual review by approvers, conditional auto-approval for trusted patterns (e.g., SRE with linked incident auto-approved for 30 min).

Break-Glass Emergency Access

P1 at 3 AM? On-call engineers get immediate superadmin access with enhanced audit logging, mandatory post-incident review, and automatic security team notifications.

VC Privilege Tokens

Approved elevations produce signed SD-JWT credentials. Resource servers verify locally using the issuer's public key — no ZenoAuth callback needed. Offline-verifiable and legally admissible.

NIST Assurance-Gated Elevation

Privilege level scales with identity assurance. Read-only = password sufficient. Admin = MFA required. Break-glass = hardware token mandatory. Maps to NIST 800-63-4 IAL/AAL.

Microsoft Entra ID Connector

Native outbound provisioning to Entra ID via the Microsoft Graph API. ZenoAuth becomes your authoritative identity source while Entra ID stays in sync as a downstream replica. No middleware, no SailPoint, no CyberArk.

One Source of Truth

Manage all identities in ZenoAuth and let the Entra ID connector keep Microsoft 365 in sync. Full, delta, and event-driven sync modes with nested group hierarchy preservation.

  • Multi-tenant: one ZenoAuth instance provisioning many Entra tenants
  • Configurable attribute mapping with transforms
  • Hash-based change detection & conflict resolution
  • Schema extensions for bidirectional tracing

# Configure Entra ID connector
POST /api/v1/connectors/entra
{
  "tenant_id": "contoso.onmicrosoft.com",
  "client_id": "app-registration-id",
  "sync_mode": "event_driven",
  "group_sync": true,
  "attribute_map": {
    "department": "companyName",
    "title": "jobTitle"
  }
}

Standards

Complete Protocol Support

Full implementation of industry-standard authentication, provisioning, and credential protocols.

OIDC Conformance: Passed with Zero Remarks

OpenID Connect certification tests completed with full compliance — no warnings, no errors.

OAuth 2.0 + PAR

Authorization Code with PKCE, Client Credentials, Device Authorization, Dynamic Client Registration (RFC 7591), and Pushed Authorization Requests (RFC 9126).

OpenID Connect

Full OIDC with discovery, UserInfo, token introspection, revocation, JWKS, and Ed25519 JWT signing.

Bidirectional SCIM v2

Inbound from Okta, Azure AD, Google Workspace. Outbound to Slack, ServiceNow, and more. Nested groups with transitive membership resolution.

LDAP/AD Sync

Synchronize from Active Directory and LDAP directories with scheduled sync, custom attribute mapping, and conflict resolution.

Security

Multi-Factor Authentication & Cryptography

Comprehensive MFA options and industry-leading cryptographic standards to secure every access point.

Authentication Methods

  • TOTP (Google Authenticator, Authy)
  • WebAuthn / Passkeys (FIDO2)
  • SMS and Email OTP
  • Magic Links (passwordless)
  • Emergency break-glass codes

Cryptographic Standards

  • Ed25519 JWT signing (~64K sig/sec)
  • Argon2id password hashing (65 MB memory-hard)
  • TLS 1.3 (ChaCha20-Poly1305 / AES-256-GCM)
  • Automatic key rotation with grace periods
  • Cluster-aware key propagation

External SSO

  • SAML 2.0 and OpenID Connect federation
  • Google Workspace, Azure AD, Okta
  • Attribute mapping & claim transformation
  • JIT user provisioning from SSO
  • Federation metadata auto-refresh

Enterprise

Built for Business

Everything enterprises need for identity management, compliance, and operations.

Hierarchical RBAC

Role inheritance, custom resource:action permissions, organization-scoped isolation, and nested group membership with transitive resolution.

GDPR & Compliance

Data export, user deletion with grace periods, consent management, crypto-shredding. SOC 2, HIPAA, CCPA, and GDPR compliant by design.

White-Label & Custom Domains

Serve auth flows from your own domain with automatic TLS provisioning. Full branding customization for a seamless user experience.

Admin Dashboard & Analytics

Real-time metrics, usage analytics, comprehensive audit logging, and compliance reporting in a modern admin interface.

Deployment

Interface-Split Architecture

One binary deployed across four isolated Kubernetes planes with separate Envoy Gateway fleets. Smaller blast radii than multi-service architectures.

Auth Plane (Public)

/auth/*, /oauth/*, /.well-known/*, /scim/v2/* — 3–20+ replicas with HPA, rate limiting, DDoS protection.

Admin Plane (Internal)

/api/v1/*, /admin/* — VPN-only access, 2–3 replicas, restricted to internal CIDR ranges.

PIM Plane (Privileged)

/api/v1/pim/* — Internal mesh only, 2 active-active replicas on hardened nodes with dedicated node pools.

Break-Glass Plane

/api/v1/pim/break-glass — Jump host IPs only (2–3 IPs), 1–2 replicas, enhanced audit logging.

Comparison

ZenoAuth vs. The Competition

| Feature                | ZenoAuth          | Keycloak            | Auth0       | Okta        |
|------------------------|-------------------|---------------------|-------------|-------------|
| Binary Size            | 16 MB             | 300+ MB             | N/A (SaaS)  | N/A (SaaS)  |
| Memory Usage           | ~50 MB            | 500+ MB             | N/A         | N/A         |
| Dependencies           | PostgreSQL only   | JVM, DB, Infinispan | External    | External    |
| Self-Hosted            | Native            | Yes                 | No          | No          |
| Built-in PIM           | Yes (native)      | No                  | No          | No          |
| Verifiable Credentials | OID4VCI + OID4VP  | No                  | No          | No          |
| Entra ID Connector     | Native            | Via plugin          | Yes         | Yes         |
| Cost (5K users/year)   | From €240         | Free (ops cost)     | ~€30K–90K   | ~€120K+     |

Take Control of Identity

Deploy enterprise IAM, privileged access management, and verifiable credentials in minutes. One binary, one dependency, zero per-user fees.