Authentication
Backbuild supports enterprise authentication through single sign-on, multi-factor authentication, and configurable session and lockout policies. All authentication events are recorded in a tamper-evident audit log with user attribution.
Single sign-on
- SAML 2.0: supported for enterprise identity providers with signed assertions, audience validation, and replay protection.
- OpenID Connect: supported via standards-compliant OIDC with PKCE for authorization code flows, nonce and state validation, and ID token signature verification.
- Identity providers: any IdP that supports SAML 2.0 or OIDC can be configured. Common providers include Okta, Microsoft Entra ID, Google Workspace, and JumpCloud.
- Just-in-time provisioning: users are provisioned on first successful SSO authentication and mapped to organization-scoped roles per the customer's configuration.
- Identity unlinking: when an IdP link is removed, all active sessions belonging to that identity are revoked immediately.
Multi-factor authentication
- IdP-asserted MFA: Backbuild relies on the customer's identity provider to perform MFA and to assert that MFA was used, via the OIDC amr claim or the SAML AuthnContextClassRef element.
- Per-organization policy: each organization can enable a require_mfa policy that rejects any authentication assertion that does not indicate MFA was performed.
- Enforcement point: MFA verification is enforced at login and at step-up moments for sensitive operations where configured.
- Audit: MFA method and assertion context are captured in the authentication audit log for later review.
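The require_mfa evaluation described above, as an added illustration (not Backbuild's own code): it reads the MFA indicator from an OIDC amr claim or a SAML AuthnContextClassRef, treats anything unrecognized as single-factor, and produces the outcome plus MFA context that the audit log would capture. The amr values (RFC 8176) and the SAML context URIs are standard identifiers; the policy and assertion dictionary shapes, function names and sample assertions are assumptions for this example.

```python
"""Evaluate a require_mfa policy against an SSO assertion's MFA indicators.

Added illustration, not Backbuild's code. The amr values (RFC 8176) and the
SAML AuthnContextClassRef URIs are standard identifiers; the policy shape,
function names and sample assertions are constructed assumptions.
"""
# RFC 8176 amr values grouped by factor type; "mfa" asserts multiple factors itself.
AMR_FACTOR_TYPE = {
    "pwd": "knowledge", "pin": "knowledge", "kba": "knowledge",
    "otp": "possession", "hwk": "possession", "sc": "possession",
    "swk": "possession", "sms": "possession", "tel": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence", "vbm": "inherence",
}
# Allowlist: only these SAML contexts count as MFA; an unknown context is single-factor.
SAML_MFA_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "http://schemas.microsoft.com/claims/multipleauthn",
}

def amr_indicates_mfa(amr):
    """True if the OIDC amr claim shows "mfa" or factors of two different types."""
    values = set(amr or ())
    if "mfa" in values:
        return True
    factor_types = {AMR_FACTOR_TYPE[v] for v in values if v in AMR_FACTOR_TYPE}
    return len(factor_types) >= 2

def assertion_indicates_mfa(assertion):
    """Handle both protocols; a missing or unrecognized indicator means no MFA."""
    if assertion.get("protocol") == "oidc":
        return amr_indicates_mfa(assertion.get("amr"))
    if assertion.get("protocol") == "saml":
        return assertion.get("authn_context_class_ref") in SAML_MFA_CONTEXTS
    return False

def evaluate_login(policy, assertion):
    """Return an audit record: outcome plus the MFA context the IdP asserted."""
    mfa = assertion_indicates_mfa(assertion)
    if policy.get("require_mfa") and not mfa:
        outcome = "rejected: policy require_mfa not satisfied"
    else:
        outcome = "accepted"
    return {"outcome": outcome, "mfa_asserted": mfa,
            "mfa_context": assertion.get("amr") or assertion.get("authn_context_class_ref")}

# Constructed sample assertions (claims only; signature checks are assumed done upstream).
PASSWORD_ONLY_OIDC = {"protocol": "oidc", "sub": "alice", "amr": ["pwd"]}
OTP_OIDC = {"protocol": "oidc", "sub": "alice", "amr": ["pwd", "otp"]}
PASSWORD_ONLY_SAML = {"protocol": "saml", "sub": "bob",
    "authn_context_class_ref": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"}

if __name__ == "__main__":
    for a in (PASSWORD_ONLY_OIDC, OTP_OIDC, PASSWORD_ONLY_SAML):
        print(a["sub"], evaluate_login({"require_mfa": True}, a)["outcome"])
```

Two knowledge factors (pwd plus pin) do not count as MFA, and an unrecognized SAML context is deliberately treated as single-factor so that a misconfigured IdP fails closed.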
Session management
- Inactivity timeout: configurable per organization, with a default of 30 minutes of inactivity before the session must be re-authenticated.
- Absolute lifetime: sessions have a configurable absolute maximum lifetime after which re-authentication is required regardless of activity.
- Concurrent session limits: the number of simultaneous active sessions per user can be limited per organization policy.
- Revocation: sessions can be revoked by administrators, by the user, or automatically when the underlying SSO identity is unlinked or disabled.
- Tokens: session tokens are opaque, securely random, transmitted only over TLS, and bound to server-side state so that revocation is immediate.
Account lockout
Ten consecutive failed SSO authentication attempts trigger a 30-minute account lockout for the affected user. This threshold is aligned with PCI DSS v4.0 requirement 8.3.4. Administrators can review lockout events and, where appropriate, unlock accounts through a documented process that is itself audit logged.
Authentication audit logging
- Every successful and failed authentication event is recorded with user identifier, source IP, user agent, timestamp, outcome, and MFA assertion context.
- Session creation, refresh, and revocation events are recorded.
- Administrative actions on authentication (policy changes, lockouts, unlocks, identity unlinks) are recorded with the administrator's identity.
- Authentication logs are written to a tamper-evident, hash-chained audit store.
Contact
SSO configuration help or authentication questions: security@backbuild.ai