Security Overview
Flowstate provides enterprise-grade security controls to protect your workforce planning data. This section covers authentication, user provisioning, and security monitoring integrations.
Architecture
Flowstate's security architecture is built on four pillars:
| Pillar | Description |
|---|---|
| Authentication | Passwordless magic links, SAML 2.0, OAuth 2.0, domain routing |
| User Provisioning | SCIM 2.0 automated user and group lifecycle management |
| Authorization | Role-based access control with group-to-role mapping from your IdP |
| Security Monitoring | Real-time event streaming to your SIEM platform |
Authentication Methods
Flowstate supports multiple authentication methods. Each tenant can configure one or more auth providers, and users are routed to the correct provider based on their email domain.
Passwordless (Default)
Every Flowstate tenant ships with passwordless authentication via magic links. Users enter their email, receive a one-time link, and are signed in. No passwords to manage, rotate, or leak.
SAML 2.0
For organizations that require centralized identity management, Flowstate supports SAML 2.0 single sign-on. Configure your identity provider (Okta, Azure AD/Entra ID, OneLogin, Google Workspace, etc.) and bind it to one or more email domains.
See the SAML 2.0 Setup Guide for configuration steps.
OAuth 2.0
Flowstate also supports generic OAuth 2.0 providers. Use this when your identity provider does not support SAML or when you want to integrate with a custom OAuth authorization server.
See the OAuth 2.0 Setup Guide for configuration steps.
Domain-Based Routing
When a user enters their email to sign in, Flowstate checks the email domain (e.g., acme.com) against configured auth providers. If a SAML or OAuth provider is bound to that domain, the user is redirected to the appropriate IdP. If no provider matches, the user falls back to passwordless authentication.
This means you can have different authentication methods for different email domains within the same tenant -- for example, SAML for your corporate domain and passwordless for external consultants.
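The routing rule above also determines which accounts never pass through your IdP. The following sketch is an added example, not Flowstate's code or API: it models the rule so an administrator can list which addresses would fall back to passwordless. It assumes bindings are matched exactly against the lowercased domain (the page does not say how subdomains are treated); the function names, provider labels, and addresses are constructed.

```python
# Added example: names, bindings and addresses are constructed, not Flowstate's API.
from collections import defaultdict

PASSWORDLESS = "passwordless"

def email_domain(email):
    """Return the normalized domain of an address, or None if it is malformed."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain = domain.lower().removesuffix(".")
    if not local or not domain:
        return None
    try:
        return domain.encode("idna").decode("ascii")  # IDN -> ASCII form
    except UnicodeError:
        return None

def route(email, bindings):
    """Exact-match the domain against bound providers; otherwise fall back."""
    domain = email_domain(email)
    if domain is None:
        raise ValueError(f"malformed email address: {email!r}")
    return bindings.get(domain, PASSWORDLESS)

def sso_coverage(emails, bindings):
    """Group addresses by the auth method they would be routed to."""
    report = defaultdict(list)
    for email in emails:
        try:
            report[route(email, bindings)].append(email)
        except ValueError:
            report["rejected"].append(email)
    return dict(report)

# Constructed tenant configuration: domain -> provider label (assumed exact match).
BINDINGS = {"acme.com": "saml:corporate-idp", "labs.acme.com": "oauth:labs-as"}

# Constructed user list.
USERS = [
    "alice@acme.com",
    "Bob@ACME.COM",
    "carol@labs.acme.com",
    "dave@mail.acme.com",        # subdomain not bound -> passwordless
    "erin@consultants.example",  # external consultant
    "frank@acme.com.example",    # different domain that merely starts with acme.com
    "no-at-sign",
]

if __name__ == "__main__":
    for method, addrs in sso_coverage(USERS, BINDINGS).items():
        print(f"{method:20} {addrs}")
```

Reviewing the passwordless group against your directory shows which domains still need a binding if you expect every employee to sign in through the IdP.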
User Provisioning (SCIM 2.0)
Manually creating and deactivating user accounts is error-prone and does not scale. Flowstate supports the SCIM 2.0 standard so your identity provider can automatically:
- Create user accounts when people join your organization
- Update user attributes (name, email, group membership) when they change
- Deactivate accounts when people leave
See the SCIM 2.0 Provisioning Guide for setup instructions and IdP-specific guides.
Security Monitoring (SIEM)
Flowstate can stream security events to your SIEM platform in real time. Monitor authentication activity, configuration changes, API usage, and data access patterns from your central security console.
Supported platforms include Splunk, Microsoft Sentinel, and Datadog, plus any endpoint that accepts JSON webhooks.
See the SIEM Integration Guide for configuration details and example payloads.
Quick Links
| Page | Description |
|---|---|
| SAML 2.0 Setup | Configure SAML single sign-on with your IdP |
| OAuth 2.0 Setup | Configure OAuth 2.0 authentication |
| SCIM 2.0 Provisioning | Automate user and group lifecycle management |
| SIEM Integration | Stream security events to your monitoring platform |
| API Keys | API key creation, scoping, and management |
| Roles & Permissions | Role-based access control |
| Audit Logs | Activity logging and audit trail |
| API Authentication | API key format, scopes, and best practices |