Enterprise identity infrastructure

Your VPC. Your rules.
No vendor lock-in.

Bastionary runs entirely in your infrastructure. Your user data never leaves your servers. SAML SSO, SCIM provisioning, LDAP, FGA, and audit logs — all self-hosted, all yours.

Schedule a call → Security overview

Built for security teams, not around them.


SAML 2.0 SSO + SCIM

Connect to Okta, Azure AD, Google Workspace, PingOne, or any SAML IdP. SCIM 2.0 provisioning syncs groups and attributes automatically. JIT provisioning on first login.


Self-hosted in your VPC

Docker, Kubernetes, or bare metal. Your data stays on your infrastructure. Air-gapped deployments supported. No outbound calls to our servers required. (Optional HIBP breach-detection makes outbound range-query calls to haveibeenpwned.com; this can be disabled for fully offline or air-gapped deployments.)


Fine-grained authorization

ReBAC (Relationship-Based Access Control) built in. Define resource hierarchies, permission relationships, and role inheritance — all managed via API, not hardcoded.


Audit logs with chain integrity

Every auth event is logged: IP, device, user agent, risk score, outcome. Entries are SHA-256 hash-chained, so tampering with any log entry is detectable. SIEM-compatible JSON export.
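How a SHA-256 hash chain makes log tampering detectable, as an added illustration that is not Bastionary's own code: the entry layout, the genesis value and the sample events are assumptions, and the check flags the first entry whose link no longer verifies.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed: the prev_hash value recorded by the first entry of a chain

def _canonical(event: dict) -> bytes:
    # Deterministic serialisation so identical events always hash identically.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def _entry_hash(prev_hash: str, event: dict) -> str:
    # Each hash covers the previous entry's hash plus this event's fields,
    # so changing any earlier entry invalidates every hash after it.
    return hashlib.sha256(prev_hash.encode() + _canonical(event)).hexdigest()

def append_event(chain: list, event: dict) -> dict:
    """Append an auth event to the chain, linking it to the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    event = dict(event)  # store a copy so the caller's dict cannot alias the log
    entry = {"event": event, "prev_hash": prev_hash, "hash": _entry_hash(prev_hash, event)}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> tuple:
    """Recompute every link; return (True, None) or (False, index_of_first_bad_entry).

    Edited fields, deleted entries and reordered entries are all caught, because
    each breaks either the stored prev_hash link or the recomputed hash."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["event"]):
            return False, i
        prev_hash = entry["hash"]
    return True, None

# Constructed sample events using the fields the page lists (IP, device, user agent, risk score, outcome).
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T09:00:00Z", "user": "alice", "ip": "203.0.113.5", "device": "laptop-1",
     "user_agent": "Mozilla/5.0", "risk_score": 5, "outcome": "success"},
    {"ts": "2026-01-10T09:02:11Z", "user": "alice", "ip": "198.51.100.7", "device": "unknown",
     "user_agent": "curl/8.0", "risk_score": 80, "outcome": "denied"},
    {"ts": "2026-01-10T09:03:40Z", "user": "bob", "ip": "203.0.113.9", "device": "phone-2",
     "user_agent": "Mozilla/5.0", "risk_score": 10, "outcome": "success"},
]

def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain
```

Because anyone who can write the log can also recompute every hash after an edit, the latest hash should be exported out of band (the SIEM export is one place) so that a wholesale rewrite is caught as well.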

Your security team's checklist. Already done.

SOC 2 Type II: Audit evidence exporter (Q2 2026)
GDPR Article 17: Right-to-erasure API endpoint
PBKDF2/bcrypt: Password hashing, zero plain-text storage
RS256/ES256/EdDSA: Asymmetric JWT signing with JWKS rotation
DPoP tokens: RFC 9449 sender-constrained tokens
HIBP integration: Breach database check on every password set (can be disabled for air-gapped deployments)
Fernet encryption: PII field-level encryption at rest
Impossible-travel: ML-based location anomaly detection

LDAP / Active Directory

Direct LDAP bind authentication. Map AD groups to Bastionary roles. No SAML setup required for internal deployments.

SSO enforcement policies

Enforce SSO login for entire organizations. Block password auth once SSO is configured. Grace period for migration.

Delegated admin portals

Give enterprise customers a scoped admin panel to manage their own users, groups, and SSO config without accessing your superadmin.

PAR (Pushed Authorization Requests)

RFC 9126 — your authorization requests never touch the browser URL. Required by FAPI and Open Banking standards.

Multi-tenant isolation

Cryptographic tenant isolation. Tenant A cannot see tenant B's data by construction, not just by policy.

Custom retention policies

Configure audit log retention per compliance requirement. Automated purge jobs. Legal hold support.

Let's talk about your deployment.

We support air-gapped installs, custom SLAs, professional services, and migration assistance. Fill out the form and we'll respond same business day.

Contact sales →