Authentication & SSO
Ouva uses Supabase Auth for sign-in, session management, and access tokens.
Admin Console Authentication
Section titled “Admin Console Authentication”- The current web app supports account sign-in using magic link and password.
- Enterprise SSO supports OIDC and SAML 2.0 identity providers, including Microsoft Entra ID (Azure AD).
- If Entra SSO is not yet enabled in a deployment, it can be implemented as a configuration/integration step.
Tenant-Managed Identity and Security Policies
Section titled “Tenant-Managed Identity and Security Policies”When SSO is configured with a customer-managed identity tenant:
- Authentication can be routed through the customer identity provider.
- Conditional access and MFA policies can be enforced in that tenant.
- Ouva receives authenticated sessions/tokens after IdP policy evaluation.
Roles, Permissions, and Access Scope
Section titled “Roles, Permissions, and Access Scope”Ouva applies role-based access controls at the application and database layers.
- Admin and standard-user access paths are separated.
- Privileged operations are restricted to authorized admin users.
- Row-level security policies are used for least-privilege data access.
- User group management is supported for organizing users and access workflows.
Access can be restricted to specific customer-managed identity groups during SSO integration design (for example Entra group-to-role mapping).
If SSO group-to-role mapping is required (for example IdP group membership driving admin access), that can be implemented in the identity integration design.
Playback URL Authentication
Section titled “Playback URL Authentication”The sensory-room playback URL runs in the same authenticated platform model.
- Playback scene routes require an authenticated user session.
- Session access is token-based and managed by Supabase Auth.
- In deployments with SSO, playback sign-in can follow the SSO flow.
- In deployments without SSO, playback uses standard app account sign-in.
- Anonymous playback access is not enabled by default.
Kiosk and Shared Device Mode
Section titled “Kiosk and Shared Device Mode”Ouva supports shared-device kiosk deployments.
- Typical pattern: sign in once on the device, then run the browser in kiosk mode.
- Ongoing playback can run without repeated interactive sign-in while the authenticated session remains valid.
- Use dedicated device accounts with restricted permissions.
- Keep session scope limited to playback workflows and avoid admin roles on kiosk accounts.
- Device-level controls (such as claim/seat checks where enabled) can be used to limit access to authorized devices.