Skip to content

Authentication & SSO

Ouva uses Supabase Auth for sign-in, session management, and access tokens.

  • The current web app supports account sign-in using magic link and password.
  • Enterprise SSO supports OIDC and SAML 2.0 identity providers, including Microsoft Entra ID (Azure AD).
  • If Entra SSO is not yet enabled in a deployment, it can be implemented as a configuration/integration step.

Tenant-Managed Identity and Security Policies

Section titled “Tenant-Managed Identity and Security Policies”

When SSO is configured with a customer-managed identity tenant:

  • Authentication can be routed through the customer identity provider.
  • Conditional access and MFA policies can be enforced in that tenant.
  • Ouva receives authenticated sessions/tokens after IdP policy evaluation.

Ouva applies role-based access controls at the application and database layers.

  • Admin and standard-user access paths are separated.
  • Privileged operations are restricted to authorized admin users.
  • Row-level security policies are used for least-privilege data access.
  • User group management is supported for organizing users and access workflows.

Access can be restricted to specific customer-managed identity groups during SSO integration design (for example Entra group-to-role mapping).

If SSO group-to-role mapping is required (for example IdP group membership driving admin access), that can be implemented in the identity integration design.

The sensory-room playback URL runs in the same authenticated platform model.

  • Playback scene routes require an authenticated user session.
  • Session access is token-based and managed by Supabase Auth.
  • In deployments with SSO, playback sign-in can follow the SSO flow.
  • In deployments without SSO, playback uses standard app account sign-in.
  • Anonymous playback access is not enabled by default.

Ouva supports shared-device kiosk deployments.

  • Typical pattern: sign in once on the device, then run the browser in kiosk mode.
  • Ongoing playback can run without repeated interactive sign-in while the authenticated session remains valid.
  • Use dedicated device accounts with restricted permissions.
  • Keep session scope limited to playback workflows and avoid admin roles on kiosk accounts.
  • Device-level controls (such as claim/seat checks where enabled) can be used to limit access to authorized devices.