
Understand Identity Management

The Identity module is the central security and authentication engine of the GlobalAI platform. Built on the open-source authentik framework (GoAuthentik), this module provides a unified backend that lets you connect your existing enterprise directories and Single Sign-On (SSO) identity providers, such as Active Directory, Entra ID, Okta, or Google, directly to the platform.

The Identity module is designed for maximum deployment flexibility. It provides a self-contained authentication engine that gives you full control over your user data, supporting everything from internal private networks to external cloud-based identity providers.

Integrated Identity

GlobalAI uses the Identity module to manage the entire lifecycle of a user. Instead of managing separate credentials for different parts of the platform, this module acts as a single source of truth.

When you define a Group within the Identity module, it automatically syncs to the GlobalAI platform, where it appears as a Role. This lets you manage users and their group membership at the directory level while controlling feature access (role-based access control, RBAC) at the platform level: a user's platform permissions follow from the groups they hold in the Identity module.

Applications and Providers

To understand how GlobalAI handles access, you must understand the relationship between Applications and Providers. Each application is backed by exactly one provider (a 1-to-1 relationship).

  • Applications: These define the specific software or service being accessed. In this context, GlobalAI itself is the primary Application. The application record acts as the "entry point" and, through the policies bound to it, determines which users or groups are allowed to see and launch the platform from their dashboard.
  • Providers: These define the technical "handshake" used for authentication. A provider holds the protocol-specific settings, such as SAML, OAuth2/OIDC, or LDAP, through which GlobalAI authenticates its users against the Identity module. Note that the provider describes the GlobalAI side of the exchange only; the upstream directories and identity providers listed above are connected separately, as the sources the Identity module federates to.

The Identity Flow

Accessing the platform is not a single event but a process called a Flow. A Flow is a sequence of Stages that a user must complete to be authenticated.

A typical GlobalAI login flow follows these stages:

  1. Identification Stage: The user enters their username or email, which identifies the account the remaining stages act on.
  2. Authentication Stage: The user proves the claim, either with a password or by completing the SSO handshake with an upstream identity provider.
  3. Validation Stage: Policies bound to the flow (such as Reputation or GeoIP location) are evaluated against the request. A failing policy can deny the attempt outright or demand an additional factor (MFA) before it proceeds.
  4. Login Stage: A session is created for the user, who is then redirected to the GlobalAI dashboard.

Security and Reputation

The Identity module proactively protects the platform using Reputation Scores. The system tracks login attempts based on the user identifier and the client IP address to build a risk profile for every connection.

  • Successful Logins: Increment the reputation score (for example, +1).
  • Failed Logins: Decrement the reputation score (for example, -1).

Reputation Score Limits

Administrators can configure a Lower Limit and an Upper Limit for these scores within the System Settings. These boundaries act as a security hardening strategy:

  • Lower Limit: Defines the minimum possible score (for example, -5). A score can't decrease below this point regardless of how many more attempts fail. The lower limit therefore also bounds the cost of recovery: from -5, five consecutive successful logins bring the score back to 0.
  • Upper Limit: Defines the maximum possible score (for example, 5). Capping the score matters because every point above the threshold is one more failed attempt an attacker can make before the reputation policy fires. Without a cap, an account or address with a long history of successful logins could absorb dozens of failures, so a credential-guessing campaign against exactly the most-used accounts would run longest before being stopped.

Policy triggering

When a score falls below a configured threshold (such as 0), a Reputation policy evaluating that score fails, and the flow can respond by denying access or requiring additional verification, such as a CAPTCHA or Multi-Factor Authentication (MFA). The score is tracked per user identifier and per client IP address, so repeated failures from one address against many different accounts (password spraying) still drive that address's reputation below the threshold even though no single account accumulates many failures.
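The following is an added worked model of the reputation mechanism described above; it is not the Identity module's or authentik's own code. It keeps one score per (identifier, client IP) pair, adjusts it by +1 or -1 per login result, clamps it to the configured limits, and evaluates a reputation policy that sums every score matching the client IP or the identifier against a threshold. The default limits and threshold, the usernames and the addresses are assumptions chosen to match the figures in the text.

```python
"""Worked model of login reputation scoring.

Added example, not authentik's or GlobalAI's implementation. Limits,
threshold, usernames and IP addresses below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ReputationSettings:
    lower_limit: int = -5   # assumed defaults, matching the figures in the text
    upper_limit: int = 5
    threshold: int = 0      # policy fails once the summed score is below this


class ReputationTracker:
    def __init__(self, settings: Optional[ReputationSettings] = None) -> None:
        self.settings = settings or ReputationSettings()
        # one row per (identifier, client_ip); a pair never seen scores 0
        self.scores: Dict[Tuple[str, str], int] = {}

    def record(self, identifier: str, client_ip: str, success: bool) -> int:
        """Apply +1 for a successful login, -1 for a failed one, then clamp."""
        key = (identifier, client_ip)
        score = self.scores.get(key, 0) + (1 if success else -1)
        score = max(self.settings.lower_limit,
                    min(self.settings.upper_limit, score))
        self.scores[key] = score
        return score

    def reputation(self, identifier: str, client_ip: str,
                   check_ip: bool = True, check_username: bool = True) -> int:
        """Sum every row that matches the client IP and/or the identifier."""
        return sum(score for (ident, ip), score in self.scores.items()
                   if (check_ip and ip == client_ip)
                   or (check_username and ident == identifier))

    def policy_allows(self, identifier: str, client_ip: str) -> bool:
        """Reputation policy: pass while the summed score is at or above the
        threshold. A failing policy is where the flow denies or steps up to
        CAPTCHA/MFA."""
        return self.reputation(identifier, client_ip) >= self.settings.threshold


def failures_before_trigger(prior_successes: int, upper_limit: int) -> int:
    """Consecutive failed attempts an attacker gets against an account that
    earned `prior_successes` good logins from the same address before the
    policy triggers. Shows how the upper limit caps the guessing budget."""
    tracker = ReputationTracker(ReputationSettings(upper_limit=upper_limit))
    for _ in range(prior_successes):
        tracker.record("alice", "198.51.100.7", success=True)
    failures = 0
    while tracker.policy_allows("alice", "198.51.100.7"):
        tracker.record("alice", "198.51.100.7", success=False)
        failures += 1
    return failures


def spray_outcome() -> Tuple[bool, bool]:
    """Constructed password spray: one client IP fails once against each of
    eight usernames. Returns (policy result for a ninth username from that
    IP, policy result for the same username from a clean IP)."""
    tracker = ReputationTracker()
    for i in range(8):
        tracker.record(f"user{i}", "203.0.113.9", success=False)
    return (tracker.policy_allows("user8", "203.0.113.9"),
            tracker.policy_allows("user8", "198.51.100.7"))


def recovery_logins(lower_limit: int) -> int:
    """Successful logins needed to climb back to the threshold after the
    score has bottomed out at the lower limit."""
    tracker = ReputationTracker(ReputationSettings(lower_limit=lower_limit))
    for _ in range(50):                      # far more failures than the limit
        tracker.record("bob", "192.0.2.44", success=False)
    successes = 0
    while not tracker.policy_allows("bob", "192.0.2.44"):
        tracker.record("bob", "192.0.2.44", success=True)
        successes += 1
    return successes


if __name__ == "__main__":
    print("failures allowed, capped at 5:", failures_before_trigger(50, 5))
    print("failures allowed, no cap:     ", failures_before_trigger(50, 10_000))
    print("spray from bad IP / clean IP: ", spray_outcome())
    print("logins to recover from -5:    ", recovery_logins(-5))
```

Running the model makes the two limits concrete: with the cap at 5, an account with fifty prior successes still triggers the policy on its sixth consecutive failure, whereas without a cap the same account absorbs fifty-one; with the floor at -5, five successes are enough to recover; and a spraying address is blocked for a username it has never tried, while that same username from a clean address passes.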

Now that you understand the core concepts of Identity Management, you can explore these practical guides.