Identity & SSO

Unified Identity Layer for the Platform — One Secure Authentication Model for Every User and System

A standards-based identity and access management layer for the ProDigital suite: single sign-on across every product, OAuth2 with PKCE for third-party and machine-to-machine access, strong multi-factor authentication and role-based access control enforced consistently platform-wide.

One secure identity layer for the whole platform.

SSO: local · LDAP · OIDC
OAuth2 + PKCE
MFA: TOTP · WebAuthn
RBAC: capability-gated

Why ProIAM

Three things that set it apart

SINGLE SIGN-ON

Local, LDAP/AD and OIDC — one login for everything

Users, dealers, agents and machine accounts all authenticate against one identity model. Local credentials, enterprise directory (LDAP/Active Directory) and external OIDC providers are all first-class — not adapters bolted on.

OAUTH2 PROVIDER

Standards-based M2M and third-party access

ProIAM is a full OAuth2 authorization server with PKCE. External applications, partner portals and microservices obtain scoped tokens without sharing user credentials — aligned to RFC 6749 and RFC 7636.

CAPABILITY-GATED RBAC

Feature access enforced at the platform level

Roles map to capability sets. Every product in the suite checks the same capability model — so granting or revoking access to a feature applies instantly, everywhere, without per-product configuration.

Capabilities

What ProIAM does

Single sign-on (SSO)

Local username/password, LDAP/Active Directory and OIDC provider integration. One login session spans ProCRM, CatalogPro, FlowForge, ResourcePro, ProDocs and the admin portal.

OAuth2 + PKCE authorization server

Full OAuth2 authorization server (RFC 6749) with PKCE extension (RFC 7636) for public clients. Scoped access tokens for third-party integrations and machine-to-machine flows.
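The PKCE step the paragraph refers to, as an added example that is not ProIAM's code: the public client derives an S256 challenge from a random verifier (RFC 7636), and a small constructed in-memory authorization server stores that challenge with the issued code, then recomputes and compares it at the token endpoint. The class and function names are illustrative.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 code_verifier: 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43 URL-safe characters, the RFC minimum."""
    return secrets.token_urlsafe(nbytes)


def make_code_challenge(verifier: str) -> str:
    """S256 transform: base64url(SHA-256(verifier)) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, stored_challenge: str, method: str) -> bool:
    """Server side: recompute the challenge from the presented verifier.
    Only S256 is accepted; 'plain' exposes the verifier to anyone who can
    observe the authorization request, so it is refused here."""
    if method != "S256" or not _VERIFIER_RE.fullmatch(verifier):
        return False
    return hmac.compare_digest(make_code_challenge(verifier), stored_challenge)


class AuthorizationServer:
    """Constructed in-memory stand-in for the code-issue and token-exchange steps."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> (client_id, challenge, method)

    def issue_code(self, client_id: str, challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, challenge, method)
        return code

    def exchange(self, code: str, client_id: str, verifier: str):
        entry = self._pending.pop(code, None)  # authorization codes are single-use
        if entry is None or entry[0] != client_id:
            return None
        if not verify_code_challenge(verifier, entry[1], entry[2]):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```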

Multi-factor authentication

TOTP (time-based one-time passwords), WebAuthn (hardware keys and biometrics) and backup recovery codes. MFA enforced per role, per tenant or per user.

Capability-gated RBAC

Roles define capability sets. Features are gated by capability check — not hard-coded role strings — so permission changes propagate instantly across all products.
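What "gated by capability check, not role strings" and per-tenant isolation look like in code, as an added example rather than ProIAM's implementation: roles are defined per tenant as capability sets, each product's feature entry point asks only for a capability, and revoking a capability from a role takes effect on the next check everywhere. The in-memory store and the `require` decorator are constructed for this illustration.

```python
import functools
from collections import defaultdict


class CapabilityStore:
    """Constructed model of capability-gated RBAC with per-tenant isolation."""

    def __init__(self) -> None:
        # tenant -> role -> set of capability strings
        self._roles = defaultdict(dict)
        # tenant -> user -> set of role names
        self._users = defaultdict(lambda: defaultdict(set))

    def define_role(self, tenant: str, role: str, capabilities) -> None:
        self._roles[tenant][role] = set(capabilities)

    def assign_role(self, tenant: str, user: str, role: str) -> None:
        if role not in self._roles[tenant]:
            raise KeyError(f"role {role!r} is not defined in tenant {tenant!r}")
        self._users[tenant][user].add(role)

    def revoke_capability(self, tenant: str, role: str, capability: str) -> None:
        # One change to the role is seen by every product on its next check.
        self._roles[tenant][role].discard(capability)

    def capabilities(self, tenant: str, user: str) -> frozenset:
        # .get() avoids creating an entry for an unknown user; a user id in
        # another tenant resolves to no capabilities at all.
        roles = self._users[tenant].get(user, set())
        caps = set()
        for role in roles:
            caps |= self._roles[tenant].get(role, set())
        return frozenset(caps)

    def has(self, tenant: str, user: str, capability: str) -> bool:
        return capability in self.capabilities(tenant, user)


def require(store: CapabilityStore, capability: str):
    """Decorator a product applies to a feature entry point; the wrapped
    function takes the tenant and the acting user as its first two arguments."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(tenant, user, *args, **kwargs):
            if not store.has(tenant, user, capability):
                raise PermissionError(f"{user}@{tenant} lacks {capability}")
            return fn(tenant, user, *args, **kwargs)
        return wrapper
    return decorator
```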

Argon2id password hashing

Industry-leading Argon2id hashing with tunable parameters. Resistant to GPU brute-force attacks. Automatic rehash on login when parameters are upgraded.

Account lockout & device trust

Configurable lockout after N failed attempts. Device fingerprinting and trust management reduce MFA friction for recognized devices.

Session management

Configurable session TTL, max concurrent sessions per user (default 5), forced logout by admin and session listing for user self-service.

Per-tenant isolation

Each tenant has isolated user pools, role definitions and MFA policies. One ProIAM deployment secures multiple operators without cross-tenant leakage.

Audit log

Every login, token grant, MFA event, role change and session termination logged with timestamp, IP address, user agent and outcome.

Machine account support

Application party type in ProCRM maps to OAuth2 client credentials. M2M access scoped by capability — automated systems access only what they're authorized for.

In practice

How buyers use it

MVNO with dealer and agent portals

Three portals (customer self-service, dealer portal, agent CRM) backed by one ProIAM instance. Dealers authenticate via LDAP against the parent operator's Active Directory. Agents use TOTP MFA. Customers use local accounts.

One identity store, three portal experiences. Role changes apply instantly across all portals. No per-portal user management.

Enterprise SSO via Azure AD

An enterprise operator connects their existing Azure AD as an OIDC provider. Users log in with corporate credentials. ProIAM maps Azure AD groups to ProDigital capability sets with no code changes.

Zero new passwords for end users. IT manages access through existing AD group membership. ProIAM enforces the capability model across the full suite.

Third-party integration via OAuth2

A partner billing reconciliation system needs read access to order data. ProIAM issues a scoped OAuth2 client-credentials token with only the capabilities required — no user session, no shared password.

Least-privilege M2M access. Token revoked instantly when no longer needed. Full audit log of every API call made with that token.

Head to head

ProIAM vs the legacy approach

Capability          | Legacy approach                        | ProIAM
SSO providers       | One auth method, adapters for others   | Local + LDAP/AD + OIDC, all first-class
Third-party access  | Shared credentials or API keys         | OAuth2 + PKCE, scoped tokens
MFA options         | SMS OTP only, optional                 | TOTP + WebAuthn + recovery codes, enforceable
Feature permissions | Hard-coded role checks per product     | Capability model, enforced platform-wide
Password security   | bcrypt or weaker                       | Argon2id with tunable parameters
Multi-tenant        | Separate IAM per tenant                | Per-tenant isolation, one deployment

See ProIAM on your use case.

A 30-minute walkthrough on your scenario — ProIAM alone, or as part of the full platform.

Book a demo