Advanced IAM · Part of ESSPRO

One identity. Every channel.
Zero accidents.

Advanced IAM brings sovereign messaging into the same identity fabric as the rest of your stack — Active Directory, OIDC, SCIM — so the right people get the right access, and the wrong ones never get in by mistake.

Covers: LDAP / Active Directory · OIDC SSO · SCIM provisioning · MFA & risk-based auth
Centralised authentication

Stop running a parallel directory.

Most secure messaging tools force you to operate identity twice — once in your IdP, once in the tool. That's where leavers stay reachable, joiners wait days for access, and admin rights drift out of sync with HR.

Advanced IAM treats your identity provider as the single source of truth. Authentication, group membership, profile attributes, and admin privileges all flow from your existing infrastructure into AMVLET — with no duplicated state to babysit.

- Bind directly to LDAP, Active Directory, or any OIDC-compliant IdP.
- Inherit MFA, password policy, and risk signals from your IdP — no parallel rules.
- Sync user attributes, group memberships, and admin rights via SCIM.

Authentication flow

1. IdP: user signs in via Entra ID — MFA enforced
2. OIDC: token exchanged with AMVLET — claims read
3. SCIM: group memberships synced — rooms updated
4. Drop: contractor account expired — session revoked
Capabilities

Everything an identity team expects.
Plus what messaging needs.

Built for the controls regulated environments require — and the day-two operations identity teams actually have to run.

Single Sign-On

OIDC SSO against your existing IdP — Entra ID, Okta, Keycloak, ForgeRock, Ping, Auth0, Univention, or any OIDC-compliant provider. Inherit MFA, conditional access, and risk-based policies you've already invested in.

SCIM provisioning

Joiners, movers, and leavers flow from HRIS through your IdP into AMVLET automatically. Accounts are created, attributes updated, and access revoked without a ticket queue or manual sync.

Group access control

Room and Space membership is bound to directory groups. Sensitive channels accept only members carrying the right attribute — and unauthorised invites are withdrawn before the conversation begins.

Attribute sync

Display names, titles, contact details, and team mappings stay current with your directory. Profile drift is no longer something you have to manage on the messaging side.

Admin privilege sync

Operator and supervisor rights are derived from directory attributes — promotion or revocation in your IdP propagates to AMVLET in real time, eliminating standing privilege you forgot to remove.

MFA & conditional access

Step-up authentication, hardware-key enforcement, geo and device posture checks — whatever your IdP enforces for the rest of your stack now applies to AMVLET, with no shadow policy to keep aligned.

Works with

Plug into the identity layer you already run.

Tested against the providers our customers actually deploy — and any other OIDC-compliant IdP works out of the box.

- Keycloak: OIDC · Open source
- Microsoft Entra ID: OIDC · Conditional access
- Univention Nubus: LDAP · OIDC · SCIM
- Okta: OIDC · Risk-based auth
- Auth0: OIDC · Adaptive MFA
- Ping Identity: OIDC · Zero trust
- ForgeRock: OIDC · Federated
- Any OIDC IdP: Self-hosted or vendor
AMVLET · Room policy (illustrative room view)

#strike-package-review · Operations · Restricted · E2EE · IAM-bound
Policy: Members must hold AD group DEF-OPS-CLEARED

Member                        Directory groups             Status
Sara Chen · Lt. Col.          DEF-OPS-CLEARED, DEF-COMMS   Joined
Jonas Keller · Operator       DEF-OPS-CLEARED              Joined
R. Jakobs · Journalist        EXTERNAL · NO-CLEARANCE      Withdrawn
P. Voss · Contractor (left)   DEPROVISIONED                Removed

Logged to audit trail · 2 invites blocked. Synced with Entra ID.
Accidental invites

The Signalgate problem,
solved at the policy layer.

Consumer messengers let anyone be added to anything by anyone with the link. That's the design — and it's the design that produced a high-profile defence chat with a journalist sitting quietly in the room.

Advanced IAM binds room membership to directory attributes. If a person doesn't carry the required clearance group, an invite is automatically withdrawn — before they ever see a message, and before the room owner gets a chance to make the wrong call manually.

1. Room policy declares which directory groups confer membership.
2. Every invite is checked against the live directory at issuance time.
3. Unauthorised invites are silently withdrawn — and logged for audit.
4. If someone loses their group later, they're removed from the room automatically.
Lifecycle

Joiner. Mover. Leaver. Without a ticket queue.

The same identity events that drive your IdP also drive AMVLET — provisioning, role changes, and revocation happen automatically.

Joiner

HRIS event creates the user. SCIM provisions the AMVLET account, assigns Spaces, and applies admin attributes — before day one.

Mover

A team or role change in the directory shifts group memberships. Room access updates instantly to match the new posture.

Leaver

Departure flips the directory flag. Sessions are revoked, the account is disabled, and the user disappears from every room they were in.

Audit

Every join, move, leave, and blocked invite is written to the audit trail. Compliance gets the evidence without anyone exporting CSVs.
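The four-step invite policy above and the joiner/mover/leaver lifecycle are the same mechanism seen from two sides: a room names the directory groups that confer membership, every invite is evaluated against the live directory, and existing members are re-evaluated whenever the directory changes. The following is an added, self-contained illustration of that mechanism, not code from AMVLET or ESSPRO. It assumes a hypothetical in-memory directory (standing in for LDAP/AD or SCIM-pushed state), a room policy expressed as a set of required groups, and an in-memory audit list; all class and function names are invented for the example, and the users and groups mirror the room view shown earlier.

```python
"""Directory-bound room membership: invite check, mover resync, leaver deprovision.

Constructed example. The Directory class stands in for the IdP/AD that is the
single source of truth; in a real deployment it would be an LDAP lookup, OIDC
claims, or SCIM-synced state. All names here are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    uid: str
    display: str
    groups: set[str]
    active: bool = True


class Directory:
    """Hypothetical stand-in for the identity provider (source of truth)."""

    def __init__(self, users):
        self.users = {u.uid: u for u in users}

    def lookup(self, uid):
        # A live lookup: the result reflects the directory as it is right now.
        return self.users.get(uid)


@dataclass
class Room:
    name: str
    required_groups: set[str]  # step 1: policy declares the conferring groups
    members: set[str] = field(default_factory=set)


class PolicyEngine:
    def __init__(self, directory):
        self.directory = directory
        self.audit = []  # every decision is recorded here (step 3 / Audit)

    def _log(self, event, room, uid, reason):
        self.audit.append({"event": event, "room": room, "uid": uid, "reason": reason})

    def _allowed(self, room, uid):
        """Evaluate one user against one room's policy using the live directory."""
        user = self.directory.lookup(uid)
        if user is None or not user.active:
            return False, "deprovisioned"
        if not (user.groups & room.required_groups):
            return False, "missing " + "/".join(sorted(room.required_groups))
        return True, "ok"

    def invite(self, room, uid):
        # Step 2: the check happens at issuance, before any message is visible.
        ok, reason = self._allowed(room, uid)
        if ok:
            room.members.add(uid)
            self._log("joined", room.name, uid, reason)
        else:
            # Step 3: the invite is withdrawn, never delivered, and logged.
            self._log("invite_withdrawn", room.name, uid, reason)
        return ok

    def resync(self, room):
        # Step 4 / mover: re-evaluate current members after a directory change.
        removed = []
        for uid in sorted(room.members):
            ok, reason = self._allowed(room, uid)
            if not ok:
                room.members.discard(uid)
                removed.append(uid)
                self._log("removed", room.name, uid, reason)
        return removed

    def deprovision(self, uid, rooms):
        """Leaver: flip the directory flag, revoke sessions, drop from every room."""
        user = self.directory.lookup(uid)
        if user is not None:
            user.active = False
        self._log("session_revoked", "*", uid, "leaver")
        return {room.name: self.resync(room) for room in rooms}


def run_demo():
    """Replay the scenario from the room view: two cleared users join, an
    external journalist's invite is withdrawn, a mover loses access, a
    contractor leaves. Returns the room and the engine (with its audit log)."""
    directory = Directory([
        DirectoryUser("schen", "Sara Chen", {"DEF-OPS-CLEARED", "DEF-COMMS"}),
        DirectoryUser("jkeller", "Jonas Keller", {"DEF-OPS-CLEARED"}),
        DirectoryUser("rjakobs", "R. Jakobs", {"EXTERNAL"}),
        DirectoryUser("pvoss", "P. Voss", {"DEF-OPS-CLEARED"}),
    ])
    room = Room("#strike-package-review", {"DEF-OPS-CLEARED"})
    engine = PolicyEngine(directory)
    for uid in ("schen", "jkeller", "rjakobs", "pvoss"):
        engine.invite(room, uid)
    # Mover: the directory moves Jonas off the cleared group; the room follows.
    directory.lookup("jkeller").groups = {"DEF-COMMS"}
    engine.resync(room)
    # Leaver: P. Voss departs; sessions are revoked and membership is removed.
    engine.deprovision("pvoss", [room])
    return room, engine


if __name__ == "__main__":
    demo_room, demo_engine = run_demo()
    print("members:", sorted(demo_room.members))
    for entry in demo_engine.audit:
        print(entry)
```

Two design points matter in practice. The check reads the directory at decision time rather than a cached copy, so a group removal or a disabled account takes effect on the next evaluation without a separate cleanup job. And withdrawal of an unauthorised invite is itself an audit event with the reason attached, which is what lets a compliance team reconstruct the decision later or forward it to a SIEM.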

Questions

Frequently asked.

The questions identity architects, security leads, and compliance teams ask in the first call.

Q: Do we have to migrate identity to make Advanced IAM work?
A: No. Advanced IAM is built to consume the IdP you already operate. LDAP, Active Directory, or any OIDC-compliant provider stays the source of truth — AMVLET defers to it for authentication, claims, and group membership.

Q: Which protocols are supported?
A: OIDC for authentication and SSO, LDAP for directory binding, and SCIM 2.0 for provisioning. SAML federation is supported through a configurable bridge for environments that haven't moved off it yet.

Q: How does this prevent a Signalgate-style accidental invite?
A: Room membership is policy-bound to directory attributes — typically a clearance or team group. Every invite is checked against the live directory at issuance, and unauthorised invites are withdrawn automatically. The mistake doesn't get a chance to land.

Q: What happens when someone leaves the organisation?
A: The leaver event in your IdP triggers session revocation, account disablement, and immediate removal from every room and Space. Their messages remain in the audit trail; their access doesn't.

Q: Does Advanced IAM work in air-gapped deployments?
A: Yes. Advanced IAM runs on-cloud, self-hosted, and air-gapped. In air-gapped environments it binds to your internal LDAP/AD or self-hosted OIDC provider — no external network required.

Q: Can we enforce MFA, hardware keys, or device posture?
A: Whatever your IdP enforces, AMVLET inherits. Conditional access, hardware-key requirements, geo or device-posture checks — they apply to AMVLET sessions exactly as they apply to the rest of your stack.

Q: Is privilege change visible to compliance?
A: Every privilege grant, revocation, room policy change, and blocked invite is written to the immutable audit log. Compliance teams can stream the events to their SIEM and reconstruct any access decision after the fact.

Q: What does deployment look like?
A: Typically two to four weeks: connect the IdP, map directory groups to Spaces and rooms, define policies, dry-run with a pilot group, then turn on enforcement. Larger Active Directory estates or air-gapped builds run as a joint engineering exercise.

Bring messaging into your identity perimeter.

Wire AMVLET to your existing IdP, run a pilot Space with policy enforcement, and see the audit trail working in under two weeks.
