AxiPassAxiPass
Security

The SWA security model must be explainable before it is convenient

AxiPass operates SSO/OIDC, SAML, SCIM, SWA, and audit logs inside a clear tenant boundary.

SWA security model

Auto-login for non-SSO apps is handled as part of the access management workflow, not as a convenience-only feature.

  • SWA credentials are stored as Lockbox-encrypted data on the server side.
  • The extension runs on auto-login target pages, and permission-scope reduction is tracked as a security improvement before production distribution.
  • Credential use, autofill failures, and key activity can connect to audit logs.

Tenant isolation

AxiPass IdP domain models are separated through the Identity namespace and tenant scope.

  • Primary Identity models use acts_as_tenant, while audit logs are queried through tenant_id-based scopes.
  • Audit logs and app settings are queried by tenant boundary.
  • Operator and tenant console authorization boundaries stay separate.

Audit logs

Authentication, authorization, configuration changes, and SWA activity become standard security evidence.

  • Events are stored in UTC and displayed in the user's time zone.
  • CSV exports and ISMS-P PDF reports support security reviews and internal reporting according to plan eligibility.
  • Secrets are not included in logs, flash messages, or redirect parameters.

SCIM provisioning

Joiner, mover, and leaver workflows are managed at the IdP layer to reduce stale accounts.

  • Bearer tokens are treated as encrypted secrets.
  • Users and Groups endpoints rely on token authentication and tenant boundaries.
  • Conflicts and failures leave operator-visible traces.

What we do not claim, and what we must explain

Certification claims stay factual

We do not display external certifications or security audit reports as complete before they are actually complete.

Secrets are never plain-text UI data

OAuth client_secret, SCIM Bearer tokens, TOTP seeds, and SWA credentials are treated as Lockbox-encrypted secrets.

Logs are evidence, not a secret store

Audit logs record who accessed which app or setting and when. Passwords and MFA seeds are not stored in logs.