Stratam for Enterprise

Roll Stratam out to a whole team

OIDC SSO with every major IDP, SCIM 2.0 user lifecycle automation, audit log export, per-org white-label with custom domain — everything compliance and IT need to check the boxes.

SSO
OIDC Single Sign-On
Standards-compliant · PKCE

Sign in through your IDP — Google Workspace, Microsoft Entra (Azure AD), Okta, OneLogin, JumpCloud, Auth0, Keycloak — anything that speaks OIDC discovery.

  • PKCE authorization code flow (RFC 7636)
  • RS256 + ES256 id_token signature verification
  • Email-domain allowlist per provider
  • Auto-provision new users on first login (optional)
SCIM
SCIM 2.0 provisioning
RFC 7644 · Bearer auth

Your IDP pushes user lifecycle events — create, deactivate, group membership — to Stratam over standard SCIM 2.0 endpoints. No CSV uploads, no manual sync.

  • GET/POST/PATCH/PUT/DELETE /scim/v2/Users
  • GET/PATCH /scim/v2/Groups
  • Bearer tokens stored as SHA-256 only
  • Filter support: userName eq "..."
CSV
Audit log export
SOC2 evidence · CSV

Download every authentication, billing, and admin event in your org as a CSV. Window selectable: 7 / 30 / 90 / 365 days. Capped at 50k rows per export.

  • Streaming CSV — no full-file in memory
  • Exports themselves are audit-logged (audit_exports table)
  • Org-scoped — owners see their org, sys admins see all
WL
White-label brand
Per-org · custom domain

Override the product name, accent color, logo, and support email shown to your team. Point a CNAME at stratam.us and serve your org on ops.acme.com.

  • Per-org settings, no separate deployment
  • Hex-validated colors, domain-validated CNAME
  • Logo URL must be public HTTPS
ISO
Data isolation
Per-tenant · row-level

Every query scopes by user_id (or org_id) at the application layer. Cross-tenant access is impossible — not a permission rule, an architectural invariant.

  • Postgres 16 + pgvector for the data layer
  • Anthropic zero-retention LLM calls
  • Argon2id password hashing · TLS everywhere
SLA
Single-droplet today
HA on the roadmap

Stratam runs on a single DigitalOcean droplet with Caddy + auto-Let's Encrypt. Five 9s? Not yet — we're honest about that. Multi-region HA is the next infrastructure investment after enterprise sign-ups justify it.

Tested with

Every IDP that implements standard OIDC discovery and signs id_tokens with RS256 or ES256. The ones we've explicitly validated against:

  • Google Workspace: accounts.google.com
  • Microsoft Entra: login.microsoftonline.com
  • Okta: your-tenant.okta.com
  • OneLogin: your-tenant.onelogin.com
  • JumpCloud: oauth.id.jumpcloud.com
  • Authentik: your-host/application/o
  • Keycloak: your-host/realms/master
  • Auth0: your-tenant.auth0.com

SAML 2.0 support is on the roadmap for organizations that require it. OIDC covers the modern IDP set.

Setup, end to end

  1. Create the org at stratam.us/workspaces and invite your initial admins.
  2. Configure SSO at /admin/enterprise → paste your IDP's issuer URL, client ID, and client secret. We discover the rest.
  3. Generate a SCIM token on the same page — we show it once, you paste it into your IDP's SCIM provisioner.
  4. Test the login URL we generate — share it with your team.
  5. Optional white-label: set the org's product name + accent color, point a CNAME at stratam.us, register the custom domain.
  6. Export audit logs whenever compliance asks — CSV at /api/admin/audit/export.csv.

Total time end-to-end: 15-20 minutes once you have your IDP open in another tab.
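
What "we show it once" (step 3) and "Bearer tokens stored as SHA-256 only" imply on the server side, as an added sketch that is not Stratam's own code. The in-memory table, the function names, and the `scim_` prefix are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical stand-in for the token table: SHA-256 hex digest -> org id.
# The plaintext token is never written here.
TOKEN_DIGESTS = {}


def token_digest(token: str) -> str:
    # A plain, unsalted SHA-256 is acceptable only because the token is a
    # high-entropy random value; passwords need a slow hash such as Argon2id.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_scim_token(org_id: str) -> str:
    """Generate a token, persist only its digest, return the plaintext once."""
    token = "scim_" + secrets.token_urlsafe(32)  # 32 random bytes; prefix is assumed
    TOKEN_DIGESTS[token_digest(token)] = org_id
    return token  # caller displays this a single time and discards it


def authenticate(authorization_header):
    """Map an Authorization header value to an org id, or None if invalid."""
    if not authorization_header:
        return None
    scheme, _, presented = authorization_header.partition(" ")
    presented = presented.strip()
    if scheme.lower() != "bearer" or not presented:
        return None
    candidate = token_digest(presented)
    matched = None
    # Compare against every stored digest in constant time, without an
    # early exit, so timing does not reveal which entry (if any) matched.
    for stored, org_id in TOKEN_DIGESTS.items():
        if hmac.compare_digest(stored, candidate):
            matched = org_id
    return matched


def revoke_scim_token(token: str) -> bool:
    """Drop the digest for a token; returns True if it existed."""
    return TOKEN_DIGESTS.pop(token_digest(token), None) is not None
```

Because only the digest is kept, a lost token cannot be recovered from the database and has to be regenerated and pasted into the IDP again.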

Ready to roll Stratam out?

We're in closed beta. Email sales for an enterprise demo with a sandbox org pre-provisioned.
