# SSO & enterprise deployment

## Deployment models

| Model | Control plane | Ingress |
|-------|---------------|---------|
| SaaS | `app.blekline.com` | MCP stdio + `/api/ingress/v1/*` |
| Private tenant | Customer subdomain or VPC | Same API surface, customer data residency |
| Sidecar | Daytona / k8s pod | `packages/ingress-proxy` Docker image |

## SSO roadmap (SAML/OIDC)

Enterprise workspaces integrate with the IdP at the **dashboard** layer (NextAuth-compatible OIDC today). Planned SAML attributes:

- `email` → workspace membership mapping
- `groups` → role (`owner` / `admin` / `member`)
- `tenant_id` → workspace isolation

Until SAML ships, use:

1. Google / LinkedIn OAuth for pilot tenants
2. Workspace API tokens for agents (`mask:write`, `events:write`)
3. SCIM-style roster via `/api/workspace/roster` (existing)

## Policy push

Fleet sensors subscribe to `GET /api/workspace/policy-stream` (SSE). On `policy` events, refresh the local allow/deny caches for the MCP proxy and ingress sidecars.

## Hardening checklist

- [ ] Rotate workspace API tokens quarterly
- [ ] Set an MCP tool denylist for destructive tools (`rm`, `drop_database`, etc.)
- [ ] Enable ingress block mode (`BLEKLINE_INGRESS_BLOCK_HIGH_RISK=true`)
- [ ] Export audit logs to a SIEM (`/api/integrations/siem`)
- [ ] Run the Cursor model matrix QA (`demo/cursor/model-matrix.md`)

## Support

Enterprise leads: `/api/enterprise/lead` or sales@blekline.com.

---

**Next steps:** [AI Enablement Stack](/docs/introduction/ai-enablement-stack) · [Deployment](/docs/enterprise/deployment) · [Architecture](/docs/introduction/architecture) · [Open workspace](https://app.blekline.com) · [Report issue](https://github.com/Blekline/blekline-oss/issues/new?template=bug_report.yml)
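## Worked example: applying the planned SAML attribute mapping

The following is an added illustration, not Blekline project code, of how the three planned SAML attributes from the SSO roadmap section could be turned into a workspace membership decision on the dashboard side. The attribute names `email`, `groups` and `tenant_id` and the three roles come from this page; the convention that IdP group names end in the role name, the `expectedTenant` parameter and the `mapAssertion` function are assumptions made for the example.

```javascript
// Added example (not Blekline project code). Attribute names and roles are from
// the docs; the group-naming convention and `expectedTenant` are ASSUMPTIONS.

// Higher rank = more privilege; used to pick the single effective role.
const ROLE_RANK = { member: 1, admin: 2, owner: 3 };

// Assumed IdP convention: a group name ending in "owners"/"admins"/"members"
// grants that workspace role. Any other group grants nothing.
function roleFromGroup(group) {
  const g = String(group).trim().toLowerCase();
  if (g.endsWith('owners')) return 'owner';
  if (g.endsWith('admins')) return 'admin';
  if (g.endsWith('members')) return 'member';
  return null;
}

// Map a decoded SAML attribute set to a membership decision for one workspace.
// Fails closed: wrong tenant, bad email, or no recognised group => no membership.
function mapAssertion(attrs, expectedTenant) {
  // tenant_id enforces workspace isolation: an assertion issued for a different
  // tenant must never map into this workspace, whatever its groups say.
  if (attrs.tenant_id !== expectedTenant) {
    return { ok: false, reason: 'tenant_mismatch' };
  }
  // email is the membership key; normalise so "Alice@Example.com" and
  // "alice@example.com" do not become two members.
  const email = String(attrs.email || '').trim().toLowerCase();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: 'invalid_email' };
  }
  // SAML attributes may arrive as a single string or a list of values.
  const groups = Array.isArray(attrs.groups) ? attrs.groups : [attrs.groups].filter(Boolean);
  let role = null;
  for (const g of groups) {
    const r = roleFromGroup(g);
    if (r && (role === null || ROLE_RANK[r] > ROLE_RANK[role])) role = r;
  }
  if (role === null) return { ok: false, reason: 'no_role_group' };
  return { ok: true, email, role, tenant: expectedTenant };
}

// Constructed sample assertions (not real IdP data).
const SAMPLE_ASSERTIONS = [
  { email: 'Alice@Example.com', groups: ['eng-members', 'ws-admins'], tenant_id: 'acme' },
  { email: 'bob@example.com', groups: 'ws-owners', tenant_id: 'other-corp' },
  { email: 'carol@example.com', groups: ['finance'], tenant_id: 'acme' },
];

for (const a of SAMPLE_ASSERTIONS) {
  console.log(JSON.stringify(mapAssertion(a, 'acme')));
}
```

The example resolves a user's role to the highest-ranked recognised group, rejects assertions whose `tenant_id` does not match the workspace before looking at anything else, and grants no membership at all when no recognised group is present, so a misconfigured IdP defaults to no access rather than to `member`.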
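## Worked example: consuming the policy stream in a sensor

The following is an added example, not Blekline project code, of the sensor side of the policy push section: parsing the `text/event-stream` frames from `GET /api/workspace/policy-stream`, applying only `policy` events to a local allow/deny cache, and using that cache to make a fail-closed decision for an MCP tool call, with the destructive-tool denylist from the hardening checklist as the initial state. The endpoint and the `policy` event name are from this page; the JSON payload shape (`{"allow": [...], "deny": [...]}`), the `PolicyCache` class and the sample stream are assumptions constructed for the example.

```javascript
// Added example (not Blekline project code). Endpoint and `policy` event name
// are from the docs; the payload shape {"allow": [...], "deny": [...]} is an
// ASSUMPTION for illustration.

// Parse a chunk of text/event-stream into event objects. Covers what a sensor
// must get right: multi-line `data:` fields joined with "\n", `event:` and `id:`
// fields, comment/keep-alive lines starting with ":", and the blank line that
// terminates each event. Events with no data are dropped, as the spec requires.
function parseSseFrames(text) {
  const events = [];
  let cur = { event: 'message', data: [], id: null };
  const flush = () => {
    if (cur.data.length > 0) {
      events.push({ event: cur.event, data: cur.data.join('\n'), id: cur.id });
    }
    cur = { event: 'message', data: [], id: cur.id }; // last event id persists
  };
  for (const line of text.split(/\r\n|\r|\n/)) {
    if (line === '') { flush(); continue; }
    if (line.startsWith(':')) continue; // comment / keep-alive
    const colon = line.indexOf(':');
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1);
    if (field === 'event') cur.event = value;
    else if (field === 'data') cur.data.push(value);
    else if (field === 'id' && !value.includes('\0')) cur.id = value;
    // `retry` and unknown fields are ignored here
  }
  flush();
  return events;
}

class PolicyCache {
  constructor() {
    this.allow = new Set();
    // Initial denylist from the hardening checklist, so the sensor is safe
    // before the first `policy` event arrives.
    this.deny = new Set(['rm', 'drop_database']);
    this.version = 0;
    this.lastEventId = null; // send as Last-Event-ID when reconnecting
  }
  // Apply parsed events. Only `policy` events replace the caches; a malformed
  // payload keeps the previous policy rather than clearing it.
  apply(events) {
    for (const ev of events) {
      if (ev.id !== null) this.lastEventId = ev.id;
      if (ev.event !== 'policy') continue;
      let body;
      try { body = JSON.parse(ev.data); } catch { continue; }
      if (!Array.isArray(body.allow) || !Array.isArray(body.deny)) continue;
      this.allow = new Set(body.allow);
      this.deny = new Set(body.deny);
      this.version += 1;
    }
    return this;
  }
  // Decision for the MCP proxy: deny wins over allow, and a tool must be
  // explicitly allowed (or "*" present) to run. Unlisted tools are refused.
  isToolAllowed(tool) {
    if (this.deny.has(tool)) return false;
    return this.allow.has('*') || this.allow.has(tool);
  }
}

function refreshFromStream(text, cache = new PolicyCache()) {
  return cache.apply(parseSseFrames(text));
}

// Constructed sample of what the stream might carry: a keep-alive comment, a
// heartbeat event, one well-formed policy event with a multi-line payload, and
// one malformed policy event that must be ignored.
const SAMPLE_STREAM = [
  ': keep-alive',
  'event: heartbeat',
  'data: {}',
  '',
  'id: 41',
  'event: policy',
  'data: {"allow": ["read_file", "search"],',
  'data:  "deny": ["rm", "drop_database", "shell_exec"]}',
  '',
  'event: policy',
  'data: not-json',
  '',
].join('\n');

const demo = refreshFromStream(SAMPLE_STREAM);
console.log(`policy v${demo.version}, last id ${demo.lastEventId}: rm=${demo.isToolAllowed('rm')} read_file=${demo.isToolAllowed('read_file')}`);
```

Two design choices matter for a fleet sensor: the cache tracks the last event `id` so a reconnect can resume with `Last-Event-ID` instead of silently running on stale policy, and a malformed or non-`policy` event never touches the allow/deny sets, so a broken push degrades to the previous known policy rather than to an empty one.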