Skip to main content

Overview

Enterprise Governance extends Bifrost’s core governance capabilities with advanced security, compliance, and user management features designed for large-scale enterprise deployments. This module provides comprehensive identity management, regulatory compliance, and detailed audit capabilities. Enterprise Extensions:
  • Identity & Access Management - SAML 2.0 and OpenID Connect integration
  • Directory Services - Active Directory and LDAP user synchronization
  • User-Level Governance - Individual user authentication and budget allocation
  • Compliance Framework - SOC 2 Type II, GDPR, ISO 27001, and HIPAA compliance
  • Advanced Auditing - Comprehensive audit reports and compliance dashboards
Builds Upon Core Governance:
  • All standard Virtual Keys, Teams, and Customers functionality
  • Hierarchical budget management and rate limiting
  • Model and provider access controls
  • Usage tracking and cost management

SAML & OpenID Connect Integration

Enterprise Governance provides seamless integration with corporate identity providers through industry-standard authentication protocols.

SAML 2.0 Configuration

Supported Identity Providers:
  • Microsoft Azure AD / Entra ID
  • Okta
  • Google Workspace
  • Ping Identity (Coming soon)
  • Auth0
  • Web UI
  • API
  • config.json
  1. Navigate to Enterprise Settings
    • Open Bifrost UI at http://localhost:8080
    • Go to EnterpriseIdentity Providers
  2. Configure SAML Provider
Required Fields:
  • Provider Name: Identity provider identifier
  • SSO URL: SAML SSO endpoint
  • Entity ID: SAML entity identifier
  • X.509 Certificate: Identity provider signing certificate
Attribute Mapping:
  • Email Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Name Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • Groups Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups
  • Department Attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/department
User Provisioning:
  • Auto-Create Users: Automatically create users on first login
  • Default Customer: Assign new users to default customer
  • Default Team: Assign new users to default team
  • Default Budget: Initial budget allocation per user
  1. Save Configuration
    • Click Configure SAML Provider
    • Test SSO integration
    • Enable for production use

OpenID Connect Configuration

Supported Providers:
  • Google Workspace
  • Microsoft Azure AD
  • Okta
  • Auth0
  • Keycloak
  • Generic OIDC providers
  • Web UI
  • API
  1. Navigate to Identity Providers
    • Go to EnterpriseIdentity Providers
    • Click Add OpenID Connect Provider
  2. Configure OIDC Provider
Required Fields:
  • Provider Name: OIDC provider identifier
  • Client ID: Application client identifier
  • Client Secret: Application client secret
  • Discovery URL: OIDC discovery endpoint
  • Scopes: Required OAuth scopes
Advanced Settings:
  • Token Validation: JWT signature verification
  • Group Claims: Map OIDC groups to Bifrost teams
  • Role Claims: Map OIDC roles to permissions

Active Directory Integration

Enterprise Governance provides native integration with Microsoft Active Directory and LDAP directories for automated user provisioning and group synchronization.

Active Directory Configuration

Features:
  • User Synchronization - Automatic user import and updates
  • Group Mapping - AD groups to Bifrost teams/customers
  • Attribute Mapping - Custom user attribute synchronization
  • Scheduled Sync - Automated periodic synchronization
  • Web UI
  • API
  1. Navigate to Directory Services
    • Go to EnterpriseDirectory Services
    • Click Configure Active Directory
  2. Connection Settings
Required Fields:
  • Domain Controller: AD server hostname/IP
  • Base DN: Directory search base
  • Bind DN: Service account distinguished name
  • Bind Password: Service account password
  • Port: LDAP port (389 or 636 for SSL)
Sync Settings:
  • User Filter: LDAP filter for user objects
  • Group Filter: LDAP filter for group objects
  • Sync Schedule: Automated sync frequency
  • Sync Scope: Full or incremental synchronization
  1. Attribute Mapping
User Attributes:
  • Email: mail or userPrincipalName
  • Display Name: displayName
  • Department: department
  • Manager: manager
  • Employee ID: employeeID
Group Mapping:
  • Map AD groups to Bifrost teams
  • Set default customer assignments
  • Configure budget inheritance

LDAP Configuration

Supported LDAP Servers:
  • Microsoft Active Directory
  • OpenLDAP
  • Apache Directory Server
  • Oracle Directory Server
  • IBM Security Directory Server
Configuration Example: 
curl -X POST http://localhost:8080/api/enterprise/directory-services \
  -H "Content-Type: application/json" \
  -d '{
    "type": "ldap",
    "name": "OpenLDAP Corporate",
    "config": {
      "connection": {
        "host": "ldap.company.com",
        "port": 636,
        "use_ssl": true,
        "base_dn": "ou=people,dc=company,dc=com",
        "bind_dn": "cn=bifrost,ou=service,dc=company,dc=com",
        "bind_password": "service-password"
      },
      "user_mapping": {
        "email": "mail",
        "name": "cn",
        "department": "ou",
        "groups": "memberOf"
      }
    }
  }'

User-Level Authentication & Budgeting

Enterprise Governance extends the hierarchical governance model to include individual user-level controls, providing granular access management and personalized budget allocation.

User Management

Enhanced Hierarchy: 
Customer (organization-level budget)

Team (department-level budget)

User (individual-level budget + authentication)

Virtual Key (API-level budget + rate limits)
User Features:
  • Individual Authentication - Personal login credentials
  • Personal Budgets - User-specific cost allocation
  • Access Controls - Per-user model and provider restrictions
  • Usage Tracking - Individual consumption monitoring
  • Audit Trails - User-specific activity logging

User Configuration

  • Web UI
  • API
  1. Navigate to Users
    • Go to EnterpriseUsers
    • Click Create User or import from directory
  2. User Details
Basic Information:
  • Email: Primary identifier
  • Display Name: Full name
  • Department: Organizational unit
  • Manager: Reporting structure
  • Employee ID: HR system identifier
Authentication:
  • SSO Integration: Link to identity provider
  • Multi-Factor Auth: Require MFA for access
  • Session Management: Control session duration
Budget Allocation:
  • Personal Budget: Individual spending limit
  • Budget Period: Reset frequency
  • Inheritance: Inherit team/customer budgets
Access Controls:
  • Allowed Models: Restrict model access
  • Allowed Providers: Restrict provider access
  • Team Assignment: Primary team membership
  • Customer Assignment: Organization membership

User Authentication Flow

SSO Authentication: 
# 1. Initiate SSO login
curl -X GET http://localhost:8080/api/enterprise/auth/saml/login?provider=azure-ad

# 2. After SSO callback, get user token
curl -X POST http://localhost:8080/api/enterprise/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "saml_response": "base64-encoded-saml-response"
  }'

# 3. Use token for API requests
curl -X POST http://localhost:8080/v1/chat/completions \
  -H "Authorization: Bearer user-jwt-token" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'
Virtual Key with User Context: 
# Create user-specific virtual key
curl -X POST http://localhost:8080/api/governance/virtual-keys \
  -H "Authorization: Bearer user-jwt-token" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Alice Personal API Key",
    "user_id": "user-alice-001",
    "budget": {
      "max_limit": 10.00,
      "reset_duration": "1w"
    }
  }'

# Use virtual key with user tracking
curl -X POST http://localhost:8080/v1/chat/completions \
  -H "x-bf-vk: vk-alice-personal" \
  -H "x-bf-user-id: user-alice-001" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gpt-4o-mini",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'

Compliance Framework

Enterprise Governance includes built-in compliance capabilities for major regulatory frameworks including SOC 2 Type II, GDPR, ISO 27001, and HIPAA compliance. These features provide automated compliance monitoring, policy enforcement, and audit trail generation to meet enterprise security and regulatory requirements.

Audit Reports & Compliance Dashboards

Enterprise Governance provides comprehensive audit reporting and compliance dashboards for regulatory requirements and internal governance.

Audit Report Types

1. Access Audit Reports
  • User login/logout activities
  • Failed authentication attempts
  • Privilege escalation events
  • Unusual access patterns
2. Usage Audit Reports
  • API request tracking
  • Model and provider usage
  • Budget consumption patterns
  • Rate limit violations
3. Data Audit Reports
  • Data access and modification
  • Data export activities
  • Data deletion requests
  • Consent management tracking
4. Compliance Reports
  • SOC 2 Type II control evidence
  • GDPR compliance status
  • ISO 27001 risk assessments
  • HIPAA safeguard compliance

Report Generation

  • Web UI
  • API
  1. Navigate to Audit Reports
    • Go to EnterpriseAudit & Compliance
    • Select Generate Report
  2. Report Configuration
Report Type:
  • Access Report: Authentication and authorization events
  • Usage Report: API consumption and cost analysis
  • Compliance Report: Regulatory compliance status
  • Security Report: Security events and incidents
Date Range:
  • Last 24 Hours: Recent activity
  • Last 7 Days: Weekly summary
  • Last 30 Days: Monthly analysis
  • Custom Range: Specific date range
Filters:
  • Users: Specific users or all users
  • Teams: Specific teams or all teams
  • Customers: Specific customers or all customers
  • Event Types: Filter by event categories
Export Options:
  • PDF: Formatted compliance report
  • CSV: Raw data for analysis
  • JSON: Structured data export

Compliance Dashboards

Real-Time Monitoring:
  • Security Posture: Current security status and alerts
  • Compliance Status: Regulatory compliance health check
  • Risk Assessment: Identified risks and mitigation status
  • Audit Trail: Recent audit events and activities
Dashboard Widgets: 
curl -X GET http://localhost:8080/api/enterprise/dashboard/compliance \
  -H "Authorization: Bearer admin-token"

# Response includes:
{
  "security_posture": {
    "overall_score": 95,
    "active_alerts": 2,
    "failed_logins_24h": 5,
    "privilege_escalations": 0
  },
  "compliance_status": {
    "soc2_type2_compliance": "compliant",
    "gdpr_compliance": "compliant",
    "iso27001_compliance": "in_progress",
    "hipaa_compliance": "not_applicable"
  },
  "risk_assessment": {
    "high_risk_items": 0,
    "medium_risk_items": 3,
    "low_risk_items": 12,
    "mitigation_progress": "85%"
  },
  "recent_activities": [
    {
      "timestamp": "2024-01-15T10:30:00Z",
      "type": "user_login",
      "user": "[email protected]",
      "status": "success"
    }
  ]
}

Automated Compliance Monitoring

Continuous Monitoring: 
curl -X POST http://localhost:8080/api/enterprise/compliance/monitoring \
  -H "Content-Type: application/json" \
  -d '{
    "monitoring_rules": [
      {
        "name": "Failed Login Monitoring",
        "type": "security_event",
        "condition": "failed_logins > 10 in 1h",
        "action": "alert_security_team",
        "severity": "high"
      },
      {
        "name": "Data Export Monitoring",
        "type": "data_access",
        "condition": "data_export_size > 1GB",
        "action": "require_approval",
        "severity": "medium"
      },
      {
        "name": "Budget Threshold Alert",
        "type": "budget_usage",
        "condition": "usage > 80% of budget",
        "action": "notify_manager",
        "severity": "low"
      }
    ],
    "notification_channels": {
      "email": ["[email protected]", "[email protected]"],
      "slack": "#security-alerts",
      "webhook": "https://company.com/security-webhook"
    }
  }'

Error Responses

Enterprise Governance extends standard governance errors with additional authentication and compliance-related responses: Authentication Errors: 
{
  "error": {
    "type": "authentication_required",
    "message": "SSO authentication required"
  }
}

{
  "error": {
    "type": "mfa_required", 
    "message": "Multi-factor authentication required"
  }
}
Authorization Errors: 
{
  "error": {
    "type": "user_not_authorized",
    "message": "User does not have permission to access this model"
  }
}
Compliance Errors: 
{
  "error": {
    "type": "compliance_violation",
    "message": "Request violates GDPR data minimization requirements"
  }
}

Next Steps