SC-02: SSO Migration
| Field | Value |
|---|---|
| Scenario ID | PER-005-SC-02 |
| Context / Trigger | The organization has been operating on ATOMx for two months using local accounts. David has validated the platform and is now ready to integrate corporate SSO (Azure AD via OIDC). He needs to transition 15 active users from local account authentication to federated SSO without interrupting operations. Three pilots currently have active flight authorizations scheduled for the next 48 hours. |
Narrative
David opens the organization’s identity integration settings [UERQ-SYS-1996]. He selects “Add Federated Identity Provider” and chooses OIDC. The system presents a guided configuration form: he enters the Azure AD tenant discovery URL, client ID, client secret, and configures claims mapping [UERQ-SYS-1954, UERQ-SYS-1956] — mapping Azure AD’s “preferred_username” to ATOMx identity, Azure AD groups to ATOMx roles, and the “department” claim to an organization attribute.
David enables JIT provisioning [UERQ-SYS-1957] so that users who authenticate through Azure AD for the first time are automatically provisioned with the organization’s default role (Pilot/Operator). He configures SCIM provisioning [UERQ-SYS-1982] for automated lifecycle sync: new Azure AD users in the “ATOMx Operators” group will be provisioned, and deleted or disabled users will be deactivated.
Before activating the federation, David reviews the transition plan displayed by the system: “15 users currently authenticated via local accounts. After federation activation: users will authenticate via Azure AD on next login. Existing active sessions will remain valid until their current session expires. No active flight authorizations will be interrupted.”
He confirms and activates the federation. He then claims the organization’s email domain [UERQ-SYS-1978] so that any future employee registrations with the corporate domain are automatically routed into his organization’s realm.
David sends an internal communication to all users: “Your next ATOMx login will use your corporate credentials. No action required.” He monitors the admin dashboard over the next 48 hours, watching as users’ authentication method transitions from “Local” to “Federated (Azure AD)” upon their next login.
The three pilots with active authorizations complete their flights without interruption — their existing sessions were preserved during the transition.
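The claims mapping, JIT provisioning and pre-activation transition check described in the narrative, as an added example in Python (not ATOMx code): the group-to-role table, the claimed domain `example.org` and the sample users, sessions and authorizations are constructed assumptions, and the claim set is assumed to have already been signature- and issuer-validated by the OIDC client.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GROUP_TO_ROLE = {"ATOMx Operators": "Pilot/Operator", "ATOMx Admins": "Organization Admin"}  # constructed
DEFAULT_ROLE = "Pilot/Operator"   # default role for JIT-provisioned users, per the scenario
CLAIMED_DOMAIN = "example.org"    # placeholder for the organization's claimed email domain

@dataclass
class AtomxUser:
    identity: str
    roles: list
    department: "str | None"
    auth_method: str              # "Local" or "Federated (Azure AD)"

def map_claims(claims: dict, users: dict) -> AtomxUser:
    """Scenario claims mapping for one validated ID-token claim set; JIT-provisions unknown users."""
    username = claims.get("preferred_username", "")
    if "@" not in username:
        raise ValueError("preferred_username claim missing or malformed")
    identity = username.lower()
    if identity.rsplit("@", 1)[1] != CLAIMED_DOMAIN:
        raise PermissionError("user is outside the organization's claimed domain")
    # Only explicitly mapped groups grant roles; unmapped groups are ignored, never trusted.
    roles = sorted({GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE})
    user = users.get(identity)
    if user is None:                                  # JIT provisioning path
        user = AtomxUser(identity, roles or [DEFAULT_ROLE], claims.get("department"), "Federated (Azure AD)")
        users[identity] = user
    else:                                             # migration of an existing local account
        user.roles, user.department = roles or [DEFAULT_ROLE], claims.get("department")
        user.auth_method = "Federated (Azure AD)"
    return user

def transition_plan(users: dict, sessions: dict, authorizations: dict, now: datetime) -> dict:
    """Pre-activation check: flag pilots whose session would lapse before their authorization ends."""
    at_risk = sorted(uid for uid, auth_end in authorizations.items() if sessions.get(uid, now) < auth_end)
    return {"local_users": sum(1 for u in users.values() if u.auth_method == "Local"),
            "sessions_preserved": sum(1 for e in sessions.values() if e > now),
            "pilots_needing_reauth_before_flight_ends": at_risk}

def demo() -> tuple:
    # Constructed sample: two local pilots; p2's session expires before its authorization ends.
    now = datetime(2025, 1, 1, 8, 0, tzinfo=timezone.utc)
    users = {f"p{i}@example.org": AtomxUser(f"p{i}@example.org", [DEFAULT_ROLE], None, "Local") for i in (1, 2)}
    sessions = {"p1@example.org": now + timedelta(hours=12), "p2@example.org": now + timedelta(hours=1)}
    auths = {"p1@example.org": now + timedelta(hours=4), "p2@example.org": now + timedelta(hours=6)}
    plan = transition_plan(users, sessions, auths, now)
    migrated = map_claims({"preferred_username": "P1@example.org", "department": "Flight Ops",
                           "groups": ["ATOMx Operators", "Unmapped Group"]}, users)
    return plan, migrated, map_claims({"preferred_username": "new@example.org"}, users)
```

Session preservation only protects a pilot for the remaining lifetime of the existing session; a pilot flagged by `transition_plan` will have to complete an Azure AD login mid-authorization, so the federation must be verified to work for that account before activation.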
Traceability
| Field | Value |
|---|---|
| Linked End Goals | Transition from local accounts to federated SSO without interrupting active flight authorizations. |
| Linked Capabilities | OIDC Provider Support (UERQ-SYS-1954), Claims Mapping (UERQ-SYS-1956), JIT Provisioning (UERQ-SYS-1957), SCIM 2.0 Provisioning (UERQ-SYS-1982), Domain Claiming (UERQ-SYS-1978), Per-Organization Identity Integration (UERQ-SYS-1996), Session Management (UERQ-SYS-1933). |
| Safety Relevance | Critical: this is the highest-risk moment for the Organization Admin. An SSO misconfiguration during transition could lock out pilots who have active or scheduled flight authorizations. The system must preserve existing sessions during the transition and not force re-authentication on users with active flights. |