Provider: WorkOS (with AuthKit for hosted login UI)
Default region: EU (Ireland). Transfers from Israel to the EU are permitted under Israel's Transfer of Data Abroad Regulations (EU member states qualify) and the EU's adequacy decision for Israel covers the reverse direction, so this placement covers cross-border transfers for the majority of Israeli customers under Amendment 13; customers with an Israeli residency requirement are handled in Phase 2.
Protocols: OIDC, SAML 2.0, SCIM 2.0
Enterprise IdP Federation: Customers bring their own IdP (Okta, Microsoft Entra ID (ex-Azure AD), Google Workspace, JumpCloud, Cisco Duo, Israeli local IdPs) via WorkOS SSO Connections over OIDC or SAML 2.0
Local Users: WorkOS-hosted username/password (Argon2id) for users without an external IdP
WorkOS Organizations: Map 1:1 to S.E.T tenants: each WorkOS Organization corresponds to one Postgres schema (tenant_<id>), and a request's organization claim must match the tenant the request was routed to before that schema is selected. Each org owns its own IdP connections, member set and MFA policy.
SCIM provisioning: User lifecycle (create / update / deactivate) synced from each enterprise customer's IdP automatically
MFA: Enforced via WorkOS policies, configurable per organization (TOTP, WebAuthn, push). For organizations that log in through an SSO connection the second factor is enforced by the customer's own IdP during its login; the WorkOS policy governs WorkOS-hosted local users.
Per-tenant branding: AuthKit hosted login displays each customer's logo, and the organization's verified domain routes users whose email domain matches to that organization's IdP connection
Audit: All auth events streamed to S.E.T's audit log + retained in WorkOS for compliance evidence
Phase 2 (Keycloak in parallel for Nimbus-aligned customers): when the first Israeli-government, defense, regulated-healthcare or banking customer requires Israeli data residency and Israeli operational control (Amendment 13 plus the Nimbus Tender), a self-hosted Keycloak instance will be added in AWS Israel (Tel Aviv, il-central-1) alongside WorkOS. Per-tenant routing in the NestJS auth middleware will decide which provider handles each login from the customer's compliance profile. The same routing pins the issuer and signing keys each tenant's tokens are verified against, so a token issued by one provider is never accepted for a tenant routed to the other.
Sub-processor disclosure: WorkOS appears in every customer DPA; SCCs added where EU adequacy alone is insufficient.
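An added example (not part of this design note, and not WorkOS or Keycloak code) of the checks described in the Organizations entry and in Phase 2: resolve the tenant from the request, pick the provider from its compliance profile, verify the token only against that provider, bind the token's organization to the tenant, and only then derive the tenant_<id> schema. It is plain TypeScript on node's crypto rather than NestJS decorators so it runs stand-alone. The tenant ids, org ids, the set-api audience, the WorkOS issuer string, the Keycloak base URL and the complianceProfile field name are assumptions, and the RSA keys are generated locally in place of each provider's JWKS.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "crypto";

export type Provider = "workos" | "keycloak";

// Constructed tenant registry (assumed shape; the real rows live in the tenants table).
export interface Tenant {
  id: string;                                      // Postgres schema is tenant_<id>
  orgId: string;                                   // WorkOS Organization id, or Keycloak realm name
  complianceProfile: "standard" | "il-residency";  // assumed field the Phase 2 routing keys on
}

export const TENANTS: Record<string, Tenant> = {
  acme:   { id: "acme",   orgId: "org_01ACME", complianceProfile: "standard" },
  bankil: { id: "bankil", orgId: "bankil",     complianceProfile: "il-residency" },
};

// Phase 2 routing rule: residency-restricted customers go to the self-hosted Keycloak.
export function selectProvider(t: Tenant): Provider {
  return t.complianceProfile === "il-residency" ? "keycloak" : "workos";
}

// Issuer each tenant's tokens must carry. Keycloak issuers are per realm, so the pin
// is per tenant. Both URLs are assumptions for the example.
export const KEYCLOAK_BASE = "https://auth.il.example.com";
export const WORKOS_ISSUER = "https://api.workos.com";
export function expectedIssuer(t: Tenant): string {
  return selectProvider(t) === "keycloak" ? `${KEYCLOAK_BASE}/realms/${t.orgId}` : WORKOS_ISSUER;
}

// The schema name becomes an SQL identifier (SET search_path), so validate it instead
// of interpolating whatever the tenant id happens to contain.
export function schemaFor(t: Tenant): string {
  if (!/^[a-z][a-z0-9_]{0,30}$/.test(t.id)) throw new Error(`bad tenant id: ${t.id}`);
  return `tenant_${t.id}`;
}

// Minimal RS256 JWT sign/verify, standing in for the providers and for a JWT library.
const b64u = (s: string): string => Buffer.from(s).toString("base64url");

export function signJwt(claims: Record<string, unknown>, key: KeyObject): string {
  const head = b64u(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64u(JSON.stringify(claims));
  const sig = createSign("RSA-SHA256").update(`${head}.${body}`).sign(key);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

function verifyJwt(token: string, key: KeyObject): Record<string, any> {
  const [head, body, sig] = token.split(".");
  if (!head || !body || !sig) throw new Error("malformed token");
  const hdr = JSON.parse(Buffer.from(head, "base64url").toString());
  if (hdr.alg !== "RS256") throw new Error("unexpected alg");  // refuse alg=none / HMAC downgrade
  const ok = createVerify("RSA-SHA256")
    .update(`${head}.${body}`)
    .verify(key, Buffer.from(sig, "base64url"));
  if (!ok) throw new Error("bad signature");
  return JSON.parse(Buffer.from(body, "base64url").toString());
}

// Per-provider verification keys. Generated here so the example is offline; the
// service fetches them from each provider's JWKS endpoint instead.
export const PROVIDER_KEYS: Record<Provider, { publicKey: KeyObject; privateKey: KeyObject }> = {
  workos:   generateKeyPairSync("rsa", { modulusLength: 2048 }),
  keycloak: generateKeyPairSync("rsa", { modulusLength: 2048 }),
};

export const API_AUDIENCE = "set-api";  // assumed audience value

// What the NestJS auth middleware would do per request. The tenant comes from request
// routing (host/subdomain), never from the token; the token is verified only with the
// key of the provider that tenant is routed to, must carry that provider's issuer and
// this tenant's organization, and only then is a schema chosen.
export function authorize(tenantId: string, token: string, now = Math.floor(Date.now() / 1000)) {
  const tenant = TENANTS[tenantId];
  if (!tenant) throw new Error("unknown tenant");
  const provider = selectProvider(tenant);
  const claims = verifyJwt(token, PROVIDER_KEYS[provider].publicKey);
  if (claims.iss !== expectedIssuer(tenant)) throw new Error("issuer mismatch");
  if (claims.aud !== API_AUDIENCE) throw new Error("audience mismatch");  // single-valued aud assumed
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
  // Org binding: WorkOS carries the organization in org_id; for Keycloak the realm is
  // already bound through the per-tenant issuer pin.
  if (provider === "workos" && claims.org_id !== tenant.orgId) throw new Error("org mismatch");
  return { provider, subject: String(claims.sub), schema: schemaFor(tenant) };
}

// Constructed tokens, one per provider, shaped as each would issue for its tenant.
export function sampleTokens(exp = Math.floor(Date.now() / 1000) + 300) {
  const workos = signJwt(
    { iss: WORKOS_ISSUER, aud: API_AUDIENCE, sub: "user_01", org_id: "org_01ACME", exp },
    PROVIDER_KEYS.workos.privateKey,
  );
  const keycloak = signJwt(
    { iss: `${KEYCLOAK_BASE}/realms/bankil`, aud: API_AUDIENCE, sub: "f3c1", exp },
    PROVIDER_KEYS.keycloak.privateKey,
  );
  return { workos, keycloak };
}
```

The point to keep from the example is the order of operations: the tenant is fixed by routing first, and everything about the token (which key, which issuer, which org) is checked against that tenant, so a validly signed WorkOS token can never open a Keycloak-routed tenant's schema, and a token for one WorkOS organization can never open another's.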