Identity Management overview
Identity Management in Praxis is where organization owners and administrators manage organizations, tenants, users, invitations, API tokens, and single sign-on (SSO). The product is multi-tenant: an organization is the top-level account; tenants subdivide the org for scoping data and access (for example per team or environment).
Where to open it
- In Praxis, open Identity Management from the main navigation. Routes are typically under the /identity prefix, for example /identity/settings for org-level settings.
- The org / tenant selector in the shell lets you pick which organization and tenant are active. Many APIs and screens scope data to the current tenant and organization stored in your session and client context.
- Product documentation opens in a new browser tab: use the profile menu at the bottom of the shell sidebar (your avatar), then choose Open documentation.
- Your account page is under Profile in that same menu (route /identity/profile).
What lives where
| Area | Primary route pattern | What you manage |
|---|---|---|
| Organization | /identity/settings | Tenants, org-wide users, org-wide invitations, SSO connections (org- or tenant-scoped) |
| Tenants | /identity/settings (Tenants tab) and /identity/settings/tenants | List, create, edit, and remove tenants |
| Users | Users tab (org) or tenant Users tab | Who has access, with which role |
| Invitations | Invitations tab, Invite user, accept link | Pending invites, email-specific delivery, expiry |
| API tokens | Tenant API Tokens tab | Create tokens with scopes, rotate/revoke as supported |
| SSO | SSO tab, login email flow, /sso/callback | SAML and OIDC IdPs, email domains, Enforce SSO |
Reference
| Topic | Use when |
|---|---|
| Concepts and terminology | You need a quick reminder of what organization, tenant, role, permission, and scope mean here. |
| IdP setup guides | You are configuring SSO with Okta, Microsoft Entra ID, Google Workspace, Auth0, OneLogin, or a generic SAML/OIDC IdP. |
| Using API tokens | You created a token in the UI and now need to call the API with it (curl examples, scopes, rotation, common errors). |
| Troubleshooting | Sign-in, SSO role mapping, invitations, or API tokens are not behaving as expected. |
Related routes (end users)
| Route | Purpose |
|---|---|
| /invitation/:token | Accept an invitation (register, sign in, or join org/tenant) |
| /login, /register, /recovery/*, /verification | Standard self-service sign-in, registration, and account recovery flows |
| /sso/callback | SSO redirect handler after the identity provider |
| /identity/profile | User profile (open Profile in the profile menu; separate from org administration) |
Permissions summary
The UI uses coarse checks such as org- and tenant-level roles for Identity Management screens (backed by the idm permission catalog). Pipeline work in Praxis is authorized separately under the praxis catalog (for example pipeline:write, collector:read). That is why advanced tools show two application keys—idm and praxis—in applications or realized permissions APIs: they are not the same as the /identity URL prefix for the embedded identity UI.
Fine-grained API tokens use explicit scope strings (for example pipeline:read, organization:read). See each topic for details.