Identity Bridge
MACAW integrates with your existing enterprise identity providers. JWTs issued by Keycloak, Okta, Azure AD, or any other OIDC provider are converted into security contexts that flow through every AI operation.
How It Works
APPLICATION LAYER (Your Code)
│ JWT Token from IDP
▼
ADAPTER LAYER (SecureOpenAI, etc.)
│ JWT Token (unchanged)
▼
MACAW CLIENT (Identity Bridge)
│ JWT → security_context conversion
▼
POLICY ENFORCEMENT
│ User-specific policies applied
▼
AI SERVICE (OpenAI, Claude, etc.)

The Identity Bridge extracts claims from your JWT (organization, department, team, user) and maps them onto MACAW's hierarchical policy model. This happens automatically: your application just passes the JWT.
Stateless Design
Each request creates a fresh security context. No identity state is stored between requests, so one user's identity can never bleed into another user's request in multi-user scenarios.
Multi-User Safety
The same adapter instance can serve Alice, Bob, and Carol concurrently. Each request carries its own identity context, isolated from others.
Supported Providers
| Provider | Protocol | Claims Mapping |
|---|---|---|
| Keycloak | OIDC/JWT | organization, business_unit, team, email |
| Okta | OIDC/JWT | org, department, division, email, groups |
| Azure AD | OIDC/JWT | companyName, department, jobTitle, userPrincipalName |
| Google Workspace | OIDC/JWT | hd, ou, groups, email |
Claims mapping is configured in Console → Settings → Identity Bridge. Any OIDC/JWT provider can be integrated by configuring the claim mappings through the Claims Mapper interface.
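The following Python is an added example, not MACAW's own code, showing what the "How It Works" flow and the claims-mapping table amount to in practice: a JWT is validated (algorithm, signature, issuer, audience, expiry) before any claim is read, the provider's claim names are mapped onto the organization > department > team > user hierarchy, and a fresh context is built per request so that Alice (Keycloak) and Bob (Okta) can be served by the same bridge instance. The `PROVIDERS` dict, the HS256 shared secrets, the `macaw` audience, the function names and both tokens are assumptions made for this example; production IdPs sign with RS256/ES256 keys published via JWKS, and the part to keep is the order of checks.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed per-provider configuration standing in for Console -> Settings ->
# Identity Bridge: issuer, verification key, and which claim feeds each level
# of the hierarchical context. Claim names follow the provider table; the dict
# shape and the HS256 shared secrets are this example's simplification.
PROVIDERS = {
    "keycloak": {
        "issuer": "https://idp.example/realms/acme",
        "key": b"constructed-keycloak-secret",
        "claims": {"organization": "organization", "department": "business_unit",
                   "team": "team", "user": "email"},
    },
    "okta": {
        "issuer": "https://acme.okta.example",
        "key": b"constructed-okta-secret",
        "claims": {"organization": "org", "department": "department",
                   "team": "division", "user": "email"},
    },
}
AUDIENCE = "macaw"  # assumed aud value a token must carry to be accepted here


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed test token; plays the role of the IdP for this example."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes, issuer: str, now: float) -> dict:
    """Check alg, signature, iss, aud and exp before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuses alg=none / key confusion
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def build_security_context(claims: dict, provider: str) -> dict:
    """Map verified claims onto the hierarchical policy levels."""
    ctx = {"subject": claims["sub"], "provider": provider}
    for level, claim_name in PROVIDERS[provider]["claims"].items():
        if claim_name not in claims:
            raise ValueError(f"claim {claim_name!r} needed for {level!r} is missing")
        ctx[level] = claims[claim_name]
    return ctx


def bridge_request(token, provider, now=None):
    """One request in, one fresh context out; nothing is cached between calls."""
    cfg = PROVIDERS[provider]
    now = time.time() if now is None else now
    claims = verify_hs256_jwt(token, cfg["key"], cfg["issuer"], now)
    return build_security_context(claims, provider)


NOW = 1_700_000_000  # fixed clock so the example is deterministic
ALICE = mint_hs256_jwt({"iss": PROVIDERS["keycloak"]["issuer"], "aud": AUDIENCE,
                        "sub": "alice", "exp": NOW + 300, "organization": "acme",
                        "business_unit": "finance", "team": "treasury",
                        "email": "alice@acme.example"}, PROVIDERS["keycloak"]["key"])
BOB = mint_hs256_jwt({"iss": PROVIDERS["okta"]["issuer"], "aud": AUDIENCE,
                      "sub": "bob", "exp": NOW + 300, "org": "acme",
                      "department": "eng", "division": "platform",
                      "email": "bob@acme.example"}, PROVIDERS["okta"]["key"])


def demo():
    """Same bridge, two users, then a forged and an expired token to refuse."""
    out = {"alice": bridge_request(ALICE, "keycloak", NOW),
           "bob": bridge_request(BOB, "okta", NOW)}
    # Forgery: Bob's payload stapled to Alice's header and signature.
    forged = ".".join([ALICE.split(".")[0], BOB.split(".")[1], ALICE.split(".")[2]])
    for name, token, at in (("forged", forged, NOW), ("expired", ALICE, NOW + 300)):
        try:
            bridge_request(token, "keycloak", at)
            out[name] = None
        except ValueError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to any real bridge: the `alg` header is pinned rather than read from the token, and the context is rebuilt from the token on every call, which is what makes the adapter safe to share between concurrent users.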
Delegated Authentication
When an agent needs to act on behalf of a user (customer support, scheduled jobs, microservice chains), MACAW provides cryptographically secure delegation tokens with full audit trails.
Delegator (User)
│
│ grants delegation token
▼
Delegate (Agent) ────────────► Resource
│                              │
└── Audit trail shows both ────┘
    user AND agent identity

Scoped Delegation
Delegation tokens specify exactly what operations are allowed, with time limits and purpose tracking.
Multi-Hop Chains
Identity flows through service chains. Each hop can only restrict scope, never expand it, and each hop can only shorten the remaining lifetime. The full delegation chain is recorded in the audit trail.
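As an added example covering both scoped delegation and multi-hop chains (this is illustrative code, not MACAW's delegation token format), the Python below issues HMAC-signed delegation tokens that carry scopes, an expiry and a purpose, embeds the parent token so the whole chain travels with each hop, refuses any hop that would widen scope or extend lifetime, and returns an audit record naming both the originating user and the agent that acted. The signing key, the token layout, the scope strings and the Alice / support-agent / mailer chain are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-delegation-key"  # assumption: held by the issuing service


def _sign(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def verify_delegation(token: dict, now: int) -> dict:
    """Check signature and expiry of every hop, parent first; return the body."""
    body = token["body"]
    if not hmac.compare_digest(token["sig"], _sign(body)):
        raise PermissionError("bad delegation signature")
    if now >= body["exp"]:
        raise PermissionError("delegation expired")
    if body["parent"] is not None:
        parent = verify_delegation(body["parent"], now)
        # Re-assert the restriction invariant at use time, not only at issuance.
        if (body["delegator"] != parent["delegate"]
                or not set(body["scopes"]) <= set(parent["scopes"])
                or body["exp"] > parent["exp"]):
            raise PermissionError("hop is broader than its parent")
    return body


def issue_delegation(delegator, delegate, scopes, expires_at, purpose,
                     parent=None, now=0):
    """Mint a hop; with `parent` given, the hop may only narrow what it received."""
    scopes = set(scopes)
    if parent is not None:
        parent_body = verify_delegation(parent, now)
        if delegator != parent_body["delegate"]:
            raise PermissionError("only the current delegate may delegate further")
        if not scopes <= set(parent_body["scopes"]):
            raise PermissionError("hop tries to expand scope")
        if expires_at > parent_body["exp"]:
            raise PermissionError("hop tries to extend lifetime")
    body = {"delegator": delegator, "delegate": delegate, "scopes": sorted(scopes),
            "exp": expires_at, "purpose": purpose, "parent": parent}
    return {"body": body, "sig": _sign(body)}  # signature covers the embedded chain


def authorize(token: dict, operation: str, now: int) -> dict:
    """Allow `operation` if within scope; return the audit record for the call."""
    body = verify_delegation(token, now)
    if operation not in body["scopes"]:
        raise PermissionError(f"{operation!r} not in delegated scope")
    chain, hop = [], body
    while hop is not None:
        chain.append((hop["delegator"], hop["delegate"]))
        hop = hop["parent"]["body"] if hop["parent"] else None
    chain.reverse()  # originating user first, acting agent last
    return {"user": chain[0][0], "agent": body["delegate"], "chain": chain,
            "operation": operation, "purpose": body["purpose"]}


NOW = 1_700_000_000  # fixed clock so the example is deterministic


def demo():
    # Hop 1: Alice (constructed user) lets the support agent read and reply
    # to tickets for one hour, for a stated purpose.
    hop1 = issue_delegation("alice", "support-agent", {"tickets:read", "tickets:reply"},
                            NOW + 3600, "ticket #4242", now=NOW)
    # Hop 2: the agent passes only the reply scope, for ten minutes, to a mailer.
    hop2 = issue_delegation("support-agent", "mailer", {"tickets:reply"},
                            NOW + 600, "ticket #4242", parent=hop1, now=NOW)
    out = {"allowed": authorize(hop2, "tickets:reply", NOW)}
    attempts = {
        "expand": lambda: issue_delegation("support-agent", "mailer",
                                           {"tickets:reply", "tickets:delete"},
                                           NOW + 600, "x", parent=hop1, now=NOW),
        "outside_scope": lambda: authorize(hop2, "tickets:read", NOW),
        "tampered": lambda: authorize({"body": dict(hop2["body"], scopes=["tickets:delete"]),
                                       "sig": hop2["sig"]}, "tickets:delete", NOW),
        "expired": lambda: authorize(hop2, "tickets:reply", NOW + 600),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name] = None
        except PermissionError as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because each hop's signature covers its embedded parent, the verifier can replay the whole chain from the leaf token alone, which is what lets the audit record show the user and every intermediate agent without any server-side delegation state.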