Enterprise Security¶
SSO, SAML, mTLS, secret management, and security hardening for StrataRouter Enterprise.
Authentication¶
SSO / SAML¶
# config.yaml
auth:
provider: saml
saml:
idp_metadata_url: "https://your-idp.com/metadata.xml"
sp_entity_id: "stratarouter"
assertion_consumer_service_url: "https://api.stratarouter.dev/auth/saml/callback"
name_id_format: "email"
attribute_mapping:
email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
Supported identity providers: Okta, Azure AD, Google Workspace, PingFederate, OneLogin.
OAuth 2.0 / OIDC¶
auth:
provider: oidc
oidc:
issuer: "https://accounts.google.com"
client_id: "your-client-id"
client_secret: "${OIDC_CLIENT_SECRET}"
scopes: ["openid", "email", "profile"]
API Key Authentication¶
from stratarouter_enterprise import APIKeyManager
key_manager = APIKeyManager()
api_key = await key_manager.create(
name="production-app",
scopes=["route:execute", "cache:read"],
expires_at=datetime(2027, 1, 1),
rate_limit=1000, # requests/minute
)
Transport Security¶
mTLS (Mutual TLS)¶
tls:
mode: mutual
cert_file: /etc/certs/server.crt
key_file: /etc/certs/server.key
ca_file: /etc/certs/ca.crt
min_version: TLSv1.3
cipher_suites:
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
Network Policies (Kubernetes)¶
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: stratarouter-ingress
spec:
podSelector:
matchLabels:
app: stratarouter
policyTypes: [Ingress]
ingress:
- from:
- podSelector:
matchLabels:
role: api-gateway
ports:
- port: 8000
Secret Management¶
HashiCorp Vault Integration¶
from stratarouter_enterprise import VaultSecretProvider
secrets = VaultSecretProvider(
vault_addr="https://vault.example.com",
auth_method="kubernetes",
role="stratarouter",
)
openai_key = await secrets.get("secret/stratarouter/openai_api_key")
AWS Secrets Manager¶
secrets:
provider: aws_secrets_manager
region: us-east-1
secret_ids:
openai_api_key: "prod/stratarouter/openai"
anthropic_api_key: "prod/stratarouter/anthropic"
Input Validation¶
All inputs are validated before processing:
security_config = SecurityConfig(
# Content filters
max_query_length=4096, # Characters
strip_html=True,
detect_prompt_injection=True,
# PII protection
pii_detection_enabled=True,
pii_action="redact", # "redact" | "block" | "log"
# Rate limiting
rate_limit_per_ip=100, # req/minute
rate_limit_per_user=500, # req/minute
rate_limit_burst=50, # Burst allowance
)
Security Hardening Checklist¶
- Enable mTLS for all service-to-service communication
- Rotate API keys every 90 days using the key management API
- Store all secrets in Vault or a cloud secrets manager — never in environment variables or config files
- Enable PII detection and redaction before routing user queries
- Configure rate limiting at the API gateway and StrataRouter layers
- Enable the immutable audit transaction log for compliance evidence
- Apply Kubernetes NetworkPolicies to restrict pod-to-pod traffic