Enterprise Deployment

This guide is for Enterprise and Enterprise+ customers who need SSO/SAML integration, automated user provisioning, on-premise deployment, or advanced security configurations.

SSO / SAML Setup

Quazzar Space supports SAML 2.0 and OpenID Connect (OIDC) for single sign-on, enabling your team to authenticate using your existing identity provider.

Supported Identity Providers

Provider	Protocol	Status
Okta	SAML 2.0 / OIDC	Fully supported
Azure Active Directory	SAML 2.0 / OIDC	Fully supported
Google Workspace	OIDC	Fully supported
OneLogin	SAML 2.0	Fully supported
Custom SAML 2.0 IDP	SAML 2.0	Supported

SAML Configuration

Navigate to Settings > Security > Single Sign-On in your Quazzar Space dashboard
Select SAML 2.0 as the authentication method
Enter the following details from your identity provider:

Field	Description
SSO URL	Your IDP’s single sign-on URL
Entity ID	Your IDP’s entity identifier
Certificate	X.509 signing certificate (PEM format)
Name ID Format	`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`

Download the Quazzar SP metadata XML to configure your identity provider
Test the connection using the Test SSO button before enforcing

OIDC Configuration

Navigate to Settings > Security > Single Sign-On
Select OpenID Connect as the authentication method
Enter the following details:

Field	Description
Discovery URL	`https://your-idp/.well-known/openid-configuration`
Client ID	OAuth client ID from your IDP
Client Secret	OAuth client secret
Scopes	`openid email profile`

Enforcing SSO

Once SSO is configured and tested, you can enforce it organization-wide:

Enable Require SSO to prevent password-based login
Existing users will be prompted to link their SSO identity on next login
New users provisioned via SSO are automatically activated

SCIM Provisioning

SCIM (System for Cross-domain Identity Management) automates user creation, updates, and deactivation based on changes in your identity provider.

Setting Up SCIM

Navigate to Settings > Security > SCIM Provisioning
Copy the SCIM endpoint URL and bearer token
Configure your identity provider’s SCIM integration with these values

Supported SCIM Operations

Operation	Description
Create User	Automatically creates a Quazzar Space account
Update User	Syncs profile changes (name, email, department)
Deactivate User	Disables access without deleting data
Group Assignment	Maps IDP groups to Quazzar project roles

When a user is removed from your directory, their Quazzar Space account is deactivated and all active sessions are revoked.

On-Premise Deployment

Enterprise+ customers can deploy Quazzar Space on their own infrastructure for full data sovereignty and air-gapped environments.

Deployment Options

Option	Description
Kubernetes (Helm)	Recommended for production. Helm chart provided with HA configuration
Docker Compose	Suitable for smaller teams or evaluation environments

Requirements

Kubernetes 1.28+ cluster (or Docker Compose on dedicated servers)
Database: PostgreSQL 15+ with at least 100 GB storage
TLS certificates for your domain
SMTP server for transactional email
DNS configured for your chosen domain

Getting Started

Contact your Quazzar account manager to receive:

Access to the private container registry
Helm chart and configuration templates
Deployment runbook tailored to your environment
Migration assistance for existing cloud data

The Quazzar team provides hands-on deployment support for all Enterprise+ on-premise installations.

Custom SLA Configuration

Enterprise customers receive enhanced SLA guarantees:

Tier	Uptime SLA	Response Time	Support Hours
Enterprise	99.95%	4 hours (critical)	24/7
Enterprise+	99.99%	1 hour (critical)	24/7 dedicated

Custom SLA terms are available and documented in your enterprise agreement. Contact your account manager to negotiate specific terms for your organization.

Dedicated Support Channels

Enterprise customers have access to priority support:

Email: Dedicated support address provided during onboarding
Slack Connect: Shared Slack channel with the Quazzar engineering team (Enterprise+)
Phone: Direct line to senior support engineers (Enterprise+)
Quarterly reviews: Scheduled architecture and usage reviews with your account team

To open a support request, use the Help > Support section in your dashboard or email your dedicated support address.

IP Allowlisting

Restrict platform access to specific IP addresses or CIDR ranges.

Navigate to Settings > Security > IP Allowlists
Add allowed IP addresses or CIDR ranges
Enable enforcement

When enabled, all API requests and dashboard access from non-allowed IPs will be blocked with a 403 Forbidden response. Ensure you include all office networks, VPN exit points, and CI/CD runner IPs before enabling.

Data Residency

Enterprise customers can specify the geographic region for data storage:

US (default) — Data stored in US data centers
EU — Data stored in EU data centers for GDPR compliance
Custom — Specific region requirements available for Enterprise+

Data residency preferences are configured during onboarding. For existing accounts, contact your account manager to discuss migration options.

Compliance Certifications

Standard	Support
GDPR	Data residency control, DPA available, right-to-delete
SOC 2	Audit logging, access control, encryption at rest
ISO 27001	ISMS alignment, security controls documentation
HIPAA	Available upon request with BAA

Audit Trail

All Enterprise plans include a complete audit trail for compliance and security monitoring:

User authentication events (login, logout, failed attempts)
Resource creation, modification, and deletion
Permission changes and role assignments
API key creation and revocation
Export and data access events

Access audit logs from Settings > Activity Log or via the API at GET /activity.

Next Steps

White-Labeling — Customize branding for your organization
Custom Integrations — Build integrations with your existing tools
Troubleshooting — Common issues and solutions