Security & Access Control

StacksAtlas is designed for high-security environments where data privacy and infrastructure integrity are paramount. Our security model focuses on Zero-Knowledge Architecture and Local-First persistence.

Data Sovereignty (The "Zero-Knowledge" Policy)

Unlike SaaS monitoring tools, StacksAtlas assumes your network data is sensitive and should never leave your premise.

• No Cloud Telemetry: The application does not collect usage statistics, anonymized crash reports, or device inventory metadata.
• Encrypted-at-Rest: The internal LiteDB database is encrypted using AES-256 (FIPS 140-2 compliant algorithms).
• License Isolation: The license validation service (api.lemonsqueezy.com) only receives your license key and a unique hardware ID. No technical details about your scanned subnets are included in this handshake.

Access Control (RBAC)

To support multi-user teams, StacksAtlas implements a granular Role-Based Access Control system.

Enterprise Identity & SSO (v1.2.7)

StacksAtlas now supports production-grade external identity providers, allowing your team to use existing corporate credentials (SSO) to access the appliance.

OIDC (OpenID Connect)

Integrate with any modern identity provider (IdP) such as Google Workspace, Microsoft Entra ID (Azure AD), Okta, or Auth0.

• Dynamic Metadata Discovery: Simply provide the Issuer URL, and StacksAtlas will automatically discover endpoints and signing keys.
• JIT (Just-In-Time) Provisioning: Users are automatically created in StacksAtlas upon their first successful login, pulling their name and email from the IdP claims.

LDAP / Active Directory

For internal environments, StacksAtlas provides a high-performance LDAP/AD bridge.

• Bind-Based Authentication: Leverages your existing directory hierarchy for secure password verification without storing external credentials locally.
• Secure LDAP (LDAPS): Full support for encrypted directory communication and certificate validation.

Dynamic Role Mapping

You can map external directory groups (LDAP) or OIDC claims to StacksAtlas roles (Admin, Standard, Viewer) via the UI.

1. Navigate to Settings > Authentication.
2. In the Role Mapping section, add a new rule.
3. Specify the External Group/Claim (e.g., CN=Network Admins,OU=Groups,DC=corp) and choose the corresponding StacksAtlas Role.
4. When users log in, the appliance will automatically assign their permissions based on these rules.

Pre-flight Diagnostics

To ensure a smooth setup, the appliance includes a Diagnostic Pre-flight tool. You can test your LDAP bind credentials or OIDC metadata reachability directly from the configuration UI before enabling SSO globally.

Authentication & Cryptography

• PBKDF2 Hashing: User passwords are never stored in plain text. We utilize industry-standard Password-Based Key Derivation Function 2 (PBKDF2) with unique salts.
• JWT Architecture: All communication between the browser and the background service is secured via JSON Web Tokens (JWT), ensuring stateless and tamper-proof sessions.
• HTTPS Enforcement & CA Maturity: By default, StacksAtlas binds to Port 5001.
  • Certificate Logic: Starting in v1.2.3, the appliance utilizes .NET 10 X509CertificateLoader APIs to generate self-signed certificates with Basic Constraints: CA=True.
  • Trust Workflow: Administrators can download the appliance's root certificate directly from the settings menu to establish permanent browser trust across the network.
• Protocol Hygiene Warnings: The UI provides explicit warnings when using unencrypted Protocol Quick Links (Telnet/FTP), ensuring administrators are aware of the risks of clear-text credentials in the environment.

Infrastructure Resilience

• Sandboxed Environment: The engine adapts to the host's security model. It can run as a standard Windows Service with restricted Service Accounts, a natively constrained macOS Daemon, or a fully isolated, unprivileged Docker container.