User Management

AegisWire includes a comprehensive built-in user management system as the default and primary identity system. No external identity provider (Keycloak, Azure AD, Okta) is required for any tier to function.

Built-In User Management

The built-in system provides everything needed to manage your VPN users:

User CRUD Operations

From the admin interface, navigate to Users to:

  • Create users: Set user ID (auto-generated or custom), email, display name, tenant scope, and role
  • Edit users: Update any user field, change group membership, modify role assignments
  • Suspend users: Temporarily disable a user account — all active sessions are terminated immediately and device credentials are invalidated
  • Reactivate users: Re-enable a suspended user account
  • Delete users: Permanently remove a user — all device enrollments are cascade-revoked

All user mutations are audit-logged with the admin's identity, timestamp, and source IP.

Roles

AegisWire supports the following built-in roles:

Role | Description | Capabilities
Admin | Full administrative access | All operations: user management, device management, policy, gateway config, audit
User | Standard VPN user | Enroll devices, connect to VPN, view own sessions
Read Only | View-only access to admin | View dashboards, user lists, session lists — no mutations

Administrators can create custom roles with granular permissions for organisations that need finer-grained access control.

Groups

Groups allow you to organise users and apply policies at the group level:

  • Create named groups (e.g., "Engineering", "Finance", "Remote Workers")
  • Assign users to multiple groups
  • Assign policies per group — users inherit the policy of their group(s)
  • Group membership changes take effect on the next policy refresh cycle

Password Management

The built-in user management system provides:

  • Password hashing: All passwords are stored using bcrypt or argon2id — never in plaintext
  • Password policy: Configurable minimum length, complexity requirements, and rotation period
  • Admin-initiated reset: Administrators can force a password reset for any user
  • Self-service reset: Users can reset their own password via an email link (requires email configuration)
  • Password history: Optional enforcement that prevents password reuse

Multi-Factor Authentication (MFA)

AegisWire supports TOTP-based multi-factor authentication (RFC 6238):

  • QR code provisioning: Users scan a QR code with their authenticator app (Google Authenticator, Authy, 1Password, etc.)
  • Backup codes: Generated during MFA setup for account recovery
  • Admin enforcement: Administrators can require MFA for all users, for specific roles, or for specific groups
  • Admin override: Administrators can disable MFA for a user in emergency situations (audit-logged)

Session Management

Active sessions are visible in the admin interface:

  • View all active sessions, showing device ID, user ID, connection time, last activity, source IP, and user agent
  • Terminate any individual session with a single click (audit-logged)
  • Bulk terminate sessions by user, group, or device
  • Configurable session timeout (inactivity timeout and absolute timeout)

Rate Limiting and Account Lockout

To prevent brute-force attacks:

  • Rate limiting: Maximum 5 failed login attempts per 60 seconds per username or source IP
  • Account lockout: After a configurable number of failed attempts, the account locks until an administrator unlocks it or a timeout expires
  • Admin notification: Lockout events trigger admin notifications
  • All failed login attempts are audit-logged
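The following is an added illustration of the throttling policy described above, not AegisWire's own code: a sliding window of at most 5 failures per 60 seconds, checked against both the username and the source IP, plus a consecutive-failure lockout that an administrator can clear. The lockout threshold and duration are the page's "configurable" settings, so the defaults here are assumptions, and the audit trail is a constructed in-memory list.

```python
from collections import defaultdict, deque

# Limits stated on the page: 5 failed attempts per 60-second window, tracked
# per username AND per source IP. Lockout settings below are assumed defaults.
WINDOW_SECONDS = 60
MAX_FAILURES_PER_WINDOW = 5

class LoginThrottle:
    def __init__(self, lockout_threshold=10, lockout_seconds=900):
        self.failures = defaultdict(deque)   # (kind, key) -> failure timestamps
        self.consecutive = defaultdict(int)  # username -> consecutive failures
        self.locked_until = {}               # username -> unlock time (unix secs)
        self.lockout_threshold = lockout_threshold
        self.lockout_seconds = lockout_seconds
        self.audit = []                      # constructed in-memory audit trail

    def _recent(self, key, now):
        q = self.failures[key]
        while q and now - q[0] >= WINDOW_SECONDS:   # expire old failures
            q.popleft()
        return q

    def check(self, username, ip, now):
        """Call before verifying a password: 'ok', 'rate_limited' or 'locked'."""
        if self.locked_until.get(username, 0) > now:
            return "locked"
        for key in (("user", username), ("ip", ip)):
            if len(self._recent(key, now)) >= MAX_FAILURES_PER_WINDOW:
                return "rate_limited"
        return "ok"

    def record_failure(self, username, ip, now):
        for key in (("user", username), ("ip", ip)):
            self.failures[key].append(now)
        self.consecutive[username] += 1
        self.audit.append({"event": "login_failed", "user": username, "ip": ip, "ts": now})
        if self.consecutive[username] >= self.lockout_threshold:
            self.locked_until[username] = now + self.lockout_seconds
            self.audit.append({"event": "account_locked", "user": username, "ts": now})

    def record_success(self, username):
        self.consecutive[username] = 0  # a good login resets the lockout counter

    def admin_unlock(self, username, admin_id):
        self.locked_until.pop(username, None)
        self.consecutive[username] = 0
        self.audit.append({"event": "account_unlocked", "user": username, "actor": admin_id})
```

Keying the window on the source IP as well as the username is what stops a single client from spraying one attempt per account; the lockout counter is separate and only resets on a successful login or an admin unlock.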

External Identity Provider Integration

For organisations that want SSO federation with their existing identity infrastructure, AegisWire supports optional external IdP integration.

Supported Providers

Provider Type | Configuration Fields
OIDC (Generic) | Issuer, authorization endpoint, token endpoint, JWKS URI, client ID, client secret, scopes
SAML | Entity ID, SSO URL, SLO URL, signing certificate (PEM), attribute mapping
Keycloak | Realm URL, client ID, client secret, admin API URL (for directory sync)
Azure Entra ID | Tenant ID, client ID, client secret, discovery URL
Okta | Organisation URL, client ID, client secret, authorization server ID
AWS Identity Center | Region, instance ARN, portal URL

Configuration

  1. Navigate to Identity Providers in the admin interface
  2. Click Add Provider
  3. Select the provider type
  4. Fill in the required fields (all URL fields must be absolute HTTPS URLs)
  5. Click Test Connection to validate connectivity and credentials
  6. Save the configuration

Coexistence Rules

External IdP users and built-in users coexist:

  • Both authentication methods remain active when an external IdP is configured
  • Removing or disconnecting the external IdP does not break the control plane — built-in users continue to work
  • Users from the external IdP are mapped to AegisWire roles and groups via attribute mapping
  • The external IdP is never a required dependency
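An added example of the attribute mapping step, written here to illustrate the rule and not taken from AegisWire: IdP group claims are translated into AegisWire groups and a role, with unmapped IdP groups ignored and the role falling back to the least-privileged default. The mapping keys (`group_claim`, `group_map`, `role_map`, `default_role`) and the role ranking are assumptions; the three built-in role names come from the Roles table above.

```python
# Illustrative attribute mapping for a federated user (not AegisWire's code).
# Mapping keys are assumed names for the provider's attribute-mapping settings.
ROLE_RANK = {"Read Only": 0, "User": 1, "Admin": 2}  # built-in roles; custom roles
                                                     # would need a rank entry

def map_idp_claims(claims, mapping):
    """Return (role, groups) for the identity carried in `claims`.

    IdP groups without an entry in group_map are dropped, so a group that
    exists only on the IdP side never creates an AegisWire group implicitly.
    The role is the highest-ranked mapped role, else mapping["default_role"].
    """
    idp_groups = claims.get(mapping["group_claim"], [])
    if isinstance(idp_groups, str):          # some IdPs emit a single string
        idp_groups = [idp_groups]
    groups = sorted({mapping["group_map"][g] for g in idp_groups
                     if g in mapping["group_map"]})
    roles = [mapping["role_map"][g] for g in idp_groups if g in mapping["role_map"]]
    role = max(roles, key=ROLE_RANK.__getitem__, default=mapping["default_role"])
    return role, groups

# Constructed sample mapping, as an administrator might configure it.
SAMPLE_MAPPING = {
    "group_claim": "groups",
    "group_map": {"vpn-eng": "Engineering", "vpn-fin": "Finance"},
    "role_map": {"vpn-admins": "Admin", "vpn-auditors": "Read Only"},
    "default_role": "User",
}
```

Because the role is derived on every login from the current claims, revoking an IdP group takes effect at the next federated sign-in without touching the built-in user store.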

Audit Logging

Every user management action is audit-logged:

  • Login and logout events
  • Failed login attempts
  • Password changes
  • MFA configuration changes
  • Role changes
  • Group membership changes
  • Session terminations
  • Account suspensions and reactivations

Audit logs include: timestamp (millisecond precision), action type, actor ID, actor type (admin/system/API), target user ID, detail JSON, and source IP.

Navigate to Audit Log in the admin interface to view, filter, and export audit records.