Identity governance at scale, on European ground.
SSO, MFA, provisioning and conditional access for your entire workforce, operated from the European Union with no dependency outside the EU in the request path. This page is about your day-to-day reality: a leaver to cut off, an audit to pass, subsidiaries to keep apart.
The problem is not access. It is where your access lives.
Most large European organisations run their identity layer on a US identity provider. That means your authentication logs, your directory and your control plane sit under a foreign jurisdiction, subject to laws you do not write.
Jurisdiction risk
Your directory and audit trail sit outside the EU, exposed to extraterritorial legal demands you cannot contest.
Lock-in
Proprietary formats and connectors make an exit expensive. The switching cost becomes the vendor's strategy.
Opaque governance
Policy changes ship without versioning or simulation. You discover the effect of a rule in production.
Unmanaged agents
AI agents authenticate with shared secrets and no per-agent scope, TTL or kill switch. Identity sprawl you cannot audit.
Three situations where Obexal earns its keep
No feature list here: three situations your teams already know, and what changes when identity is governed in the right place. Product detail lives on the linked pages.
Offboarding, the day it happens
Someone leaves on a Friday at 5 pm. You suspend the account in Obexal, and outbound SCIM disables their accounts in the downstream applications automatically. Every deactivation is recorded and every failure is audited: nothing disappears in silence. Access is cut in one click, and the evidence is already written. See SCIM provisioning.
- One-click suspension, sessions revoked
- Automatic deprovisioning over outbound SCIM
- Deprovisioning failures recorded in the audit log
On the day it happens, the question is not whether you thought of everything. It is where the evidence is, and it is already in the log.
The annual audit, without the sweat
The auditor asks who accessed what, who decided it, and who checked. The immutable audit log answers: every sensitive action is timestamped and attributed, exportable, and streamed in real time to your SIEM. For AI agents, attested access reviews document that a human actually reviewed each delegation. See the security measures.
- Immutable audit log, timestamped and attributed
- Export plus a real-time stream to your SIEM
- Attested access reviews for AI agents
| Time | Actor | Action |
|---|---|---|
| 17:02 | hr.dupont (console) | User j.martin suspended |
| 17:02 | Outbound SCIM | Account disabled: sales CRM |
| 17:02 | Outbound SCIM | Account disabled: office suite |
| 17:03 | Outbound SCIM | Failure recorded: BI tool |
| 17:04 | hr.dupont (console) | Active sessions revoked |
Subsidiaries and multiple brands
One group, several entities: each subsidiary or brand lives in its own tenant, isolated at the data layer, with its own white-label login and custom domains verified over DNS. Local teams administer their own scope, and the group keeps the overview. See access management.
- One tenant per entity, isolation at the data layer
- White-label per entity: logo and login screen
- Custom domains verified by DNS TXT, automatic TLS
- Model: One operator, isolated tenants
- Branding: White-label, per entity
- Domains: Custom, verified by DNS TXT, automatic TLS
- Roles: Custom RBAC, anti-escalation
And your AI agents?
Three guarantees in short. The full model lives on the AI agent governance page.
One identity per agent
A human owner, an expiry date and a lifecycle (active, dormant, expired, orphaned): each agent is a first-class identity, not a shared API key.
Fail-closed boundaries
A scope ceiling, a TTL cap and an audience allowlist per agent: the blast radius is capped by design.
An immediate kill switch
Suspend an agent and the tokens already in circulation go inert at introspection, while every delegation stays traceable.
Deployment, without the big bang
Indicative durations, not promises: every context differs, and progressive coexistence avoids a long cutover where nothing is visible until the end.
Connect your identity source
Provision users over inbound SCIM 2.0 or federate your LDAP or AD directory. Typically a few hours to a few days, depending on how clean the source is.
Wire the first applications
OIDC or SAML clients from a catalogue of about 40 connectors, or custom integrations. Typically a few days, app by app, with no big bang.
Write and simulate policies
Conditional access is versioned and simulated against 30 days of real sign-ins before it applies. Simulation is immediate; writing the rules is a matter of hours.
Switch over, then govern
Migration by coexistence, app by app: SCIM for accounts, a clean password reset at first login. You switch at your own pace, and any policy version can be restored.
Sovereignty, in three facts
The full evidence file lives on the sovereignty and security pages. Here is the short version.
Hosted in France
Datacenter in the Paris region, data residency in the EU.
No dependency outside the EU
No non-EU service in the request path, no external CDN, self-hosted fonts.
Documented encryption
TLS 1.2 minimum (1.3 preferred), application secrets encrypted at rest with AES-256-GCM, passwords hashed with Argon2id.
Questions from procurement and security
How long does deployment take?
Typically a few days for a first scope (identity source, first applications, simulated policies), then a progressive switch, app by app, at your own pace. We prefer honest indicative durations to firm promises: the dominant factor is how clean your source directory is.
What support do we get during migration?
A direct contact throughout the rollout, via the contact page. The method is progressive coexistence: Obexal runs alongside your current provider, app by app, until the full switch. Password hashes are not imported; accounts get a clean reset at first login.
What if we want to leave one day?
Reversibility is a design criterion: OIDC, OAuth 2.1, SAML 2.0 and SCIM 2.0 are open standards, the admin API is published as an OpenAPI 3.1 contract at /v1/openapi.json, and the audit log is exportable. Your exit cost stays bounded.
What does it cost?
Starter at 2 € and Team at 5 € per user per month, Business and Enterprise on quote. The trial is free for 30 days, no credit card. Details are on the pricing page.
Where is our data hosted?
In France, in a datacenter in the Paris region, with data residency in the EU and no dependency outside the EU in the request path. The evidence file is on the sovereignty page.
Bring your identity layer home.
Free 30-day trial, no credit card. Or tell us about your context: subsidiaries, audits, migration.