+33 9 84 25 52 61
Sign in
For enterprises

Identity governance at scale,
on European ground.

SSO, MFA, provisioning and conditional access for your entire workforce, operated from the European Union with no dependency outside the EU in the request path. This page is about your actual days: a leaver to cut off, an audit to pass, subsidiaries to keep apart.

The problem is not access. It is where your access lives.

Most large European organisations run their identity layer on a US identity provider. That means your authentication logs, your directory and your control plane sit under a foreign jurisdiction, subject to laws you do not write.

Jurisdiction risk

Your directory and audit trail sit outside the EU, exposed to extraterritorial legal demands you cannot contest.

Lock-in

Proprietary formats and connectors make an exit expensive. The switching cost becomes the strategy of the vendor.

Opaque governance

Policy changes ship without versioning or simulation. You discover the effect of a rule in production.

Unmanaged agents

AI agents authenticate with shared secrets and no per-agent scope, TTL or kill switch. Identity sprawl you cannot audit.

Three situations where Obexal earns its keep

No feature list here: three situations your teams already know, and what changes when identity is governed in the right place. Product detail lives on the linked pages.

Offboarding, the day it happens

Someone leaves on a Friday at 5 pm. You suspend the account in Obexal, and outbound SCIM disables their accounts in the downstream applications automatically. Every deactivation is recorded and every failure is audited: nothing disappears in silence. Access is cut in one click, and the evidence is already written. See SCIM provisioning.

  • One-click suspension, sessions revoked
  • Automatic deprovisioning over outbound SCIM
  • Deprovisioning failures recorded in the audit log
Departure notifiedHR or manager
Suspended in Obexal
Outbound SCIMdownstream accounts disabled
Evidencesuccesses and failures in the audit log

On the day it happens, the question is not whether you thought of everything. It is where the evidence is, and it is already in the log.

The annual audit, without the sweat

The auditor asks who accessed what, who decided it, and who checked. The immutable audit log answers: every sensitive action is timestamped and attributed, exportable, and streamed in real time to your SIEM. For AI agents, attested access reviews document that a human actually reviewed each delegation. See the security measures.

  • Immutable audit log, timestamped and attributed
  • Export plus a real-time stream to your SIEM
  • Attested access reviews for AI agents

Subsidiaries and multiple brands

One group, several entities: each subsidiary or brand lives in its own tenant, isolated at the data layer, with its own white-label login and custom domains verified over DNS. Local teams administer their own scope, and the group keeps the overview. See access management.

  • One tenant per entity, isolation at the data layer
  • White-label per entity: logo and login screen
  • Custom domains verified by DNS TXT, automatic TLS
Model
One operator, isolated tenants
Branding
White-label, per entity
Domains
Custom, verified by DNS TXT, automatic TLS
Roles
Custom RBAC, anti-escalation

Deployment, without the big bang

Indicative durations, not promises: every context differs, and progressive coexistence avoids the tunnel effect.

1

Connect your identity source

Provision users over inbound SCIM 2.0 or federate your LDAP or AD directory. Typically a few hours to a few days, depending on how clean the source is.

2

Wire the first applications

OIDC or SAML clients from a catalogue of about 40 connectors, or custom integrations. Typically a few days, app by app, with no big bang.

3

Write and simulate policies

Conditional access is versioned and simulated against 30 days of real sign-ins before it applies. Simulation is immediate; writing the rules is a matter of hours.

4

Switch over, then govern

Migration by coexistence, app by app: SCIM for accounts, a clean password reset at first login. You switch at your own pace, and any policy version can be restored.

Questions from procurement and security

How long does deployment take?

Typically a few days for a first scope (identity source, first applications, simulated policies), then a progressive switch, app by app, at your own pace. We prefer honest indicative durations to firm promises: the dominant factor is how clean your source directory is.

What support do we get during migration?

A direct contact throughout the rollout, via the contact page. The method is progressive coexistence: Obexal runs alongside your current provider, app by app, until the full switch. Password hashes are not imported; accounts get a clean reset at first login.

What if we want to leave one day?

Reversibility is a design criterion: OIDC, OAuth 2.1, SAML 2.0 and SCIM 2.0 are open standards, the admin API is published as an OpenAPI 3.1 contract at /v1/openapi.json, and the audit log exports. Your exit cost stays bounded.

What does it cost?

Starter at 2 € and Team at 5 € per user per month, Business and Enterprise on quote. The trial is free for 30 days, no credit card. Details are on the pricing page.

Where is our data hosted?

In France, in a datacenter in the Paris region, with data residency in the EU and no dependency outside the EU in the request path. The evidence file is on the sovereignty page.

Bring your identity layer home.

Free 30-day trial, no credit card. Or tell us about your context: subsidiaries, audits, migration.