AffirmedID Connect

Executive Summary

AffirmedID Connect is the identity federation layer of the Pulse platform architecture, providing organizations with OIDC and SAML providers that go beyond standard authentication. Both providers are built on a shared foundation: deep integration with the Pulse platform's continuous authentication and authorization engine.

Where conventional OIDC and SAML providers authenticate once and then step aside, Connect providers remain active participants in every access decision made during the session. Each provider embeds a Pulse Policy Enforcement Point (PEP) that intercepts and evaluates requests in real time, exposes RP-accessible endpoints for in-session trust metric collection, and provides an AuthZEN evaluator endpoint for policy-driven authorization — whether the RP wants to enforce policy itself or delegate that work to the Pulse PDP.

Both providers integrate natively with AffirmedID Nexus, the RP configuration and operations dashboard, giving relying party administrators a single control plane for setup, monitoring, trust threshold management, and audit access across every connected application.

The Connect Providers

Connect comprises two providers, each optimized for its protocol ecosystem while sharing the same Pulse integration architecture:

OIDC Provider

The AffirmedID OIDC Provider implements the OpenID Connect protocol over OAuth 2.0, serving web applications, single-page applications, APIs, and AI agent platforms that rely on token-based authorization flows. It issues access tokens and ID tokens that carry embedded trust context from the Pulse PDP — not just the static claims established at login, but the live trust picture at time of issuance.

The integrated PEP monitors all token presentations. When the Pulse PDP detects a trust threshold breach, the PEP pushes an enforcement notification to all registered RP callback endpoints immediately — without waiting for the next request cycle. Token revocation is executed at the provider level, ensuring no further bearer token acceptance occurs from the moment of revocation.

SAML Provider

The AffirmedID SAML Provider implements SAML 2.0 for enterprise SSO environments and applications that rely on assertion-based identity federation. SAML assertions issued by the provider are signed and include trust context attributes drawn from the live Pulse trust state at assertion time, giving service providers a richer identity picture than standard SAML attribute statements.

The integrated PEP operates transparently within the SAML flow, enforcing PDP decisions at the provider level regardless of whether the service provider has implemented its own enforcement logic. When trust degrades mid-session, the PEP pushes enforcement events to registered SP callback endpoints, enabling immediate session action without requiring a new SAML authentication request.

Shared Architecture: What Both Providers Include

Despite serving different protocol ecosystems, the OIDC and SAML providers share a common Pulse integration layer. Every capability described below is available in both providers.

Integrated Pulse PEP

Each Connect provider embeds a Pulse Policy Enforcement Point as a native component — not a proxy, not a plugin, not an add-on requiring separate deployment. The PEP sits inline in the authentication and session management path and enforces PDP decisions in real time:

• When the Pulse PDP evaluates a trust threshold breach, the PEP immediately executes the enforcement decision — token revocation, session termination, or step-up authentication trigger — without RP-side code changes.
• Push notifications are delivered to all registered RP callback endpoints the moment an enforcement decision is issued, carrying the session correlation ID, trust event type, current trust scores, and timestamp.
• The PEP enforces decisions for AI agent sessions as well as human sessions, with revocation propagating through the AuthZEN agent chain to all child agents simultaneously.

RP-Accessible CA Metrics Endpoints

Both providers expose per-session endpoints that return live Pulse trust metrics to authenticated relying parties. These endpoints are designed for RPs that want to incorporate trust signals directly into their own application logic — building custom enforcement, displaying real-time trust dashboards, or triggering application-level controls based on the current trust picture.

Each metrics request is scoped to a session correlation ID. The four trust metrics available reflect the same signals that feed the Pulse PDP:

• Identity Trust Score — behavioral biometrics continuously confirming the right person remains in control
• Proximity Trust Score — Bluetooth-based physical presence verification
• 3D Location Trust Score — latitude, longitude, and barometric altitude (floor-level resolution)
• Device Health Trust Score — jailbreak detection, hijack indicators, and device integrity monitoring

RPs that prefer to consume raw signals and implement their own policy logic — rather than delegating policy evaluation to the Pulse PDP — can use these endpoints to drive fully custom enforcement without any dependency on the AuthZEN layer.

AuthZEN Evaluator Endpoint

Both providers expose an AuthZEN evaluator endpoint implementing the OpenID Foundation's access evaluation specification. This endpoint serves relying parties and RP-side PEPs that prefer to delegate authorization decisions to the Pulse PDP rather than evaluating trust signals themselves.

When an RP PEP submits an access evaluation request, the Pulse PDP evaluates it against the current live trust state — not the trust context from login — and returns a structured decision:

• Permit — trust is sufficient; access granted
• Deny — trust threshold not met; access blocked
• Permit with conditions — access granted subject to reduced scope or pending step-up authentication

The endpoint URL and callback registration are exposed through standard OIDC discovery metadata and SAML IdP metadata respectively, making integration a configuration step rather than a development effort.

Nexus RP Dashboard Integration

Both Connect providers integrate natively with AffirmedID Nexus, the centralized RP configuration and operations platform. Nexus provides the administrative surface for every aspect of the provider relationship:

• Provider configuration — OIDC client registration, SAML service provider setup, metadata management, and trust threshold definition for the integrated PEP
• Callback endpoint registration — configure the RP endpoints that receive push notifications when the PEP issues enforcement decisions
• Real-time session monitoring — live view of active sessions, current trust scores per session, and recent PDP decisions
• Audit log access — complete, tamper-evident log of every authentication event, trust score update, AuthZEN evaluation, and enforcement action, linked by session correlation ID
• Trust threshold management — define per-metric and composite thresholds that govern PEP enforcement behavior, without code changes to either the provider or the RP

Nexus eliminates the operational gap that typically exists between identity provider configuration and enforcement policy management. Both live in a single dashboard, ensuring the thresholds the RP administrator defines are the thresholds the PEP enforces — with no synchronization lag.

Architecture Overview

All components share session-scoped correlation IDs, ensuring every authentication event, trust-score update, CA metrics request, AuthZEN evaluation, and enforcement action is fully traceable end-to-end with a complete and tamper-evident audit trail.

Key Benefits

1. Federation That Keeps Enforcing

Standard OIDC and SAML providers authenticate once and then step aside. Connect providers remain active enforcement participants for the full session lifetime. The integrated PEP ensures that trust degradation triggers immediate action — at the provider level — without requiring RP-side enforcement code or waiting for the next request cycle.

2. Two Integration Paths, One Pulse Foundation

Connect gives relying parties a choice of authorization integration depth. RPs that want direct access to trust signals can consume the CA metrics endpoints and apply their own policy logic. RPs that prefer to delegate authorization decisions entirely can route access evaluation requests to the AuthZEN evaluator endpoint. Both paths draw from the same live Pulse trust state, and both can be used simultaneously within the same application.

3. No Separate Enforcement Layer

The PEP is built into the provider, not bolted on afterward. There is no separate enforcement proxy to deploy, no policy synchronization to manage, and no window between a PDP decision and enforcement action. The moment the PDP issues a decision, the PEP executes it and pushes notification to the RP.

4. Standard Protocols, Non-Standard Enforcement

Connect providers are fully compliant OIDC and SAML implementations. Existing relying parties integrate using standard protocol flows — there is no proprietary handshake required to consume authentication. The enforcement capabilities — PEP, CA metrics endpoints, AuthZEN evaluator — layer on top of standard protocol behavior and are surfaced through standard configuration metadata.

5. AI Agent Support Across Both Protocols

OIDC-based AI agent platforms and SAML-federated enterprise environments both benefit from the same Pulse enforcement architecture. Agent session correlation IDs trace every agent action back to the originating human session. When the human session is revoked, the PEP pushes enforcement through the AuthZEN agent chain, and all child agents halt — regardless of whether they are operating under OIDC tokens or SAML assertions.

6. Unified Operations via Nexus

Provider configuration, trust threshold management, session monitoring, callback registration, and audit log access are all centralized in the Nexus RP dashboard. Administrators do not need to navigate multiple systems to configure an OIDC client, define its enforcement thresholds, and monitor its active sessions. Everything lives in one place, linked by correlation ID.

7. ZTA, CMMC, and NIST Alignment

Every access decision is evaluated against current trust context. No implicit session trust extends from the authentication event. This satisfies Zero Trust Architecture's never-trust, always-verify mandate at the per-request level, not just per-session. PDP decision logging with correlation IDs satisfies CMMC continuous monitoring and audit requirements. The framework aligns with NIST SP 800-207 ZTA principles throughout.

Scenario Comparison

How Connect — with its integrated Pulse PEP, CA metrics endpoints, and AuthZEN evaluator — responds to attack and risk scenarios that standard OIDC and SAML providers cannot address:

Capabilities at a Glance

Conclusion

AffirmedID Connect delivers OIDC and SAML federation that does not end at the login response. By embedding the Pulse PEP directly into each provider and exposing both RP-accessible CA metrics endpoints and an AuthZEN evaluator endpoint, Connect gives relying parties full flexibility in how they consume and act on live trust signals — from raw metric access for custom policy logic to fully delegated authorization evaluation via the AuthZEN standard.

Both providers integrate natively with Nexus, ensuring that the trust thresholds administrators define are the thresholds the PEP enforces, with no synchronization gap and no separate enforcement infrastructure to deploy or manage.

For organizations deploying AI agent platforms, Connect provides the enforcement architecture that agentic workflows require: session correlation from every agent action back to the originating human, with revocation that propagates through the entire agent chain the moment trust degrades — regardless of protocol.