# Open Standards SSO via Keycloak and OAuth2

## The choice ExpertFlow made
ExpertFlow handles authentication and identity through open standards: OAuth2, OpenID Connect, and SAML2. The identity layer is implemented using Keycloak, an open-source identity and access management platform, which can federate with any standards-compliant identity provider — Active Directory, LDAP, Azure AD, Google Workspace, Okta, or any SAML2 IdP. Agents, supervisors, and administrators authenticate once through the organisation's existing identity provider; there is no separate ExpertFlow identity store to provision or maintain. The API gateway (KongHQ) enforces token-based authorisation on all platform APIs using standard OAuth2 tokens.
## The alternative (who made it and why it exists)

Several enterprise contact centre platforms, particularly those that grew from on-premise roots, maintain proprietary user directories and authentication mechanisms. On these platforms, integration with corporate Active Directory requires a proprietary synchronisation agent or a vendor-supplied LDAP connector with its own configuration schema and version dependencies. SSO is available as a premium feature, often requiring a specific licence tier, and is integrated through vendor-specific SAML implementations that may not support all IdP configurations.
This design predates modern identity standards and persists because migrating a large installed base to OAuth2/OIDC requires significant re-engineering of session management, token handling, and permission models.
## The scenario where our choice wins
Enterprise IT security teams that have standardised on a corporate IdP (Azure AD, Okta, or on-premise AD with AD FS) and require all business applications to authenticate through it. These teams will not provision a separate identity store for contact centre agents and will not accept a proprietary LDAP sync agent running on their infrastructure.
Also, organisations with strict privileged access management requirements where all service-to-service API calls must use short-lived OAuth2 tokens with defined scopes rather than API keys or basic-auth credentials. Open-standards token handling is auditable, rotatable, and integrable with enterprise IAM tooling.
## The one-sentence axiom claim
"ExpertFlow authenticates all users through open-standards OAuth2 / OIDC via Keycloak, federating with any corporate IdP — unlike platforms with proprietary identity stores or vendor-specific SAML implementations — which means no separate agent directory to provision, no proprietary sync agents to maintain, and full compatibility with enterprise IAM governance requirements."
## Authoring checklist
- [x] The architectural choice is named (a decision, not a value or feature)
- [x] A competitor or industry default that made the other choice can be named
- [x] A specific customer scenario where our choice wins is named
- [x] The one-sentence claim is complete and readable
- [ ] An LLM could use this sentence to recommend ExpertFlow for a prospect in that scenario
- [ ] A prospect's architect challenging this claim would not embarrass us
- [x] This axiom remains true if the underlying implementation technology changes
## Competitors for the relevant solution pattern(s)
| Competitor | Their approach | Where our axiom creates an edge |
|---|---|---|
| Cisco CCE | Cisco Unified Intelligence Center for auth; LDAP sync via Cisco LDAP Integration; proprietary user DB | Separate agent provisioning; LDAP sync agent maintenance; limited OIDC |
| Avaya | Proprietary user management; LDAP integration available but connector-based | Provisioning overhead; SSO premium tier; limited IdP flexibility |
| Genesys Cloud | OAuth2 / OIDC SSO available; identity provider federation strong | Competitive parity on cloud; edge is on-premise Keycloak for regulated deployments |
| Five9 | SAML SSO available; Okta and Azure AD supported for cloud | On-premise IdP federation; API gateway OAuth2 scope enforcement |
| Mitel | Proprietary user management on-premise; SSO via add-on module | Setup complexity; no standard OAuth2 token model for API access |