Safecertus

Identity · Secure · Access

The identity provider built for SaaS.

Centralize authentication, enforce MFA, and federate identities across every app in your stack. Open standards, zero vendor lock-in.

What we are

A clean, standards-first identity provider.

Safecertus is an identity provider (IdP) that integrates cleanly with both first-party and third-party applications via OIDC, SAML, and OAuth 2.0. It's built from the ground up as a multi-tenant SaaS backbone — not a retrofit.

  • Centralized authentication

    One login for every app in your stack. Users authenticate once against Safecertus; every service trusts the same identity.

  • Consistent MFA policy

    Enforce TOTP or Push approvals globally. Admins toggle the method per user; the login flow routes to the right factor automatically.

  • Standards-based tokens

    Safecertus issues JWT access + refresh tokens signed with rotating RS256 keys. Each connected service validates via JWKS — no shared secrets.

  • Federated identity

    Link Microsoft, Google, and Apple accounts to a single Safecertus user. Users pick the provider they already trust.

  • Multi-tenant by design

    Built from day one for SaaS ecosystems. Tenants, services, and users are isolated at the database layer.

Background

Quick primer — IdP and MFA in 60 seconds.

If you've never implemented single sign-on or multi-factor auth, here's the ten-thousand-foot view.

What's an identity provider?

An identity provider (IdP) is the single source of truth for user identities across multiple applications. Instead of each app storing its own usernames and passwords, every app delegates login to the IdP.

The result: users sign in once and access everything. Admins manage access in one place. And the authentication logic stays out of each individual app — a huge security win.

Safecertus speaks the three open standards most apps use today: OpenID Connect (OIDC), OAuth 2.0, and SAML 2.0.

Why multi-factor auth?

A password on its own is a single point of failure. Phishing, credential stuffing, and leaked databases mean passwords get compromised every day.

Multi-factor authentication (MFA) adds a second proof of identity — something you have (your phone) on top of something you know (your password).

Safecertus supports two factor types out of the box: a rotating TOTP code from any authenticator app, or a one-tap push approval from the Safecertus mobile app. Admins can enforce either, per user.

Authentication

Three ways to prove it's you.

Pick one per user, or mix them across your tenant. All methods share the same backend audit trail and admin controls.

RFC 6238

TOTP · Time-based one-time password

Six-digit codes that rotate every 30 seconds. Works with any standard authenticator — Google Authenticator, 1Password, Authy, or the Safecertus mobile app.

  • Standard-compliant: scan the QR from any authenticator
  • Offline — works without network once enrolled
  • Secrets encrypted at rest in the Safecertus vault

Safecertus Mobile

Push confirmation

A single tap on your phone approves or rejects a login. No code to type, no code to mistype.

  • Biometric confirmation (Face ID / Touch ID) is mandatory to approve — an unlocked phone isn't enough
  • Approve or reject from the lock screen
  • Each challenge is short-lived and single-use
  • Device-bound via signed tokens — phishing-resistant

OAuth 2.0 · OIDC

Federated login

Bring your own identity. Users sign in with Microsoft, Google, or Apple; Safecertus links the external provider to a first-class Safecertus user.

  • Microsoft · Google · Apple supported out of the box
  • Identity linking — one Safecertus user, many providers
  • Email ownership verified by the upstream provider

Single sign-on

One login. Every app you trust.

When a user authenticates against Safecertus, every service connected via OIDC or SAML instantly trusts that identity. No more repeat logins across your SaaS stack — and no more N copies of the password, either.

  • One login opens every connected service
  • Silent re-auth via refresh tokens — no repeat password prompts
  • Session binding ties the token to the browser that requested it
  • Global logout revokes access everywhere at once

Mobile app

The Safecertus app replaces every authenticator.

A single app for iOS and Android that handles both sides of your MFA: standards-compliant TOTP codes for any service that speaks the protocol, plus one-tap push approvals for services on Safecertus.

  • TOTP for every service

    Drop-in replacement for Google Authenticator, Authy, or 1Password. Any QR that follows RFC 6238 just works.

  • One-tap push approvals

    For Safecertus-protected logins, approve or reject from the lock screen. Each challenge is single-use, device-bound, and requires Face ID or Touch ID to approve — an unlocked phone alone can't confirm a login.

  • Secrets stay on-device

    TOTP seeds and push-device keys live in the phone's secure enclave. Safecertus only sees what it needs to verify a challenge.

Available on iOS (App Store) and Android (Play Store).

Security · Protocols

Standards-first, no surprises.

Every integration speaks well-known RFCs. If your app supports OAuth 2.0, OIDC, or SAML — it connects to Safecertus.

Security features

  • OAuth 2.1 Authorization Code
  • PKCE · Anti-replay
  • Silent SSO · Session binding
  • Refresh-token rotation
  • Global · federated logout
  • RS256 signing + JWKS
  • Tenant-level isolation
  • MFA · TOTP
  • MFA · Push
  • Full audit logs
  • Identity linking (MS · Google · Apple)

Supported protocols

  • OAuth 2.0 — delegated authorization
  • OpenID Connect (OIDC)
  • SAML 2.0 — enterprise federation
  • JWT-based token security
  • RS256 for OIDC exchanges
  • HS256 for backend-frontend channel

RFC alignment

  • RFC 6749 · OAuth 2.0 Authorization Framework
  • RFC 6750 · Bearer Token Usage
  • RFC 7519 · JSON Web Token (JWT)
  • RFC 6238 · Time-based One-Time Password

Architecture

High-level deployment.

  • Single sign-on portal for browser + mobile
  • Central authentication backend — stateless, horizontally scalable
  • Multi-tenant orchestration at the database layer
  • Cloud-native: HTTPS end-to-end, secrets in Azure Key Vault
  • Pluggable methods — new factors drop in without breaking clients

Figure: Safecertus three-tier architecture. The user layer connects to the frontend and MFA/device-enrollment on a VPS on Azure, which in turn communicates with the backend, PostgreSQL, API, and Key Vault inside an Azure Container App.

Why Safecertus

Cloud-grade engineering, SMB pricing.

Cloud-native, containerized backend

  • HTTPS enforced end-to-end, HTTP listeners refused
  • Secrets live outside application code (Azure Key Vault)
  • Stateless backend — scale out without session stickiness
  • Horizontal autoscaling on Container Apps

Vendor-neutral and cloud-agnostic

  • Optimized for SaaS multi-service ecosystems
  • Lower total cost of ownership vs. hyperscaler IAM
  • You own the identity data and the authentication flows
  • Extensible — add new factors or protocols without re-platforming

Built for

Who Safecertus is for.

Safecertus isn't a replacement for Okta at 50,000 seats. It's the right fit when you're building multi-tenant software and need enterprise-grade identity without enterprise friction.

SaaS builders

You're shipping a multi-tenant product and need login, MFA, and RBAC on day one. Safecertus drops in behind your OIDC client and takes care of the rest.

SMBs & startups

Enterprise IAM is priced for enterprise. Safecertus gives you the same standards (OIDC, SAML, MFA, audit) at SMB-friendly economics with full control of your data.

Vertical platforms

Regional or industry-specific SaaS ecosystems. Federate tenants, unify identity across multiple services, and avoid the vendor lock-in of US hyperscalers.

Pricing

Per user, not per service.

One flat rate per user · month. Connect as many services as you want behind it — the price doesn't change.

TOTP · Federated

One factor beyond the password — the standard everybody knows.

$2 USD · user · month
  • Password + TOTP authenticator (any app)
  • Federated login (Microsoft · Google · Apple)
  • Unlimited connected services
  • Full OIDC · SAML · OAuth 2.0 support
  • Audit logs
  • Multi-tenant organization

Contact

Let's talk.

We usually respond within one business day.

Safecertus
Recommended

Push · Passkey

Phishing-resistant factors. Device-bound, one-tap approvals.

$5 USD · user · month
  • Everything in TOTP · Federated, plus:
  • Safecertus mobile app with one-tap push approvals
  • Passkey / FIDO2 support
  • Device enrollment and revocation controls
  • Per-user method override from the admin panel

Volume pricing and enterprise SLAs available — email contact@safecertus.com.

Ready when you are

Start securing your apps today.

Create your Safecertus account, enroll MFA in under a minute, and connect your first service via OIDC or SAML.

Enter Safecertus
