SSO · identity · permissions · self-hosted

Obligate

Centralized SSO gateway for the Obli* ecosystem.

One login, one identity, one permission system. Obligate is the authentication hub that connects Obliview, Obliguard, Oblimap, Obliance and Oblireach — without any of them knowing about each other.


SSO flow

[Diagram: Obliview, Obliguard, Oblimap and Obliance connect over OAuth 2.0 to Obligate (SSO hub: auth · identity · perms), which connects over LDAP / AD to Active Directory.]

OAuth 2.0 SSO · LDAP AD integration · TOTP Two-factor auth · RBAC Permission groups

How it works

One identity, every tool

Users authenticate once on Obligate. Each Obli* app trusts Obligate via OAuth 2.0 — no app stores passwords, no app knows about the others. Permissions, preferences and 2FA are all managed centrally.

OAuth 2.0 SSO

Standard OAuth authorization code flow with 60-second TTL. Unidirectional trust — Obligate issues tokens, apps never see credentials. Anti-loop and session guards built in.

LDAP / Active Directory

Import users from your existing directory. Sync AD groups to Obligate permission groups automatically — when a user's AD membership changes, their app access follows.

Two-factor authentication

TOTP with QR-code provisioning. Users set up 2FA once on Obligate and it protects access to every connected app — no per-app 2FA configuration needed.

Permission groups

Three-level mapping: AD group → Obligate group → per-app role, tenant and team. No mapping means no access — deny by default. Global or tenant-scoped groups.

Centralized preferences

Theme, language, notifications, profile photo — set once, synced to every app. Apps can also register their own preference schemas and Obligate stores them per user.

Multi-tenant

One Obligate instance manages users and permissions across all tenants. Each tenant has isolated data, their own groups and their own role mappings — ideal for MSPs.

Connects to every Obli* tool

Obliview · Obliguard · Oblimap · Obliance · Oblireach

Dashboard

All your apps, all your users, one console

The admin dashboard shows connected apps with live stats, user counts and group mappings. Users see their own "My Apps" grid with only the tools they have access to.

[Screenshot obligate-dashboard.png: Obligate admin dashboard (admin console · connected apps · live stats)]

Permission groups

Map AD groups to app roles

Create permission groups that map your existing Active Directory groups to specific roles, tenants and teams in each Obli* app. No mapping means no access — secure by default.

  • AD group → Obligate group → app role
  • Global or tenant-scoped groups
  • Deny by default — no mapping = no access
  • Dynamic role fetching from each app

[Screenshot obligate-groups.png: Permission groups]
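
The three-level mapping and deny-by-default rule described above, sketched in TypeScript as an added example (not Obligate's own code). The PermissionGroup shape, the resolveAccess function and the sample DNs, tenants and role names are assumptions made for illustration.

```typescript
// Added example with a hypothetical data model; not Obligate's schema or API.
type Grant = { app: string; role: string; tenant: string; team?: string };

interface PermissionGroup {
  name: string;
  tenant: string | null; // null = global group, otherwise scoped to one tenant
  adGroups: string[];    // AD groups mapped onto this Obligate group
  grants: Grant[];       // per-app role / tenant / team mappings
}

// Constructed sample data: DNs, tenants and role names are made up.
const GROUPS: PermissionGroup[] = [
  {
    name: "noc-global", tenant: null,
    adGroups: ["CN=NOC,OU=Groups,DC=example,DC=test"],
    grants: [
      { app: "Obliview", role: "viewer", tenant: "acme" },
      { app: "Obliview", role: "viewer", tenant: "globex" },
    ],
  },
  {
    name: "acme-admins", tenant: "acme",
    adGroups: ["CN=Acme-Admins,OU=Groups,DC=example,DC=test"],
    grants: [
      { app: "Obliguard", role: "admin", tenant: "acme", team: "soc" },
      // Misconfigured on purpose: points outside the group's own tenant.
      { app: "Obliguard", role: "admin", tenant: "globex" },
    ],
  },
];

// Returns every grant the user holds for (app, tenant). Nothing is granted
// unless an explicit mapping chain exists, so [] is the deny-by-default case.
function resolveAccess(userAdGroups: string[], groups: PermissionGroup[],
                       app: string, tenant: string): Grant[] {
  const member = userAdGroups.map((dn) => dn.toLowerCase()); // DNs are case-insensitive
  const out: Grant[] = [];
  for (const g of groups) {
    // Level 1: AD group -> Obligate group
    if (!g.adGroups.some((dn) => member.indexOf(dn.toLowerCase()) !== -1)) continue;
    // A tenant-scoped group can never grant outside its own tenant.
    if (g.tenant !== null && g.tenant !== tenant) continue;
    // Level 2: Obligate group -> per-app role, tenant and team
    for (const x of g.grants) {
      if (x.app === app && x.tenant === tenant) out.push(x);
    }
  }
  return out;
}
```

An empty result means access is refused; the stray cross-tenant grant in the sample data is dropped because its group is scoped to a different tenant.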

User management

Centralized identity

Create local users or import from LDAP/AD. Manage 2FA, toggle active status, assign groups — all from one place. Usernames are immutable across the entire ecosystem.

Local accounts · LDAP import · AD sync · TOTP 2FA · Immutable usernames

[Screenshot obligate-users.png: User management]

Quick deploy

Docker Compose, one command

Obligate ships as Docker images on Docker Hub. Pull, configure your .env and start — the database migrations run automatically on first boot.

Deploy
$ git clone https://github.com/MeeJay/Obligate && cd Obligate
$ cp .env.example .env && nano .env
$ docker compose up -d
✓ Obligate running on http://localhost:3000

Tech stack

Modern, typed, containerized

Node.js + TypeScript · Express.js · React + Vite · PostgreSQL · Docker · LDAP / AD · OAuth 2.0 · TOTP 2FA