Enterprise Security at Yast: SSO, SAML, and Audit Logs

A detailed look at how Yast meets enterprise security requirements with SSO, SAML 2.0, directory sync, audit logs, and role-based access controls.

Vivek

When enterprises evaluate AI platforms, security and compliance are not nice-to-haves. They are hard requirements that determine whether a tool gets past the procurement process or dies in a security review. We built Yast's security infrastructure to meet these requirements from day one, not as an afterthought bolted onto a product that was never designed for enterprise use.

Single Sign-On (SSO)

Yast supports SSO through SAML 2.0 and OpenID Connect (OIDC). Employees authenticate through their organization's identity provider (Okta, Azure AD, Google Workspace, OneLogin, or any SAML-compliant provider) and are automatically provisioned in Yast without creating separate credentials.

SSO is not just a convenience feature. It is a security control. When an employee leaves the organization and their IdP account is deactivated, their Yast access is revoked immediately. There are no orphaned accounts, no forgotten passwords, and no shared credentials floating around.

We enforce SSO at the organization level, meaning individual users cannot bypass it by creating accounts with email and password. Once SSO is enabled for an organization, it is the only way in. This eliminates the shadow IT problem where employees create personal accounts that are not governed by company security policies.

SAML 2.0 Configuration

Setting up SAML with Yast follows the standard flow that IT teams are familiar with. The admin configures the SAML connection in Yast's security settings, providing the IdP metadata URL or uploading the metadata XML. Yast generates the service provider metadata that gets imported into the IdP.

We support IdP-initiated and SP-initiated login flows, signed authentication requests, encrypted assertions, and configurable name ID formats. For organizations with strict security policies, we support SHA-256 signature algorithms and can enforce specific certificate requirements.

The SAML configuration also supports multiple IdPs for organizations that are going through mergers, acquisitions, or transitions between identity providers. Users from different IdPs can coexist in the same Yast organization with appropriate role mappings.

Directory Sync (SCIM)

SAML handles authentication, but directory sync handles provisioning and deprovisioning. Yast implements the SCIM 2.0 protocol for automated user lifecycle management.

When a new employee is added to the identity provider and assigned the Yast application, their Yast account is created automatically with the appropriate role and permissions. When they change departments or roles, their Yast permissions update to match. When they leave the organization, their account is deactivated and their agent access is revoked.

This automation eliminates the manual provisioning workflow that plagues many SaaS tools: filing a ticket with IT, waiting for account creation, manually setting permissions, and hoping someone remembers to deactivate the account when the employee leaves.

Directory sync also supports group-based provisioning. IT teams can map IdP groups to Yast roles, so all members of the "Sales Ops" group automatically get the right permissions for sales-related agents, while members of the "Engineering" group get access to development-focused agents.

Audit Logs

Every action in Yast is logged in an immutable audit trail. This includes user authentication events, agent creation and modification, agent execution history, tool connection changes, permission changes, and administrative actions.

Audit logs capture who did what, when they did it, from which IP address, and using which session. For agent executions, the logs record which tools were accessed, how many API calls were made, and the duration of each step (without recording the actual business data that flowed through the execution, consistent with our zero data storage policy).

Logs are retained for a configurable period, with enterprise plans offering retention of up to seven years to meet regulatory requirements. Logs can be exported in structured formats for ingestion into SIEM tools like Splunk, Datadog, or Elastic.

We also provide real-time log streaming via webhook for organizations that want to monitor Yast activity in their existing security operations center. Any authentication failure, permission change, or unusual activity pattern can trigger immediate alerts through your existing monitoring infrastructure.
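The alerting described above (authentication failures, permission changes, unusual activity patterns) is the kind of logic a SOC would run over the streamed or exported audit events. The following is an added example, not code from Yast or from this post: it parses a few constructed JSON-lines audit events in a hypothetical layout (the field names `ts`, `actor`, `action`, `outcome`, `ip`, `session`, `target` are assumptions, not Yast's real export schema) and raises an alert for every permission change and for repeated login failures from one IP inside a sliding window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not Yast's actual export format).
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "actor": "alice@example.com", "action": "auth.login", "outcome": "success", "ip": "203.0.113.10", "session": "s-1"}
{"ts": "2024-05-01T09:01:00Z", "actor": "bob@example.com", "action": "auth.login", "outcome": "failure", "ip": "198.51.100.7", "session": null}
{"ts": "2024-05-01T09:01:30Z", "actor": "bob@example.com", "action": "auth.login", "outcome": "failure", "ip": "198.51.100.7", "session": null}
{"ts": "2024-05-01T09:02:10Z", "actor": "carol@example.com", "action": "auth.login", "outcome": "failure", "ip": "198.51.100.7", "session": null}
{"ts": "2024-05-01T09:05:00Z", "actor": "alice@example.com", "action": "permission.change", "outcome": "success", "ip": "203.0.113.10", "session": "s-1", "target": "dave@example.com", "detail": "role: Viewer -> Organization Admin"}
{"ts": "2024-05-01T09:07:00Z", "actor": "alice@example.com", "action": "agent.run", "outcome": "success", "ip": "203.0.113.10", "session": "s-1", "agent": "weekly-report"}
"""


def parse_events(text):
    """Parse JSON-lines audit events, converting the ISO-8601 timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_alerts(events, failure_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for every permission change and for repeated login failures per source IP.

    The failure rule keeps a per-IP sliding window of failure timestamps and fires exactly
    once when the count reaches failure_threshold inside the window, so a burst of failures
    does not produce one alert per event.
    """
    alerts = []
    failures_by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "permission.change":
            alerts.append({
                "rule": "permission_change",
                "actor": ev["actor"],
                "target": ev.get("target"),
                "detail": ev.get("detail"),
                "ts": ev["ts"],
            })
        if ev["action"] == "auth.login" and ev["outcome"] == "failure":
            bucket = failures_by_ip[ev["ip"]]
            bucket.append(ev["ts"])
            cutoff = ev["ts"] - window
            bucket[:] = [t for t in bucket if t >= cutoff]  # drop failures outside the window
            if len(bucket) == failure_threshold:
                alerts.append({
                    "rule": "repeated_auth_failure",
                    "ip": ev["ip"],
                    "count": len(bucket),
                    "ts": ev["ts"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data this yields two alerts: one for the three failures from 198.51.100.7 within two minutes (note that the rule keys on source IP rather than on account, so failures spread across several usernames still count together), and one for the role change applied to dave@example.com. Feeding the same function a webhook stream instead of a file only changes the parser, not the rules.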

Role-Based Access Control

Yast implements granular role-based access control (RBAC) that governs who can create agents, who can run them, who can view results, and who can modify configurations.

Organization Admin: Full control over organization settings, billing, security configuration, and user management. Can create, modify, and delete any agent.

Agent Builder: Can create new agents and modify agents they own. Can connect tools within their authorized scope. Cannot modify organization settings or manage other users.

Agent Operator: Can run agents and view results. Cannot create or modify agent configurations. This role is ideal for team members who use agents daily but should not change how they work.

Viewer: Read-only access to agent results and dashboards. Cannot run, create, or modify agents. Useful for stakeholders who need visibility without operational access.

Custom roles can be created to fit specific organizational needs. Permissions are granular enough to allow, for example, a user who can run sales agents but not engineering agents, or a user who can modify agent descriptions but not tool connections.
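The group-to-role mapping from the directory sync section and the role model in this section fit together in one authorization path: SCIM delivers a user's group memberships and active flag, group names map to roles, and each role carries scoped permissions. The following is an added example, not Yast's code: it models the four built-in roles plus one custom "Sales Operator" role (permission strings, scope names, the `GROUP_TO_ROLE` table, and the SCIM-style user payloads are all assumptions constructed for illustration), provisions users from SCIM-like resources, and checks actions against agents, including the "can run sales agents but not engineering agents" case and deprovisioning via `active: false`.

```python
from dataclasses import dataclass, field

# Role -> set of (action, scope). Scope "*" matches any agent, "own" matches agents the
# user owns, and any other value matches an agent category (e.g. "sales").
# The four built-in roles follow the post; "Sales Operator" is a constructed custom role.
ROLE_PERMISSIONS = {
    "Organization Admin": {("create", "*"), ("modify", "*"), ("delete", "*"),
                           ("run", "*"), ("view", "*"), ("manage_org", "*")},
    "Agent Builder": {("create", "*"), ("modify", "own"), ("run", "*"), ("view", "*")},
    "Agent Operator": {("run", "*"), ("view", "*")},
    "Viewer": {("view", "*")},
    "Sales Operator": {("run", "sales"), ("view", "sales")},
}

# IdP group display name -> role (hypothetical mapping an IT team would configure).
GROUP_TO_ROLE = {
    "Sales Ops": "Sales Operator",
    "Engineering": "Agent Builder",
    "Leadership": "Viewer",
}

# Constructed SCIM-style user resources as an IdP would push them.
SAMPLE_SCIM_USERS = {
    "sam": {"userName": "sam@example.com", "active": True,
            "groups": [{"value": "g-1", "display": "Sales Ops"}]},
    "eve": {"userName": "eve@example.com", "active": True,
            "groups": [{"value": "g-2", "display": "Engineering"}]},
    "sam_offboarded": {"userName": "sam@example.com", "active": False,
                       "groups": [{"value": "g-1", "display": "Sales Ops"}]},
}


@dataclass
class Agent:
    name: str
    category: str
    owner: str


@dataclass
class User:
    email: str
    roles: set = field(default_factory=set)
    active: bool = True


# Constructed agents used by the checks below.
SALES_AGENT = Agent("lead-enrichment", "sales", "alice@example.com")
ENG_AGENT = Agent("ci-triage", "engineering", "eve@example.com")


def provision_from_scim(resource, group_to_role):
    """Derive a User from a SCIM-style resource: roles come only from mapped groups,
    and an inactive resource yields a deactivated user that can do nothing."""
    roles = {group_to_role[g["display"]] for g in resource.get("groups", [])
             if g["display"] in group_to_role}
    return User(email=resource["userName"], roles=roles,
                active=resource.get("active", True))


def is_allowed(user, action, agent):
    """Deny by default; allow only if some role grants the action in a matching scope."""
    if not user.active:
        return False
    for role in user.roles:
        for perm_action, scope in ROLE_PERMISSIONS.get(role, set()):
            if perm_action != action:
                continue
            if scope == "*" or scope == agent.category or \
               (scope == "own" and agent.owner == user.email):
                return True
    return False


if __name__ == "__main__":
    sam = provision_from_scim(SAMPLE_SCIM_USERS["sam"], GROUP_TO_ROLE)
    print("sam runs sales agent:", is_allowed(sam, "run", SALES_AGENT))      # True
    print("sam runs eng agent:", is_allowed(sam, "run", ENG_AGENT))          # False
```

The deny-by-default shape matters more than the particular role table: an unmapped IdP group grants nothing, a deactivated SCIM resource removes all access regardless of roles, and the "own" scope is resolved against the agent's owner rather than trusted from the request.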

Data Encryption

All data in transit is encrypted with TLS 1.3. Data at rest, including agent configurations, execution logs, and connection credentials, is encrypted with AES-256 using per-tenant encryption keys.

Connection credentials (OAuth tokens, API keys) receive an additional layer of encryption with a key management system that supports automatic key rotation. Decrypted credentials exist only in memory during agent execution and are never written to disk in plaintext.

Compliance Certifications

Yast maintains rigorous security standards, audited regularly by independent third-party firms. Our security program covers availability, confidentiality, and data protection trust criteria.

We are also compliant with GDPR requirements for data processing, including data processing agreements (DPAs) for EU customers, documented sub-processor lists, and standard contractual clauses for cross-border data transfers.

For organizations subject to HIPAA, we offer a Business Associate Agreement (BAA) and additional controls appropriate for handling protected health information through agent workflows.

Security as a Foundation

Security at Yast is not a layer painted on top of the product. It is woven into the architecture. The zero data storage design, the encryption at every level, the comprehensive audit logging, and the enterprise authentication support all work together to create a platform that IT and security teams can approve with confidence.

We publish a detailed security whitepaper that covers our infrastructure, processes, and controls in depth. Enterprise customers also receive direct access to our security team for architecture reviews and compliance questions.
