Microsoft Teams, SAML 2.0 SSO, RBAC, audit log CSV export, and on-premise Docker deployment — everything your IT team needs to evaluate and deploy AEGIS OS at scale.
What's included, what you need from your IT team, and what AEGIS handles for you.
| Feature | What it does | Who sets it up |
|---|---|---|
| Microsoft Teams | Employees message the AEGIS bot in Teams — full agent intelligence in their existing tool | IT: Azure Bot registration (~30 min) |
| SAML 2.0 SSO | Corporate Microsoft login — no new passwords, automatic user provisioning | IT: Azure AD Enterprise App + SP cert (~45 min) |
| RBAC | Owner vs member roles enforced at the route level, not just hidden in the UI | Admin: assign roles in Settings → Team Members (5 min) |
| Audit CSV export | Full activity log exportable as CSV for compliance and SIEM | Available immediately to owners at /audit → Download CSV |
| On-premise Docker | Complete stack in your datacenter — PostgreSQL, LiteLLM, AEGIS, nginx — no cloud dependency | IT: Ubuntu server + Docker (~2–3h) |
Employees message the AEGIS bot in Teams — same agent intelligence and KB context, no new tool to learn.
The Teams connector uses the Azure Bot Framework. All message processing happens on your AEGIS server — Teams is only the delivery layer. The connector works identically to the Telegram channel from the agent's perspective.
Go to portal.azure.com → Create a resource → Azure Bot. Choose "Multi-tenant" registration type. Note the Microsoft App ID and generate a Client Secret in the Certificates & Secrets section.
In the Azure Bot resource → Configuration → Messaging Endpoint, enter:

```
https://your-aegis-domain.com/api/webhooks/teams/inbound
```

Then in AEGIS: Settings → Integrations → Microsoft Teams → paste your App ID and Client Secret → Save.
Add the following to your environment and restart the service:

```
TEAMS_ENABLED=true
TEAMS_APP_ID=your-app-id
TEAMS_APP_PASSWORD=your-client-secret
```

In Teams Admin Center → Manage apps → add the bot using the App ID. Employees can then find it by searching "@AEGIS" in any Teams channel or direct message.
Send a test message to the bot, then check /channel-log in AEGIS — the message should appear with source=teams within a few seconds.
Employees log in with their existing corporate account — no new password, automatic provisioning on first login. Works with Azure AD / Entra ID, Okta, Google Workspace / Cloud Identity, OneLogin, Ping Identity, JumpCloud, Keycloak, and ADFS — any SAML 2.0-compliant IdP. The steps below use Azure AD as the example; the SP Entity ID and ACS URL are identical for all providers. Native OAuth/OIDC tiles for Okta and Google are on the roadmap.
Run this on your server — the cert is valid for 10 years:

```bash
openssl req -newkey rsa:2048 -nodes \
  -keyout saml_sp.key -x509 -days 3650 \
  -out saml_sp.crt \
  -subj "/C=DE/O=YourCompany/CN=your-aegis-domain.com"

# Extract base64 bodies (no headers):
grep -v "^-----" saml_sp.crt | tr -d '\n'   # → SAML_SP_CERT
grep -v "^-----" saml_sp.key | tr -d '\n'   # → SAML_SP_KEY
```

Add both values to your environment:

```
SAML_SP_CERT=MIID...your-base64-cert...
SAML_SP_KEY=MIIEv...your-base64-key...
```

Then restart the service. The SP metadata becomes available at /saml/metadata.
Azure Portal → Azure Active Directory → Enterprise Applications → New application → Create your own. Select "Integrate any other application you don't find in the gallery".
Single Sign-On → SAML. Set the Basic SAML Configuration fields as follows:

| Azure AD field | Value |
|---|---|
| Identifier (Entity ID) | https://your-aegis-domain.com/saml/metadata |
| Reply URL (Assertion Consumer Service URL) | https://your-aegis-domain.com/saml/acs |
| Sign on URL | https://your-aegis-domain.com/saml/redirect?tenant=YOUR_TENANT_ID |

Download the Federation Metadata XML from the SAML Signing Certificate section.
Settings → Integrations → SAML → paste the XML → Save. Employees will now see a "Continue with Microsoft" button on the AEGIS login page. First login provisions their account automatically as member role.
Keep saml_sp.key secure — never commit it to git. The .env file should be in your .gitignore. Rotate the SP certificate before it expires (10 years from generation).
Two roles enforced at the route level — not just hidden in the UI.
| Capability | owner | member |
|---|---|---|
| Use all 8 agents | ✅ | ✅ |
| View CRM pipeline | ✅ | ✅ |
| View audit log | ✅ | ✅ |
| Export audit CSV | ✅ | — |
| Manage integrations | ✅ | — (403) |
| View/change billing | ✅ | — (403) |
| Manage team members | ✅ | — (403) |
| Admin panel (/admin) | Super-admin only | — |
To change a user's role: Settings → Team Members → click the role badge next to their name. SSO-provisioned users default to member on first login.
Create a member account to show RBAC live. Navigate to /subscription/success while logged in as member — the 403 page proves the enforcement is at the route level, not just UI-hidden.
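A minimal illustration of route-level role enforcement as described in the table above, added here as an example; it is not AEGIS's own code, and the framework-neutral session dict, the `require_role` decorator, the `Forbidden` exception and the handler names are assumptions.

```python
from functools import wraps

# Role ranks as used on this page: owner outranks member. An unknown or
# missing role ranks lowest, so a malformed session can never escalate.
ROLE_RANK = {"member": 1, "owner": 2}

class Forbidden(Exception):
    """Raised inside the route; the web layer turns it into HTTP 403."""
    status = 403

def require_role(minimum):
    """Decorator that enforces a minimum role on a route handler.

    The check runs on every request, so a member who types the URL of
    an owner-only page still receives a 403 even though the UI never
    showed them a link to it.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(session, *args, **kwargs):
            role = session.get("role", "member")  # SSO users default to member
            if ROLE_RANK.get(role, 0) < ROLE_RANK[minimum]:
                raise Forbidden(f"role {role!r} may not access {handler.__name__}")
            return handler(session, *args, **kwargs)
        return wrapper
    return decorator

# Hypothetical handlers mirroring rows of the capability table above.
@require_role("member")
def view_audit_log(session):
    return 200          # both roles may read the log

@require_role("owner")
def export_audit_csv(session):
    return 200          # owner only: matches the "Export audit CSV" row

@require_role("owner")
def subscription_success(session):
    return 200          # billing page used in the 403 demo above

def dispatch(handler, session):
    """Return the HTTP status this route produces for the given session."""
    try:
        return handler(session)
    except Forbidden as exc:
        return exc.status
```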
Export a date-ranged activity log for compliance reviews, GDPR data subject requests, or SIEM ingestion.
Navigate to /audit as an owner → click Download CSV. Optionally set a date range using the filter controls before downloading.
```http
GET /api/audit/export?format=csv&start=2026-01-01&end=2026-04-30
Authorization: Session cookie (owner role required)
```

The CSV is sanitised against injection — all fields containing formula characters are prefixed with a tab, making it safe to open directly in Excel or load into a SIEM.
Run the complete AEGIS stack inside your own datacenter. No data ever leaves your network. 2–3 hours from a clean Ubuntu 22.04 server.
The full guide is in docs/ENTERPRISE_DEPLOYMENT.md — ask us for a copy at [email protected].
| Service | Image | Role |
|---|---|---|
| postgres | pgvector/pgvector:pg16 | Primary DB + vector search (768-dim embeddings) |
| litellm | ghcr.io/berriai/litellm:main-latest | AI model router — Groq → Gemini → Ollama failover |
| app | Built from app/Dockerfile | AEGIS web application (Gunicorn, 4 workers) |
| nginx | nginx:alpine | TLS termination + reverse proxy |
| ollama (optional) | ollama/ollama:latest | Local LLM inference — fully air-gapped operation |
| whatsapp-qr (optional) | Built from whatsapp-qr-service/ | WhatsApp QR microservice |
```bash
# 1. Clone the repository
git clone https://github.com/bencarkaxhia/aegis-platform.git /opt/aegis
cd /opt/aegis

# 2. Configure environment
cp .env.enterprise.example .env
# Edit .env — at minimum: POSTGRES_PASSWORD, SECRET_KEY, APP_BASE_URL

# 3. Start the stack
docker compose -f docker-compose.enterprise.yml up -d --build

# 4. Verify all services are healthy
docker compose -f docker-compose.enterprise.yml ps
```

Optional: local LLM inference with Ollama.

```bash
# Start with Ollama profile (GPU recommended)
docker compose -f docker-compose.enterprise.yml --profile local-llm up -d

# Pull models inside the container
docker exec aegis-ollama ollama pull llama3.3:70b
docker exec aegis-ollama ollama pull nomic-embed-text
```

| Tenants | Concurrent users | Recommended spec |
|---|---|---|
| 1–5 | up to 20 | 4 vCPU / 8 GB RAM / 40 GB SSD |
| 5–20 | up to 100 | 8 vCPU / 16 GB RAM / 100 GB SSD |
| 20+ | >100 | 16 vCPU / 32 GB RAM / 200 GB SSD + managed PostgreSQL |
Run these before a demo or production go-live to confirm all enterprise features are working.
```bash
# 1. Service health
curl https://your-aegis-domain.com/health
# Expected: {"status": "ok", ...}

# 2. Teams webhook endpoint active (when TEAMS_ENABLED=true)
curl -I https://your-aegis-domain.com/api/webhooks/teams/inbound
# Expected: 405 Method Not Allowed (GET not allowed, but endpoint exists)

# 3. SAML metadata reachable
curl https://your-aegis-domain.com/saml/metadata
# Expected: XML with EntityDescriptor

# 4. Audit CSV export works
# GET https://your-aegis-domain.com/api/audit/export?format=csv
# Expected: CSV file download (owner session required)

# 5. RBAC blocks member
# Log in with member account → navigate to /subscription/success
# Expected: 403 Forbidden

# 6. SSO button visible
# Open /login → "Continue with Microsoft" button must be visible

# 7. Teams card in Settings
# Open /settings → Integrations tab → Microsoft Teams card must be present
```