Identity, channel, access, audit, and private deployment controls for teams that need AEGIS to watch business seams without turning into an autonomous executor or another unmanaged tool.
What's implemented, what needs customer configuration, and how the portal remains the control plane for approval, evidence, memory, and audit.
| Feature | What it does | Who sets it up |
|---|---|---|
| Microsoft Teams | Connector path via Azure Bot so employees can reach AEGIS from Teams while AEGIS keeps approvals and audit in the portal | IT: Azure Bot registration + tenant mapping |
| SAML 2.0 SSO | Corporate identity path through any SAML 2.0-compliant IdP | IT: Enterprise App + SP certificate + metadata |
| RBAC | Owner vs member roles enforced at the route layer, not only hidden in the UI | Admin: assign roles in Settings → Team Members |
| Agent Control | Per-agent Control tab for source grants, Skill grants, routing status, approval gate, recent runs, recent policy decisions, and accepted memory boundaries | Admin: configure at /agents → Control |
| Channel reliability | Telegram intake records each source event before processing, then tracks terminal outcomes and retries so duplicate delivery does not become duplicate action | AEGIS platform default; reviewed during pilot verification |
| Audit CSV export | Activity trail exportable as CSV for compliance review, SIEM ingestion, or a diligence packet | Owners at /audit → Download CSV |
| Private deployment | Docker-based path for customer-controlled infrastructure, model routing, backup, and data boundary choices | IT + AEGIS deployment walkthrough |
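The "Channel reliability" row describes an idempotent intake pattern: record the source event under the channel's own message id before doing anything, mark a terminal outcome, and let a redelivery find that outcome instead of acting twice. The block below is an added illustration of that pattern and is not AEGIS code; `IntakeStore`, `SourceEvent`, `handle_delivery` and the retry cap are hypothetical names and values, and the in-memory dict stands in for a database table with a unique (source, event id) key.

```python
"""Idempotent chat-channel intake: record first, act once, let redelivery find
the recorded outcome. Added illustration, not AEGIS code; all names are
hypothetical and the dict below stands in for a uniquely keyed DB table."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PENDING, DONE, FAILED = "pending", "done", "failed"   # DONE and FAILED are terminal
MAX_ATTEMPTS = 3                                       # assumed retry cap


@dataclass
class SourceEvent:
    source: str        # e.g. "telegram"
    event_id: str      # the channel's own message/update id: the dedupe key
    text: str
    status: str = PENDING
    attempts: int = 0


@dataclass
class IntakeStore:
    events: Dict[Tuple[str, str], SourceEvent] = field(default_factory=dict)

    def record(self, source: str, event_id: str, text: str) -> SourceEvent:
        """Insert the event if unseen, otherwise return the existing row
        (a real store does this with an INSERT on a unique key)."""
        key = (source, event_id)
        if key not in self.events:
            self.events[key] = SourceEvent(source, event_id, text)
        return self.events[key]


def handle_delivery(store: IntakeStore, source: str, event_id: str, text: str,
                    action: Callable[[str], None]) -> str:
    """Process one delivery and return its outcome: 'done' (acted now),
    'duplicate' (already acted on, nothing run), 'retry' (action failed,
    may be redelivered) or 'exhausted' (retry cap reached)."""
    ev = store.record(source, event_id, text)   # recorded before any side effect
    if ev.status == DONE:
        return "duplicate"
    if ev.status == FAILED and ev.attempts >= MAX_ATTEMPTS:
        return "exhausted"
    # PENDING here means an earlier attempt crashed between record and outcome,
    # so trying is safe; FAILED below the cap is retried as well.
    ev.attempts += 1
    try:
        action(ev.text)
    except Exception:
        ev.status = FAILED
        return "retry"
    ev.status = DONE
    return "done"


def run_demo() -> Tuple[List[str], int]:
    """Replay constructed deliveries (not a captured log); return the outcome of
    each delivery and how many times the action actually ran."""
    calls = {"n": 0}
    flaky_left = {"m2": 1}   # m2 fails on its first attempt, then succeeds

    def action(text: str) -> None:
        calls["n"] += 1
        if text == "always-fails":
            raise RuntimeError("downstream unavailable")
        if flaky_left.get(text, 0) > 0:
            flaky_left[text] -= 1
            raise RuntimeError("transient error")

    store = IntakeStore()
    deliveries = [
        ("telegram", "1001", "m1"), ("telegram", "1001", "m1"),   # duplicate delivery
        ("telegram", "1002", "m2"), ("telegram", "1002", "m2"),   # transient failure, then success
        ("telegram", "1003", "always-fails"), ("telegram", "1003", "always-fails"),
        ("telegram", "1003", "always-fails"), ("telegram", "1003", "always-fails"),
    ]
    outcomes = [handle_delivery(store, s, i, t, action) for s, i, t in deliveries]
    return outcomes, calls["n"]


if __name__ == "__main__":
    print(run_demo())
```

The important ordering is inside `handle_delivery`: the event row exists before the action runs, so a second copy of the same message arriving mid-flight or after a crash never becomes a second action, while a genuine failure is retried up to the cap and then parked as exhausted for a human to look at.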
Employees can message AEGIS from Teams after Azure Bot setup, while the tenant backend still controls context, approvals, logging, and memory.
The Teams connector uses the Azure Bot Framework. Teams is the delivery layer; message processing, retrieval, approval logic, and audit stay on the tenant's AEGIS backend. The portal remains the evidence and control plane.
Go to portal.azure.com → Create a resource → Azure Bot. Choose the "Multi-tenant" registration type. Note the Microsoft App ID and generate a Client Secret under Certificates & Secrets; treat that secret like any other credential and keep it out of source control.
In the Azure Bot resource → Configuration → Messaging Endpoint, enter:

```
https://your-aegis-domain.com/api/webhooks/teams/inbound
```

In AEGIS: Settings → Integrations → Microsoft Teams → paste your App ID and Client Secret → Save.
Add the following to your environment and restart the service:

```
TEAMS_ENABLED=true
TEAMS_APP_ID=your-app-id
TEAMS_APP_PASSWORD=your-client-secret
```

In Teams Admin Center → Manage apps → add the bot using the App ID. Employees can then reach AEGIS from a Teams channel or direct message where tenant policy allows it.
Verify: send a test message from Teams, then open /channel-log in AEGIS; the message should appear with source=teams and the expected tenant mapping.
Employees can log in with their existing corporate account after IdP configuration. The path supports Azure AD / Entra ID, Okta, Google Workspace / Cloud Identity, OneLogin, Ping Identity, JumpCloud, Keycloak, and ADFS through SAML 2.0. The steps below use Azure AD as the example; SP Entity ID and ACS URL are the same pattern for other providers. Native OAuth/OIDC tiles for Okta and Google are on the roadmap.
Run this on your server; the certificate is valid for 10 years:

```bash
openssl req -newkey rsa:2048 -nodes \
  -keyout saml_sp.key -x509 -days 3650 \
  -out saml_sp.crt \
  -subj "/C=DE/O=YourCompany/CN=your-aegis-domain.com"

# Extract base64 bodies (no PEM headers):
grep -v "^-----" saml_sp.crt | tr -d '\n'   # → SAML_SP_CERT
grep -v "^-----" saml_sp.key | tr -d '\n'   # → SAML_SP_KEY
```

Set both values in the environment:

```
SAML_SP_CERT=MIID...your-base64-cert...
SAML_SP_KEY=MIIEv...your-base64-key...
```

Then restart the service. The SP metadata becomes available at /saml/metadata.
Azure Portal → Azure Active Directory → Enterprise Applications → New application → Create your own. Select "Integrate any other application you don't find in the gallery".
Single Sign-On → SAML. Set:

| Azure AD field | Value |
|---|---|
| Identifier (Entity ID) | https://your-aegis-domain.com/saml/metadata |
| Reply URL (Assertion Consumer Service URL) | https://your-aegis-domain.com/saml/acs |
| Sign on URL | https://your-aegis-domain.com/saml/redirect?tenant=YOUR_TENANT_ID (replace YOUR_TENANT_ID with your AEGIS tenant ID; once the email domain is registered, below, you can switch to the /sso form) |

Download the Federation Metadata XML from the SAML Signing Certificate section.
In AEGIS: Settings → Team → Enterprise SSO Configuration. Paste the Federation Metadata XML, set your company email domain (e.g. airfranceklm.com), choose the default role for new joiners, and save.
AEGIS uses the domain to route employees to the right workspace on login, so no tenant ID is needed: employees type their corporate email on the login page and are redirected to the matching Microsoft SSO flow. First login provisions their account with the configured default role.
Once the domain is registered, you can update the Sign-on URL in Azure AD to the simpler email-lookup form: https://your-aegis-domain.com/sso
Keep saml_sp.key secure and never commit it to git; the .env file belongs in .gitignore. Rotate the SP certificate before it expires (10 years from generation) and share the refreshed SP metadata with the IdP when you do.
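After the restart, the two things worth confirming before touching the IdP are that the published SP metadata carries the URLs you entered in Azure AD and that the certificate in it is the one whose base64 body you put in SAML_SP_CERT (pasting the PEM headers along with the body is the usual mistake). The checker below is an added example, not AEGIS code: `check_sp_metadata` is a hypothetical helper, and `SAMPLE_METADATA` is a constructed document in the shape SAML SP metadata takes, not output captured from a deployment. It uses only the standard library.

```python
"""Sanity-check the SP metadata AEGIS publishes at /saml/metadata against the
configured base URL and SAML_SP_CERT. Added example, not AEGIS code; the
sample metadata below is constructed, not captured."""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://your-aegis-domain.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIDexampleCERTBODY==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://your-aegis-domain.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text: str, base_url: str, sp_cert_env: str) -> List[str]:
    """Return a list of problems; an empty list means the metadata matches the
    deployment base URL and the SAML_SP_CERT value the service started with."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    expected_entity = base_url + "/saml/metadata"
    if root.get("entityID") != expected_entity:
        problems.append("entityID %r != %s" % (root.get("entityID"), expected_entity))
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no md:SPSSODescriptor"]
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is not true: unsigned assertions would be accepted")
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS) if a.get("Binding") == HTTP_POST]
    expected_acs = base_url + "/saml/acs"
    if not acs:
        problems.append("no HTTP-POST AssertionConsumerService")
    elif acs[0].get("Location") != expected_acs:
        problems.append("ACS Location %r != %s" % (acs[0].get("Location"), expected_acs))
    # The env value must be the base64 body only; leftover PEM headers are a common mistake.
    if "-----BEGIN" in sp_cert_env:
        problems.append("SAML_SP_CERT still contains PEM headers; use the base64 body only")
    env_body = "".join(sp_cert_env.split())
    published = ["".join(c.text.split()) for c in
                 sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                 if c.text]
    if not published:
        problems.append("no X509Certificate published in metadata")
    elif env_body not in published:
        problems.append("certificate in metadata does not match SAML_SP_CERT")
    return problems


if __name__ == "__main__":
    # Against a live deployment: fetch base_url + "/saml/metadata" and pass its body
    # here together with the SAML_SP_CERT value from .env.
    print(check_sp_metadata(SAMPLE_METADATA, "https://your-aegis-domain.com", "MIIDexampleCERTBODY=="))
```

Whitespace is stripped from both sides before the certificate comparison because metadata generators commonly wrap the base64 body across lines.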
Two roles, enforced at the route level rather than only hidden in the UI.
| Capability | owner | member |
|---|---|---|
| Use all 8 agents | ✓ | ✓ |
| View CRM pipeline | ✓ | ✓ |
| View audit log | ✓ | ✓ |
| Export audit CSV | ✓ | ✗ |
| Manage integrations | ✓ | ✗ (403) |
| View/change billing | ✓ | ✗ (403) |
| Manage team members | ✓ | ✗ (403) |
| Admin panel (/admin) | Super-admin only | ✗ |
To change a user's role: Settings → Team Members → click the role badge next to their name. SSO-provisioned users default to member on first login.
Use a member account to show RBAC live: navigate to /subscription/success while logged in as member. The 403 page proves the enforcement is at the route level, not just hidden in the UI.
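What "enforced at the route level" means in code: the role check is bound to the route when it is registered, so a direct request to an owner-only path gets a 403 whether or not the UI ever showed a link to it. The block below is an added example written for this page and is not AEGIS code; the router, `require_role`, the three handlers and the role ordering (owner above member, super-admin left out) are hypothetical stand-ins for the real route layer.

```python
"""Route-level role enforcement. Added example, not AEGIS code; the router,
decorator, handlers and role ordering are hypothetical stand-ins."""
from functools import wraps
from typing import Callable, Dict, Tuple

ROLE_RANK = {"member": 1, "owner": 2}   # assumed ordering
Session = Dict[str, str]
Handler = Callable[[Session], str]


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def require_role(minimum: str) -> Callable[[Handler], Handler]:
    """Decorator that rejects the request before the handler body runs."""
    def deco(handler: Handler) -> Handler:
        @wraps(handler)
        def wrapped(session: Session) -> str:
            role = session.get("role")
            if role is None:
                raise Unauthenticated("login required")
            if ROLE_RANK.get(role, 0) < ROLE_RANK[minimum]:
                raise Forbidden("%s role required, session has %s" % (minimum, role))
            return handler(session)
        return wrapped
    return deco


ROUTES: Dict[str, Handler] = {}


def route(path: str, minimum: str = "member"):
    """Register a handler with its role check attached, so every request that
    reaches dispatch() passes the check, link in the UI or not."""
    def deco(handler: Handler) -> Handler:
        ROUTES[path] = require_role(minimum)(handler)
        return handler
    return deco


@route("/audit")                               # owner and member
def audit_page(session: Session) -> str:
    return "audit log for " + session["user"]


@route("/api/audit/export", minimum="owner")   # owner only
def audit_export(session: Session) -> str:
    return "csv"


@route("/subscription/success", minimum="owner")
def subscription_success(session: Session) -> str:
    return "billing"


def dispatch(path: str, session: Session) -> Tuple[int, str]:
    """Minimal request pipeline returning (status, body) like a real route layer."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(session)
    except Unauthenticated as e:
        return 401, str(e)
    except Forbidden as e:
        return 403, str(e)


if __name__ == "__main__":
    member = {"user": "m@example.com", "role": "member"}
    print(dispatch("/subscription/success", member))   # (403, ...)
```

The contrast with UI-only gating is that nothing in the handler bodies checks the role; a handler cannot be reached by any path that skips the decorator, so a hand-crafted request is treated exactly like a click.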
Export a date-ranged activity log for compliance reviews, GDPR-aligned controls, diligence packets, or SIEM ingestion.
Navigate to /audit as an owner โ click Download CSV. Optionally set a date range using the filter controls before downloading.
```http
GET /api/audit/export?format=csv&start=2026-01-01&end=2026-04-30
Authorization: Session cookie (owner role required)
```

The CSV is sanitised against spreadsheet formula injection: every field that begins with a formula character (such as =, +, -, or @) is prefixed with a tab, so the file is safe to open directly in Excel or load into a SIEM.
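Why the tab prefix matters: an audit trail contains attacker-influenced strings (a note body, a deal name), and a proper CSV writer will quote a field such as `=HYPERLINK(...)` but a spreadsheet unquotes it and still evaluates the leading `=`. The block below, an added example and not AEGIS's exporter, shows the vulnerable export beside the hardened one using the tab-prefix scheme the page describes; `SAMPLE_ROWS` is a constructed audit trail, and `export_unsafe`, `export_safe` and `csv_safe_field` are hypothetical names.

```python
"""CSV export with and without formula-injection hardening. Added example, not
AEGIS code; SAMPLE_ROWS is constructed and the function names are hypothetical."""
import csv
import io
from typing import List, Sequence

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

SAMPLE_ROWS: List[Sequence[str]] = [   # constructed, not a real audit trail
    ("timestamp", "actor", "action", "detail"),
    ("2026-03-02T10:15:00Z", "owner@example.com", "note.created",
     '=HYPERLINK("http://evil.example/x","Open report")'),   # attacker-supplied note text
    ("2026-03-02T10:16:00Z", "member@example.com", "deal.updated", "-15% discount applied"),
    ("2026-03-02T10:17:00Z", "member@example.com", "login", "source=teams"),
]


def export_unsafe(rows) -> str:
    """Vulnerable form: fields are written verbatim. The csv module quotes the
    HYPERLINK field because it contains a double quote, but a spreadsheet
    unquotes it and still evaluates the leading '='."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    for row in rows:
        w.writerow(row)
    return buf.getvalue()


def csv_safe_field(value: object) -> str:
    """Prefix a tab when the field starts with a formula trigger. The tab forces
    text interpretation in spreadsheets and is easy to strip downstream."""
    s = "" if value is None else str(value)
    return "\t" + s if s.startswith(FORMULA_TRIGGERS) else s


def export_safe(rows) -> str:
    """Hardened form: every field passes through csv_safe_field."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    for row in rows:
        w.writerow([csv_safe_field(v) for v in row])
    return buf.getvalue()


def parse_csv(text: str) -> List[List[str]]:
    """Read an export back the way a SIEM loader would."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    print(export_safe(SAMPLE_ROWS))
```

Only the first character of a field is tested; "source=teams" is untouched because the `=` is not leading, while "-15% discount applied" is prefixed even though it is harmless, since a leading minus is enough for some spreadsheet versions to start evaluating.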
Run AEGIS on customer-controlled infrastructure with explicit choices for networking, identity, model routing, backup, and data boundary policy.
docs/ENTERPRISE_DEPLOYMENT.md → ask us for a copy at [email protected].
AEGIS delivers a deployment package and architecture walkthrough. Your IT team receives the required deployment files and a license key:
| File | Purpose |
|---|---|
| docker-compose.yml | Full stack definition; pulls pre-built images from the AEGIS private registry |
| .env.example | Configuration template; fill in your passwords, AI provider keys, and domain |
| install.sh | One-command installer; validates config and starts the stack |
| AEGIS_LICENSE_KEY | Your signed license key; encodes seat limit, expiry date, and licensed features. Set in .env. |
| Service | Image | Role |
|---|---|---|
| postgres | pgvector/pgvector:pg16 | Primary DB + vector search (768-dim embeddings) |
| litellm | ghcr.io/berriai/litellm:main-latest | AI model router โ customer-approved provider and local model policies |
| app | ghcr.io/bencarkaxhia/aegis-os:latest | AEGIS web application โ pre-built, delivered by AEGIS |
| nginx | nginx:alpine | TLS termination + reverse proxy |
| ollama (optional) | ollama/ollama:latest | Local LLM inference for restricted or air-gapped deployments |
| whatsapp-qr (optional) | ghcr.io/bencarkaxhia/aegis-os-wa:latest | WhatsApp QR microservice |
```bash
# 1. Authenticate with the AEGIS private registry
#    (credentials provided by AEGIS on contract signing). Feed the token on stdin
#    so it does not end up in shell history or process listings;
#    AEGIS_REGISTRY_TOKEN is a placeholder variable name, export it first.
echo "$AEGIS_REGISTRY_TOKEN" | docker login ghcr.io -u <your-registry-user> --password-stdin

# 2. Create your working directory and add the files from AEGIS
mkdir /opt/aegis && cd /opt/aegis
# Copy docker-compose.yml, .env.example, install.sh here

# 3. Configure environment
cp .env.example .env
# Edit .env; required: POSTGRES_PASSWORD, SECRET_KEY, APP_BASE_URL, AEGIS_LICENSE_KEY

# 4. Run the installer
chmod +x install.sh && ./install.sh

# 5. Verify all services are healthy
docker compose ps
```

For local inference (restricted or air-gapped deployments), bring up the optional Ollama profile and pull the models inside the container:

```bash
# Start with Ollama profile (GPU recommended)
docker compose --profile local-llm up -d
# Pull models inside the container
docker exec aegis-ollama ollama pull llama3.3:70b
docker exec aegis-ollama ollama pull nomic-embed-text
```

| Tenants | Concurrent users | Recommended spec |
|---|---|---|
| 1–5 | up to 20 | 4 vCPU / 8 GB RAM / 40 GB SSD |
| 5–20 | up to 100 | 8 vCPU / 16 GB RAM / 100 GB SSD |
| 20+ | >100 | 16 vCPU / 32 GB RAM / 200 GB SSD + managed PostgreSQL |
Run these before a demo or controlled pilot go-live to confirm the configured enterprise controls are working.
```bash
# 1. Service health
curl https://your-aegis-domain.com/health
# Expected: {"status": "ok", ...}

# 2. Teams webhook endpoint active (when TEAMS_ENABLED=true)
curl -I https://your-aegis-domain.com/api/webhooks/teams/inbound
# Expected: 405 Method Not Allowed (curl -I sends HEAD; the endpoint exists but does not accept HEAD/GET)

# 3. SAML metadata reachable
curl https://your-aegis-domain.com/saml/metadata
# Expected: XML with an EntityDescriptor element

# 4. Audit CSV export works
# GET https://your-aegis-domain.com/api/audit/export?format=csv
# Expected: CSV file download (owner session required)

# 5. RBAC blocks member
# Log in with a member account → navigate to /subscription/success
# Expected: 403 Forbidden

# 6. SSO button visible
# Open /login → "Continue with Microsoft" button must be visible

# 7. Teams card in Settings
# Open /settings → Integrations tab → Microsoft Teams card must be present
```
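Checks 1 to 6 are HTTP requests with known expected status codes and body markers, so they can be run as one script and re-run before every pilot review instead of by hand (check 7 is a UI inspection and stays manual). The script below is an added example, not AEGIS tooling; `run_checks`, the `(status, body)` response shape, the fetcher functions and the canned responses in `FAKE_RESPONSES` are constructed so the logic runs offline, and the expected codes and markers are the ones the checklist above states. It takes two fetchers because the RBAC check needs a member session while the others need an owner session.

```python
"""Pilot verification checklist as a script. Added example, not AEGIS tooling;
the fetcher shape and the canned responses are constructed for offline use."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]                   # (status, body)
Fetcher = Callable[[str, str], Response]     # (method, url) -> Response


def urllib_fetcher(session_cookie: str = "") -> Fetcher:
    """Live fetcher: returns the status for 4xx/5xx instead of raising."""
    def fetch(method: str, url: str) -> Response:
        headers = {"Cookie": session_cookie} if session_cookie else {}
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")
    return fetch


def run_checks(base_url: str, fetch_owner: Fetcher, fetch_member: Fetcher,
               teams_enabled: bool = True) -> Dict[str, bool]:
    """Return check name -> passed, mirroring checks 1 to 6 of the list above."""
    results: Dict[str, bool] = {}

    status, body = fetch_owner("GET", base_url + "/health")
    try:
        results["health"] = status == 200 and json.loads(body).get("status") == "ok"
    except ValueError:
        results["health"] = False

    if teams_enabled:
        status, _ = fetch_owner("HEAD", base_url + "/api/webhooks/teams/inbound")
        results["teams_webhook"] = status == 405      # exists, HEAD/GET not allowed

    status, body = fetch_owner("GET", base_url + "/saml/metadata")
    results["saml_metadata"] = status == 200 and "EntityDescriptor" in body

    status, body = fetch_owner("GET", base_url + "/api/audit/export?format=csv")
    results["audit_export_owner"] = status == 200 and body.count("\n") >= 1   # header plus data

    status, _ = fetch_member("GET", base_url + "/subscription/success")
    results["rbac_member_403"] = status == 403

    status, body = fetch_owner("GET", base_url + "/login")
    results["sso_button"] = status == 200 and "Continue with Microsoft" in body
    return results


# Constructed responses standing in for a healthy deployment (not captured output).
FAKE_RESPONSES: Dict[Tuple[str, str, str], Response] = {
    ("owner", "GET", "/health"): (200, '{"status": "ok", "version": "x"}'),
    ("owner", "HEAD", "/api/webhooks/teams/inbound"): (405, ""),
    ("owner", "GET", "/saml/metadata"): (200, '<md:EntityDescriptor entityID="..."/>'),
    ("owner", "GET", "/api/audit/export?format=csv"):
        (200, "timestamp,actor,action\n2026-01-02T00:00:00Z,o@x,login\n"),
    ("member", "GET", "/subscription/success"): (403, "Forbidden"),
    ("owner", "GET", "/login"): (200, "<button>Continue with Microsoft</button>"),
}


def fake_fetcher(role: str, base_url: str, overrides: Optional[Dict] = None) -> Fetcher:
    """Offline fetcher backed by FAKE_RESPONSES; overrides simulate a broken control."""
    table = dict(FAKE_RESPONSES)
    table.update(overrides or {})

    def fetch(method: str, url: str) -> Response:
        return table.get((role, method, url[len(base_url):]), (404, ""))
    return fetch


def demo(overrides: Optional[Dict] = None) -> Dict[str, bool]:
    base = "https://your-aegis-domain.com"
    return run_checks(base, fake_fetcher("owner", base, overrides),
                      fake_fetcher("member", base, overrides))


if __name__ == "__main__":
    print(demo())
    # Live: run_checks(base, urllib_fetcher(owner_cookie), urllib_fetcher(member_cookie))
```

The RBAC check is the one worth watching most closely in this harness: a 200 from `/subscription/success` under a member session means the route-level enforcement is not in effect, regardless of what the UI hides.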