# Enterprise identity, done the boring right way

> SAML SSO and SCIM provisioning on enterprise plans, with WebAuthn passkeys, TOTP two-factor, recovery codes, and hardened session security for every account.

Canonical: https://emailfast.dev/features/identity

## Sign-in your security team won't fight

Email Fast is an SSO and SCIM email platform on its enterprise plans: SAML single
sign-on against your identity provider, and SCIM to provision and deprovision users
automatically from your directory. Passkeys, TOTP, and hardened sessions aren't
gated at all — every account gets them.

## How it works

1. SAML SSO — connect your identity provider; sign-in happens where your directory lives. Available on enterprise plans.
2. SCIM — provisioning and deprovisioning follow your directory, so offboarding removes access here the moment it happens there. Enterprise plans.
3. WebAuthn passkeys — phishing-resistant sign-in, on every account.
4. TOTP with recovery codes — standard authenticator-app two-factor, on every account.

Underneath all of it, sessions are hardened: `__Host-`-prefixed cookies and CSRF
protection.

## The evidence

:::panel What the __Host- prefix buys
Per the cookie-prefixes rules in the current cookie specification (RFC 6265bis), a
browser refuses a `__Host-` cookie unless it is set with `Secure`, from a secure
origin, with no `Domain` attribute, and `Path=/`. The session cookie therefore
structurally cannot be scoped wider than this host or sent over plaintext — an
invariant enforced by the browser itself, not by our configuration staying correct.
:::

## Honest limits

:::tradeoffs Gating and lost-key reality
SAML SSO and SCIM sit on enterprise plans — the same answer the pricing page gives,
because a feature page and a pricing page that disagree are their own kind of
security problem. Recovery codes are shown once; store them like the credential they
are. And SAML setup requires an administrator on your identity provider's side —
that half of the handshake is necessarily yours.
:::

## Where to go next

The wider control set — audit chains, DLP, key custody — lives behind the
[enterprise door](/enterprise). Our disclosure posture is on the
[security page](/security), and the data-handling side is under
[compliance](/features/compliance). Evaluating vendors side by side? Start at the
[comparison hub](/compare).

## Which identity providers work with SSO?

Any SAML identity provider — sign-in happens where your directory already lives, and Email Fast acts as the service provider.

## Which plans include SSO and SCIM?

SAML SSO and SCIM are available on enterprise plans, matching the pricing page . Passkeys, TOTP, recovery codes, and session hardening come with every account on every plan.

## What happens when we deprovision someone?

Removing a user in your directory deprovisions them here through SCIM — offboarding removes access without anyone filing a ticket or remembering a checklist item.

## Passkeys or TOTP — which should we use?

Passkeys where you can: WebAuthn is phishing-resistant, since the credential is bound to the origin. TOTP with recovery codes remains available as the widely-compatible fallback.
