Security

Authentication, encryption, and data protection for your organization.

Single Sign-On (SSO)

Enterprise plans support SSO integration for centralized authentication:

SAML 2.0

Connect StreamSign as a service provider to any SAML 2.0 identity provider:

  • Okta
  • Azure Active Directory / Entra ID
  • OneLogin
  • PingFederate
  • Any SAML 2.0-compliant IdP

OpenID Connect (OIDC)

Connect with any OIDC-compliant identity provider. Provide your issuer URL, client ID, and client secret to enable OIDC authentication.

SSO Setup

  1. Go to Dashboard → Settings → SSO
  2. Choose SAML or OIDC
  3. Enter your identity provider's metadata URL or upload the metadata XML
  4. Map user attributes (email, name, role)
  5. Test the SSO connection
  6. Optionally, enforce SSO-only login (disable password authentication)
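Before uploading identity-provider metadata in step 3, it is worth confirming that the file actually describes an IdP, that it carries a signing certificate (without one, assertions cannot be verified), and that every SSO endpoint is HTTPS. The following inspector is an added example written for this page; it is not StreamSign's code and does not reflect how the dashboard validates uploads. The metadata document, the entity ID and the endpoint URLs are constructed sample values, and the certificate body is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST",
}

# Constructed sample IdP metadata (not from any real identity provider).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Summarise IdP metadata and list anything that should block an upload.

    For metadata fetched from an untrusted URL, parse with defusedxml
    instead of the standard library to rule out entity-expansion tricks.
    """
    root = ET.fromstring(xml_text)
    findings = []

    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("missing entityID on EntityDescriptor")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        findings.append("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
        return {"entity_id": entity_id, "sso_endpoints": {},
                "signing_certs": 0, "findings": findings}

    # A KeyDescriptor without a 'use' attribute may be used for signing.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                           default="", namespaces=NS).strip()
        if cert:
            signing_certs.append(cert)
    if not signing_certs:
        findings.append("no signing certificate: SAML responses could not be verified")

    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = BINDINGS.get(sso.get("Binding"), sso.get("Binding"))
        location = sso.get("Location", "")
        endpoints[binding] = location
        if not location.startswith("https://"):
            findings.append(f"non-HTTPS SSO endpoint for {binding}: {location}")
    if not endpoints:
        findings.append("no SingleSignOnService endpoints")

    return {"entity_id": entity_id, "sso_endpoints": endpoints,
            "signing_certs": len(signing_certs), "findings": findings}


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An empty `findings` list means the file is worth uploading; anything else is a reason to go back to the IdP administrator first. The check stops short of validating the certificate itself (expiry, key size), which needs an X.509 parser such as the `cryptography` package.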

Multi-Factor Authentication (MFA)

Add a second layer of security to user logins. StreamSign supports multiple MFA methods:

Authenticator App (TOTP)

Time-based one-time passwords using Google Authenticator, Authy, Microsoft Authenticator, or any TOTP app.

SMS

Verification codes sent via SMS to a registered phone number.

Email OTP

One-time codes sent to the user's registered email address.

Passkeys (WebAuthn)

Hardware security keys (YubiKey) or biometric authentication (Touch ID, Face ID, Windows Hello).

Admins can enforce MFA for the entire organization from Dashboard → Settings → Security. Users enable MFA from their individual Profile → Security settings.
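The authenticator-app method above is RFC 6238 TOTP: the app and the server share a base32 secret, and each derives a six-digit code from HMAC-SHA1 over the current 30-second time step. The following implementation is an added example written for this page, not StreamSign's verification code; it shows the derivation, the one-step tolerance servers allow for clock drift, and the replay check that refuses a code from a time step that has already been accepted. The secret is the RFC 6238 test key "12345678901234567890" in base32, so the expected codes match the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret "12345678901234567890", base32-encoded as an
# authenticator app would receive it. Not a production secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_counter=None, window: int = 1,
                step: int = 30, digits: int = 6):
    """Check a submitted code the way a server should.

    Accepts codes from the current step and `window` steps either side
    (clock drift), compares in constant time, and refuses any step at or
    before `last_counter`, the step of the last code this user had
    accepted, so a captured code cannot be replayed inside the window.
    Returns (accepted, counter_to_store).
    """
    key = base64.b32decode(secret_b32.upper())
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_SECRET_B32, 59))
    print("accepted 30 s later:", verify_totp(SAMPLE_SECRET_B32, "287082", 89))
    print("replayed after acceptance:", verify_totp(SAMPLE_SECRET_B32, "287082", 59, last_counter=1))
```

Store the counter returned on success alongside the user's MFA record and pass it back as `last_counter` on the next attempt; without that, the drift window doubles as a replay window. Rate limiting on failed attempts is the other control a six-digit code depends on, and is outside this snippet.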

Encryption

  • In Transit: All data is encrypted with TLS 1.2+ (HTTPS). Player-to-server communication uses secure WebSocket connections.
  • At Rest: Content stored in AWS S3 is encrypted with AES-256 server-side encryption. Database records are encrypted at rest.
  • Passwords: Passwords are hashed using bcrypt with per-user salts. Passwords are never stored in plaintext.

Data Isolation

Each organization's data is strictly isolated. Users can only access content, players, and settings belonging to their organization. API access is scoped by organization. Cross-organization data access is not possible, even for Super Admins.

Session Management

  • Sessions use secure, HTTP-only cookies with SameSite protection
  • Session tokens expire after a configurable inactivity timeout
  • Active sessions can be viewed and revoked from Profile → Security
  • Concurrent session limits can be enforced per organization
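The first bullet names the three cookie attributes that keep a session token off plaintext connections, away from page scripts, and out of cross-site requests. The auditor below is an added example written for this page, not StreamSign's code; it parses a Set-Cookie header value and reports which of those protections is missing, with a weak cookie and a hardened one as constructed inputs. The `__Host-` prefix rule it applies is the browser behaviour defined in the cookie-prefix specification, not a StreamSign setting.

```python
def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(header: str) -> list:
    """Return a list of findings; an empty list means the cookie is set safely."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []

    if "secure" not in attrs:
        findings.append("missing Secure: the browser may send the cookie over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read the session token")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict: the cookie rides along on cross-site requests")

    if name.startswith("__Host-"):
        # Browsers reject a __Host- cookie unless it is Secure, Path=/ and has no Domain,
        # which also pins it to the exact origin that set it.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    elif "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: the cookie is shared with every subdomain")

    return findings


# Constructed sample headers for illustration.
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for label, cookie in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, "->", audit_session_cookie(cookie) or "no findings")
```

Run it against the real Set-Cookie header captured from a login response (browser developer tools or `curl -i`) to confirm the flags the page describes are present in your deployment. It does not judge the token value itself or the inactivity timeout, which are server-side properties.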

Responsible Disclosure

If you discover a security vulnerability in StreamSign, please report it responsibly by emailing security@aqili.ai. We take all reports seriously and will respond within 24 hours.