Two requests came up again and again from teams running LynxTrac at any real size. The first was “let us log in through our own identity provider.” The second was some version of “we already see the servers, can we see what is happening on them from a security angle.” Both are now live in production.
Single sign-on, on your terms
You can connect LynxTrac to your identity provider over SAML 2.0 or OpenID Connect. Pick whichever your IdP speaks. On the SAML side we send signed AuthnRequests and validate the assertion that comes back; on the OIDC side the flow uses PKCE and validates state and nonce on every callback. If you run more than one email domain, you can route each one to the right provider so people land on the correct login without thinking about it.
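The checks named above for the OIDC side (PKCE, state, nonce) look like this in a minimal form. This is an added example, not LynxTrac's code: the function names and the session dictionary are hypothetical, and the ID token claims are assumed to come from a token whose signature, issuer and audience were already verified by a JWT library.

```python
import base64, hashlib, hmac, secrets

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256_challenge(verifier):
    # RFC 7636 S256 method: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def same(a, b):
    # Constant-time compare on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def begin_login():
    """Client: create per-login secrets and the authorization request parameters."""
    session = {k: b64url(secrets.token_bytes(32))
               for k in ("state", "nonce", "code_verifier")}
    params = {"response_type": "code",
              "state": session["state"],
              "nonce": session["nonce"],
              "code_challenge": s256_challenge(session["code_verifier"]),
              "code_challenge_method": "S256"}
    return session, params  # the verifier stays server-side; only its hash is sent

def check_callback(session, returned_state):
    """Client: accept the callback only if state matches; values are single use."""
    expected = session.pop("state", None)
    if expected is None or not same(expected, returned_state):
        raise ValueError("state mismatch: callback not tied to this login")
    return session.pop("code_verifier")  # sent with the code to the token endpoint

def check_nonce(session, id_token_claims):
    """Client: the ID token must echo the nonce from this login's request."""
    expected = session.pop("nonce", None)
    if expected is None or not same(expected, id_token_claims.get("nonce", "")):
        raise ValueError("nonce mismatch: ID token not issued for this login")

def idp_accepts(stored_challenge, presented_verifier):
    """IdP token endpoint: the verifier must hash to the challenge seen earlier."""
    return same(stored_challenge, s256_challenge(presented_verifier))
```

Because each value is popped from the session when checked, a replayed callback fails even if the original state value is presented again.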
Accounts are the part that usually turns into busywork, so there are two ways to keep them in sync. Just-in-time provisioning creates an account on first login. SCIM 2.0 lets your directory create, update, and deactivate users directly, which means an offboarding in your IdP removes access here with no manual step on our end. You map the claims your provider sends to the fields we expect, per provider, and that is the setup.
Multi-factor still applies on top: TOTP codes or WebAuthn and FIDO2 security keys, with recovery codes for the day someone loses a phone. SSO and SCIM are part of the Enterprise plan. The full breakdown is on the single sign-on page.
Security monitoring, on the same agent
The bigger addition is a security suite powered by Wazuh, running on the agent you already deployed for monitoring. There is no second agent to install or babysit. Once a host is enrolled, you get:
- Threat detection with alerts streaming from the indexer, filterable by severity, with timelines and CSV export.
- Vulnerability detection that matches each host’s installed packages against known CVEs, with a CVSS-score distribution and the packages worth patching first.
- File integrity monitoring that records file changes as added, modified, or deleted, and tracks the Windows registry too, with on-demand scans when you want a fresh baseline.
- Configuration assessment against CIS benchmarks, reported as a per-policy pass/fail score.
- MITRE ATT&CK mapping so alerts roll up into the tactics and techniques showing across your fleet, not a flat event list.
- System inventory covering hardware, OS, packages, ports, processes, services, and Windows hotfixes.
The part we care about most is how this fits the multi-tenant model. Agents are grouped by customer, and every security query is scoped to the requesting account, so one customer never sees another’s machines or alerts. Remediation actions are limited to admin roles and written to the immutable audit trail with the operator, host, and timestamp. High-severity alerts are forwarded into that same audit trail every minute, so a critical event is recorded even when nobody is looking at the dashboard.
Security monitoring is available on the Business plan and up. The security overview walks through each capability.
Why bundle it this way
Plenty of teams already run a SIEM and an identity stack, and if yours is working, keep it. What we kept hearing was from teams who wanted one less integration to own: the same console that shows a server’s CPU and lets them open a shell now also shows that server’s vulnerabilities and file changes, under the same access rules and the same audit log. That consolidation is the whole point of LynxTrac, and these two modules extend it past operations into access and security.
More on how this works in practice: the features overview, the security suite, or email [email protected] with questions about your identity provider.