What is Shyntr?
Shyntr is a Zero Trust Identity Broker that bridges identity protocols without forcing you to replace your existing IAM, directory, or custom authentication system.
It handles protocol translation, token issuance, tenant isolation, and security controls, while the login and consent UI stays outside the core broker.
Shyntr does not act as a generic user directory. It sits between clients and identity sources so you can connect SAML, OpenID Connect, LDAP, and custom login systems through one control plane.
Core Capabilities
The Authentication Hub
Shyntr centralizes the identity traffic for your tenants and applications. It brokers authentication requests, tracks login and consent challenges, and returns the correct protocol response for the downstream client.
Protocol Translation
Shyntr bridges SAML and OpenID Connect / OAuth2, but only across the routed combinations the current codebase implements.
Supported combinations include:
- SAML client -> OIDC provider
- OIDC client -> SAML provider
- SAML client -> SAML provider
- OIDC client -> LDAP directory
- SAML client -> LDAP directory
- OIDC client -> custom / local user system
- SAML client -> custom / local user system
This is not a generalized "any-to-any" routing engine. The supported paths depend on the client type, the configured upstream connection, and the flow handlers implemented in Shyntr.
Headless Identity Control
Shyntr keeps login, consent, and logout UI outside the broker. Your UI handles the user interaction; Shyntr handles challenge generation, protocol state, security checks, and token issuance.
Network-Level Security
Shyntr enforces boundaries on the outbound requests it makes on your behalf, such as:
- OIDC discovery
- JWKS retrieval
- SAML metadata retrieval
- Webhook delivery
Outbound requests are evaluated against policy before they are sent. Because these destinations are taken from configuration (an issuer URL, a metadata URL, a webhook endpoint), checking them up front reduces the risk of SSRF against internal services and of other unintended network access.
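To make the policy check concrete, here is an added example of an outbound guard written for this page; it is not Shyntr's code, and `OutboundPolicy`, `CheckOutboundURL`, `PinnedClient` and the resolver table are assumptions made for the illustration. It shows the two halves a practitioner expects: every resolved address is checked against blocked ranges before a connection is opened, and the connection is then pinned to those addresses so a DNS answer cannot change between the check and the connect.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// OutboundPolicy is a hypothetical policy object for this example, not a Shyntr
// type. It gates every URL the broker fetches: discovery, JWKS, metadata, webhooks.
type OutboundPolicy struct {
	AllowedSchemes map[string]bool
	// Resolve is injected so the example runs offline (production: net.DefaultResolver).
	Resolve func(ctx context.Context, host string) ([]net.IP, error)
}

// CGNAT space is not flagged by any of the stdlib predicates used below.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// IsBlockedIP reports whether an address must never be contacted: loopback, RFC 1918
// and ULA space, link-local (covers metadata services such as 169.254.169.254),
// multicast, unspecified and CGNAT.
func IsBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() ||
		cgnat.Contains(ip)
}

// CheckOutboundURL evaluates a destination before any connection is opened and
// returns the validated addresses so the caller can pin the connection to them.
func (p *OutboundPolicy) CheckOutboundURL(ctx context.Context, raw string) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("outbound: invalid url: %w", err)
	}
	if !p.AllowedSchemes[u.Scheme] {
		return nil, fmt.Errorf("outbound: scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: no lookup, check it directly
	} else if ips, err = p.Resolve(ctx, host); err != nil {
		return nil, fmt.Errorf("outbound: resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("outbound: host %q has no addresses", host)
	}
	// Every answer must pass: one public and one private record for the same name
	// would otherwise let the dialer pick the private one.
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return nil, fmt.Errorf("outbound: %s resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

// PinnedClient dials only the addresses validated above, so a DNS answer that
// changes between check and connect (rebinding) cannot steer the request to an
// internal host; TLS verification still uses the hostname from the URL.
// Redirects are refused: a redirect target is a destination the policy never saw.
func PinnedClient(ips []net.IP) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		_, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		err = errors.New("outbound: no pinned addresses")
		for _, ip := range ips {
			var c net.Conn
			if c, err = dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port)); err == nil {
				return c, nil
			}
		}
		return nil, err
	}
	return &http.Client{
		Transport: &http.Transport{DialContext: dial},
		Timeout:   10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("outbound: redirects are not followed")
		},
	}
}

// ExamplePolicy wires the policy to a constructed, offline resolver table;
// 203.0.113.0/24 is documentation space standing in for a public IdP.
func ExamplePolicy() *OutboundPolicy {
	table := map[string][]net.IP{
		"idp.example.com":    {net.ParseIP("203.0.113.10")},
		"idp.internal.corp":  {net.ParseIP("10.20.30.40")},
		"rebind.example.com": {net.ParseIP("203.0.113.11"), net.ParseIP("127.0.0.1")},
	}
	return &OutboundPolicy{
		AllowedSchemes: map[string]bool{"https": true},
		Resolve:        func(_ context.Context, host string) ([]net.IP, error) { return table[host], nil },
	}
}
```

The example refuses HTTP redirects outright; a broker that must follow them should re-run the policy on each redirect target rather than letting the HTTP client follow it. The constructed `rebind.example.com` entry, which resolves to one public and one loopback address, is rejected because one bad answer is enough.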
The Shyntr Ecosystem
Shyntr is headless by design. The backend focuses on cryptographic protocols, routing, token issuance, and security boundaries. UI stays in separate companion apps.
The current ecosystem includes:
| Component | Description | Repository |
|---|---|---|
| Shyntr Identity Hub | Go backend for protocol brokering, token issuance, tenant isolation, and admin/control-plane APIs | shyntr/shyntr |
| Shyntr Auth Portal | User-facing app for login, consent, and logout challenge flows | shyntr/shyntr-auth-portal |
| Shyntr Dashboard | Admin UI for tenants, clients, OIDC connections, SAML connections, scopes, and related management workflows | shyntr/shyntr-dashboard |
You can use the provided Auth Portal and Dashboard, or replace them with your own applications. Shyntr exposes the underlying management and headless flow APIs separately from the UI layer.
Core Scenarios
1. SAML Client to OIDC Provider
You have an existing OpenID Connect provider, but an enterprise customer needs SAML.
Shyntr accepts the SAML request, completes the upstream OIDC flow, maps the identity result, and returns a SAML response to the client.
2. OIDC Client to SAML Provider
You operate modern OIDC applications, but the upstream enterprise identity source is SAML.
Shyntr translates the OIDC authorization flow into the required SAML exchange, validates the upstream assertion, and issues OIDC tokens for the client.
3. LDAP or Custom User System
You want to keep your own directory or application user store, but still expose standard authentication protocols.
Shyntr can use LDAP as an identity source and can also continue headless flows from your own login backend through the Admin API challenge endpoints.
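The headless challenge model described under Headless Identity Control, and the custom-login path in scenario 3, come down to a small amount of state the broker must guard carefully. The following is an added example written for this page, not Shyntr's implementation; `Broker`, `LoginChallenge`, `Continuation`, `CreateLoginChallenge`, `AcceptLoginChallenge` and the error names are hypothetical. It shows the checks that make a challenge safe to hand to an external UI: the redirect_uri is validated by exact match before the challenge exists, the challenge ID is unguessable, it is bound to a tenant and client, it expires, and it can be accepted only once.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/url"
	"sync"
	"time"
)

// Client is a registered relying party. RedirectURIs is an exact-match allowlist.
type Client struct {
	ID, TenantID string
	RedirectURIs []string
}

// LoginChallenge parks one pending authorization request while the UI
// authenticates the user. It holds protocol state only, never credentials.
type LoginChallenge struct {
	ID, TenantID, ClientID, RedirectURI, State string
	ExpiresAt                                 time.Time
	Used                                      bool
}

// Continuation is what the broker hands back once a challenge is accepted.
type Continuation struct {
	RedirectTo, Code, Subject, ClientID string
}

var (
	ErrUnknownClient    = errors.New("unknown client")
	ErrBadRedirect      = errors.New("redirect_uri is not registered for this client")
	ErrUnknownChallenge = errors.New("unknown login challenge")
	ErrChallengeExpired = errors.New("login challenge expired")
	ErrChallengeUsed    = errors.New("login challenge already consumed")
	ErrNoSubject        = errors.New("accepted challenge must name a subject")
)

// Broker is a hypothetical in-memory stand-in for the broker core, not Shyntr's type.
type Broker struct {
	mu         sync.Mutex
	clients    map[string]Client
	challenges map[string]*LoginChallenge
	codes      map[string]Continuation // authorization codes awaiting redemption
	portalURL  string
	ttl        time.Duration
	now        func() time.Time // injected clock so expiry is testable
}

func NewBroker(portalURL string, ttl time.Duration, now func() time.Time) *Broker {
	return &Broker{clients: map[string]Client{}, challenges: map[string]*LoginChallenge{},
		codes: map[string]Continuation{}, portalURL: portalURL, ttl: ttl, now: now}
}

func (b *Broker) RegisterClient(c Client) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.clients[c.ID] = c
}

// randomID returns 256 bits from the CSPRNG: holding a challenge or code ID is
// the only proof of ownership, so it must be unguessable.
func randomID() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(buf)
}

// CreateLoginChallenge is the broker side of an incoming authorization request:
// validate the client and redirect_uri before anything else (a bad redirect must
// never reach the UI), park the request under a random challenge ID, and return
// the portal URL the browser is sent to.
func (b *Broker) CreateLoginChallenge(clientID, redirectURI, state string) (id, portal string, err error) {
	b.mu.Lock()
	defer b.mu.Unlock()
	c, ok := b.clients[clientID]
	if !ok {
		return "", "", ErrUnknownClient
	}
	allowed := false
	for _, r := range c.RedirectURIs {
		allowed = allowed || r == redirectURI // exact string match, no prefixes or wildcards
	}
	if !allowed {
		return "", "", ErrBadRedirect
	}
	ch := &LoginChallenge{ID: randomID(), TenantID: c.TenantID, ClientID: c.ID,
		RedirectURI: redirectURI, State: state, ExpiresAt: b.now().Add(b.ttl)}
	b.challenges[ch.ID] = ch
	return ch.ID, b.portalURL + "?" + url.Values{"login_challenge": {ch.ID}}.Encode(), nil
}

// AcceptLoginChallenge is what the Auth Portal or a custom login backend calls
// once it has authenticated the user. tenantID is the tenant the caller's admin
// credential is scoped to; a challenge from another tenant is reported as
// unknown, so a leaked ID neither completes the login nor reveals it exists.
func (b *Broker) AcceptLoginChallenge(tenantID, challengeID, subject string) (Continuation, error) {
	b.mu.Lock()
	defer b.mu.Unlock()
	ch, ok := b.challenges[challengeID]
	switch {
	case !ok || ch.TenantID != tenantID:
		return Continuation{}, ErrUnknownChallenge
	case ch.Used:
		return Continuation{}, ErrChallengeUsed
	case b.now().After(ch.ExpiresAt):
		return Continuation{}, ErrChallengeExpired
	case subject == "":
		return Continuation{}, ErrNoSubject
	}
	ch.Used = true // single use: a replayed accept must fail
	cont := Continuation{Code: randomID(), Subject: subject, ClientID: ch.ClientID}
	cont.RedirectTo = ch.RedirectURI + "?" + url.Values{"code": {cont.Code}, "state": {ch.State}}.Encode()
	b.codes[cont.Code] = cont // the token endpoint later redeems this, bound to the client
	return cont, nil
}
```

A caller presenting a challenge ID from another tenant gets the same `ErrUnknownChallenge` as for a random ID, so tenant boundaries cannot be probed through the accept endpoint. The authorization code that comes out is stored against the client so that a token endpoint can refuse redemption by a different client; the client's own `state` is echoed back untouched so it can complete its CSRF check.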
Supported Routing Model
Shyntr routes only across the combinations it implements, selected by the configured client and upstream connection. In practice, that means:
- client protocol still matters
- tenant boundaries still matter
- configured upstream connection type still matters
- flow support is explicit, not open-ended
That is why this documentation describes supported combinations directly instead of presenting Shyntr as a generic policy rules engine for arbitrary identity routing.
Why Choose Shyntr?
| Feature | Benefit |
|---|---|
| Headless Architecture | Keep full control over login, consent, and logout UX |
| Protocol Translation | Bridge SAML and OIDC without rewriting every application |
| LDAP and Custom Sources | Keep existing directories and custom auth backends in place |
| Multi-Tenant Native | Isolate tenants, clients, connections, and flows cleanly |
| Zero Trust Controls | Enforce strict redirect, protocol, and outbound security boundaries |
| Open Source | Apache-2.0 licensed |
Quick Start
Get the Shyntr stack running locally with Docker Compose:
```bash
# Create docker-compose.yml (see Docker Compose guide)
# Then start the services
docker-compose up -d

# Example local endpoints
# - Dashboard: http://localhost:3274
# - Auth Portal: http://localhost:3000
# - OIDC Discovery: http://localhost:7496/.well-known/openid-configuration
```
- Follow the Docker Compose Guide
- Read Architecture for the headless model and admin boundary
- Explore Protocol Translation for the supported SAML and OIDC flows
License
Shyntr is licensed under the Apache-2.0 license. See the LICENSE file for details.