Enterprise

Single sign-on, compliance exports, and the quiet confidence that comes with proper governance.

I have prepared Gold Lapel's enterprise capabilities with the same attention given to every other feature: they are configured through the same TOML file, the same CLI flags, and the same environment variables you already know. No separate control plane. No additional services. The enterprise features are part of Gold Lapel itself, activated by an enterprise license.

OIDC authentication

Gold Lapel's dashboard supports OpenID Connect for single sign-on. Once configured, accessing the dashboard redirects to your identity provider, and only authenticated users see the dashboard and its API. This applies to any browser session reaching the dashboard from outside localhost.

Localhost access remains unauthenticated. If you are sitting at the machine running Gold Lapel and open http://127.0.0.1:7933, you are in. SSO is not needed when you are already at the front door.

Supported providers

Any OIDC-compliant identity provider will work. I have confirmed the following specifically: Okta, Azure AD (Entra ID), and Google Workspace. If your provider publishes a .well-known/openid-configuration endpoint, Gold Lapel will discover the rest automatically.

Configuration

Four settings are required. Provide them through whichever method suits your deployment:

CLI flag | Environment variable | TOML key | Purpose
--oidc-issuer | GOLDLAPEL_OIDC_ISSUER | [oidc] issuer | Your IdP's issuer URL
--oidc-client-id | GOLDLAPEL_OIDC_CLIENT_ID | [oidc] client_id | OAuth client ID
--oidc-client-secret | GOLDLAPEL_OIDC_CLIENT_SECRET | [oidc] client_secret | OAuth client secret
--oidc-redirect-uri | GOLDLAPEL_OIDC_REDIRECT_URI | [oidc] redirect_uri | Callback URL (your dashboard URL + /auth/oidc/callback)

TOML:

# goldlapel.toml
[oidc]
issuer = "https://your-tenant.okta.com"
client_id = "0oabc123..."
client_secret = "secret..."
redirect_uri = "http://localhost:7933/auth/oidc/callback"

CLI flags:

goldlapel \
  --upstream postgresql://user:pass@localhost:5432/mydb \
  --oidc-issuer "https://your-tenant.okta.com" \
  --oidc-client-id "0oabc123..." \
  --oidc-client-secret "secret..." \
  --oidc-redirect-uri "http://localhost:7933/auth/oidc/callback"

Environment variables:

GOLDLAPEL_OIDC_ISSUER=https://your-tenant.okta.com
GOLDLAPEL_OIDC_CLIENT_ID=0oabc123...
GOLDLAPEL_OIDC_CLIENT_SECRET=secret...
GOLDLAPEL_OIDC_REDIRECT_URI=http://localhost:7933/auth/oidc/callback

The redirect URI must match exactly what you have registered with your identity provider. For a dashboard accessible at https://gl.internal.yourcompany.com:7933, the redirect URI would be https://gl.internal.yourcompany.com:7933/auth/oidc/callback.

SAML 2.0 authentication

For organizations that use SAML 2.0 rather than OIDC, Gold Lapel acts as a SAML Service Provider. The flow is the same as OIDC from the user's perspective: accessing the dashboard redirects to your identity provider, and authenticated users are granted access.

As with OIDC, localhost access remains unauthenticated.

Configuration

Three settings are required:

CLI flag | Environment variable | TOML key | Purpose
--saml-idp-metadata-url | GOLDLAPEL_SAML_IDP_METADATA_URL | [saml] idp_metadata_url | Your IdP's SAML metadata URL
--saml-sp-entity-id | GOLDLAPEL_SAML_SP_ENTITY_ID | [saml] sp_entity_id | Service Provider entity ID (your choice of identifier)
--saml-acs-url | GOLDLAPEL_SAML_ACS_URL | [saml] acs_url | Assertion Consumer Service URL (your dashboard URL + /auth/saml/acs)

TOML:

# goldlapel.toml
[saml]
idp_metadata_url = "https://your-tenant.okta.com/app/abc123/sso/saml/metadata"
sp_entity_id = "goldlapel-dashboard"
acs_url = "http://localhost:7933/auth/saml/acs"

CLI flags:

goldlapel \
  --upstream postgresql://user:pass@localhost:5432/mydb \
  --saml-idp-metadata-url "https://your-tenant.okta.com/app/abc123/sso/saml/metadata" \
  --saml-sp-entity-id "goldlapel-dashboard" \
  --saml-acs-url "http://localhost:7933/auth/saml/acs"

Environment variables:

GOLDLAPEL_SAML_IDP_METADATA_URL=https://your-tenant.okta.com/app/abc123/sso/saml/metadata
GOLDLAPEL_SAML_SP_ENTITY_ID=goldlapel-dashboard
GOLDLAPEL_SAML_ACS_URL=http://localhost:7933/auth/saml/acs
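Both the OIDC redirect_uri and the SAML acs_url follow the same rule: the dashboard's external URL plus a fixed path, matched byte-for-byte by the identity provider. The following Python helper, added here as an example and not part of Gold Lapel itself, derives those URLs from a dashboard address and explains why a configured value and the one registered at the IdP differ (a trailing slash, http versus https, a missing port); the set of hosts it treats as "localhost" is my assumption, based on the 127.0.0.1 example above.

```python
from urllib.parse import urlsplit

# Callback paths Gold Lapel documents for its dashboard: OIDC redirect_uri and SAML acs_url.
CALLBACK_PATHS = {"oidc": "/auth/oidc/callback", "saml": "/auth/saml/acs"}
# Assumed set of hosts counted as "localhost", where the docs accept plain http.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def expected_callback(dashboard_url: str, protocol: str) -> str:
    """Derive the callback URL: the dashboard's scheme and host[:port] verbatim, plus the
    documented path. Nothing is normalised, because the IdP compares the string exactly."""
    parts = urlsplit(dashboard_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"dashboard URL must look like https://host[:port]: {dashboard_url!r}")
    return f"{parts.scheme}://{parts.netloc}{CALLBACK_PATHS[protocol]}"


def check_callback(configured: str, registered: str, protocol: str) -> list[str]:
    """Compare the callback URL Gold Lapel is configured with against the one registered at
    the IdP. Returns findings; an empty list means the IdP will accept the callback."""
    findings = []
    conf, reg = urlsplit(configured), urlsplit(registered)
    if configured != registered:
        # Spell out which component differs; IdPs reject on any byte-level difference.
        if conf.scheme != reg.scheme:
            findings.append(f"scheme differs: {conf.scheme} vs {reg.scheme}")
        if conf.netloc != reg.netloc:
            findings.append(f"host/port differs: {conf.netloc} vs {reg.netloc}")
        if conf.path != reg.path:
            findings.append(f"path differs: {conf.path!r} vs {reg.path!r} (trailing slash?)")
        if (conf.query, conf.fragment) != (reg.query, reg.fragment):
            findings.append("query string or fragment differs")
        if not findings:
            findings.append("strings differ only in letter case or an empty ?/# marker")
    if conf.path != CALLBACK_PATHS[protocol]:
        findings.append(f"path is not the documented {protocol} callback {CALLBACK_PATHS[protocol]}")
    if conf.scheme == "http" and conf.hostname not in LOCAL_HOSTS:
        findings.append("plain http callback on a non-local host: the login response crosses the network unencrypted")
    return findings


if __name__ == "__main__":
    dashboard = "https://gl.internal.yourcompany.com:7933"   # the docs' example address
    want = expected_callback(dashboard, "oidc")
    for finding in check_callback(want, want + "/", "oidc"):
        print("redirect_uri:", finding)
```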

SP metadata for your IdP

Your IdP administrator will need Gold Lapel's Service Provider metadata. Gold Lapel publishes it at a standard endpoint:

Retrieve SP metadata:

# Retrieve SP metadata to provide to your IdP administrator
curl http://localhost:7933/auth/saml/metadata

Provide the URL http://localhost:7933/auth/saml/metadata (or your external dashboard address) to your IdP admin. The metadata includes the entity ID, ACS URL, and signing certificate that the IdP needs to complete the trust relationship.

Compliance audit exports

Gold Lapel records an audit trail of every optimization it performs: materialized views created, indexes built, queries rewritten, and configurations changed. The compliance export endpoint makes this trail available in JSON or CSV format for your compliance, security, or operations teams.

Export formats

Two formats are available, selected with the format query parameter:

JSON export:

curl -H "X-GL-Dashboard: 1" \
  "http://localhost:7933/api/audit/export?format=json"

CSV export:

curl -H "X-GL-Dashboard: 1" \
  "http://localhost:7933/api/audit/export?format=csv"

Filtering

For targeted exports, filter by date range and event type:

Filtered export:

curl -H "X-GL-Dashboard: 1" \
  "http://localhost:7933/api/audit/export?format=json&from=2026-01-01&to=2026-04-01&type=matview,index"

Parameter | Description | Example
format | Export format | json or csv
from | Start date (inclusive) | 2026-01-01
to | End date (inclusive) | 2026-04-01
type | Comma-separated event types | matview,index

The X-GL-Dashboard: 1 header authenticates the request through the dashboard's API. If SSO is configured, authenticated browser sessions can also access the endpoint directly at /api/audit/export.
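A scripted compliance job typically exports the previous calendar month using the filters above. This Python helper, added here as an example rather than Gold Lapel's own tooling, computes that inclusive from/to window, builds and validates the export URL, and sends the X-GL-Dashboard header; the dashboard address and output filename in the main block are assumptions.

```python
import urllib.request
from datetime import date, timedelta
from urllib.parse import urlencode

EXPORT_PATH = "/api/audit/export"
# The header the docs give for authenticating scripted requests through the dashboard API.
DASHBOARD_HEADERS = {"X-GL-Dashboard": "1"}


def previous_month(today_iso: str) -> tuple[str, str]:
    """First and last day of the month before today_iso (YYYY-MM-DD), both inclusive,
    ready to use as the from/to parameters."""
    last_day = date.fromisoformat(today_iso).replace(day=1) - timedelta(days=1)
    return last_day.replace(day=1).isoformat(), last_day.isoformat()


def export_url(dashboard_url: str, fmt: str, start: str, end: str, types: tuple[str, ...] = ()) -> str:
    """Build the export URL, refusing values the endpoint would reject."""
    if fmt not in ("json", "csv"):
        raise ValueError("format must be 'json' or 'csv'")
    first, last = date.fromisoformat(start), date.fromisoformat(end)  # rejects malformed dates
    if first > last:
        raise ValueError(f"from ({start}) is after to ({end})")
    if any(not t or "," in t for t in types):
        raise ValueError("event types must be non-empty and contain no commas")
    params = {"format": fmt, "from": first.isoformat(), "to": last.isoformat()}
    if types:
        params["type"] = ",".join(types)   # the endpoint takes one comma-separated list
    return dashboard_url.rstrip("/") + EXPORT_PATH + "?" + urlencode(params, safe=",")


def fetch_export(url: str, timeout: float = 30.0) -> bytes:
    """Download one export; the header is what authenticates the request."""
    req = urllib.request.Request(url, headers=DASHBOARD_HEADERS)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    start, end = previous_month(date.today().isoformat())
    url = export_url("http://localhost:7933", "csv", start, end, ("matview", "index"))  # assumed address
    out = f"goldlapel-audit-{start[:7]}.csv"   # e.g. goldlapel-audit-2026-03.csv
    with open(out, "wb") as fh:
        fh.write(fetch_export(url))
    print(f"wrote {out} from {url}")
```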

Enterprise licensing

The features on this page require an enterprise license. Gold Lapel's license payload includes an enterprise: true field that activates OIDC, SAML, and compliance exports. Without it, Gold Lapel continues to operate with all of its core capabilities — materialized views, indexes, caching, connection pooling, the dashboard, monitoring — everything described in the rest of these docs.

Enterprise licensing is handled through a concierge process rather than a self-serve checkout. I find that enterprise deployments benefit from a brief conversation about your environment, team size, and the identity provider you intend to use. This ensures the license is configured correctly and that I can assist with any IdP-specific nuances during setup.

To begin the conversation: thebutler@goldlapel.com. I will prepare a custom invoice through Stripe, and your enterprise license will be delivered upon payment — the same secure delivery mechanism used for all Gold Lapel licenses.