Overview
Trousseau is the centralized Identity Provider for the KeySuite ecosystem. Integrate SSO into your application with standard OIDC.
What is Trousseau?
Trousseau is a centralized authentication service built for the KeySuite ecosystem. It provides a single, secure Identity Provider (IdP) that any partner application can integrate with using standard OpenID Connect (OIDC).
Your users authenticate once with Trousseau and gain access to all connected applications — no need to manage passwords, MFA, or user accounts in your own system.
Architecture
```
     ┌───────────────────────────┐
     │         TROUSSEAU         │
     │  Identity Provider (IdP)  │
     │                           │
     │  Users & Credentials      │
     │  OIDC / OAuth2            │
     │  MFA (optional)           │
     │  Password Management      │
     └─────────────┬─────────────┘
                   │
      ┌────────────┼────────────┐
      │            │            │
      ▼            ▼            ▼
┌───────────┐ ┌──────────┐ ┌──────────┐
│ KeySuite  │ │   Your   │ │  Other   │
│    App    │ │   App    │ │   Apps   │
│           │ │          │ │          │
│   OIDC    │ │   OIDC   │ │   OIDC   │
│  Client   │ │  Client  │ │  Client  │
└───────────┘ └──────────┘ └──────────┘
```
What you get
| Capability | Description |
|---|---|
| Single Sign-On | Users log in once and access all connected applications seamlessly |
| No credential management | Trousseau handles passwords, recovery flows, and account security |
| MFA included | Optional multi-factor authentication (TOTP, WebAuthn, recovery codes) at no extra effort |
| User provisioning API | Create and manage users programmatically via REST API |
| Organization context | Know which organization a user belongs to (B2B scenarios) |
| European hosting | Hosted in France (Scaleway), GDPR-compliant infrastructure |
| Standards-based | Pure OIDC/OAuth2 — works with any OIDC client library |
Separation of responsibilities
Trousseau handles authentication. Your application handles business logic.
| Responsibility | Trousseau | Your application |
|---|---|---|
| User identities | Stores email, name, avatar | References users by the `sub` claim (stable user ID); email and name are display data, not identifiers |
| Passwords | Hashed and secured | Never stored or transmitted |
| MFA | TOTP, WebAuthn, recovery codes | Nothing to implement |
| Sessions | OIDC tokens (short-lived) | Your own application sessions |
| Organizations | Shared across ecosystem | Your business logic on top |
| Roles & permissions | Platform-level only | Your application's RBAC |
Integration tiers
Trousseau offers three levels of integration, depending on your needs:
| Tier | Scope | What you get |
|---|---|---|
| Tier 1 — Standard OIDC | `openid email profile` | User identity (name, email, avatar). Works out of the box with any OIDC library. |
| Tier 2 — Trousseau Context | `trousseau:context` | Ecosystem-wide user ID and locale preference. For cross-app user correlation. |
| Tier 3 — Organization | `trousseau:organization` | Organization memberships (id, name, role). For B2B partners needing org context. |
Most partners start with Tier 1 and add scopes as needed.
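The responsibility split and the tier table above, as an added Python example that is not Trousseau's or KeySuite's own code: it builds the scope string for a given tier, runs the claim checks a relying party must perform once its OIDC library has verified the ID token signature, and keys the application's own user records on `sub` so that a changed email address does not create a second account and a reused email address does not merge two people. The issuer URL, client ID and claim values are constructed placeholders, not real Trousseau values.

```python
"""Added example, not Trousseau's own code: consume ID-token claims the way the
responsibility table prescribes. Your app keys users on `sub`, treats email and
name as display data, and keeps its own session on top of the OIDC tokens."""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Scopes per integration tier, as listed in the tier table. Higher tiers add
# the Trousseau-specific scopes on top of the standard OIDC ones.
TIER_SCOPES: Dict[int, List[str]] = {
    1: ["openid", "email", "profile"],
    2: ["openid", "email", "profile", "trousseau:context"],
    3: ["openid", "email", "profile", "trousseau:context", "trousseau:organization"],
}


def scope_for_tier(tier: int) -> str:
    """Space-separated scope string for the authorization request."""
    return " ".join(TIER_SCOPES[tier])


class TokenRejected(Exception):
    pass


def check_id_token_claims(claims: dict, *, issuer: str, client_id: str,
                          expected_nonce: str, now: Optional[float] = None,
                          leeway: int = 60) -> dict:
    """Claim checks every OIDC relying party runs after its client library has
    verified the ID token signature against the IdP's JWKS. Signature
    verification itself is left to that library."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise TokenRejected("token not issued for this client")
    # With several audiences, azp must name this client (OIDC Core 3.1.3.7).
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise TokenRejected("azp mismatch")
    if float(claims.get("exp", 0)) + leeway < now:
        raise TokenRejected("token expired")
    # Binds the token to the login attempt that requested it (replay defense).
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch")
    if not claims.get("sub"):
        raise TokenRejected("missing sub")
    return claims


@dataclass
class LocalUser:
    sub: str              # Trousseau's stable user ID; the only key we trust
    email: Optional[str]  # display data, may change; never used as identity
    name: Optional[str]


class UserStore:
    """Your app's user table: one row per `sub`. Email is not an identifier."""

    def __init__(self) -> None:
        self._by_sub: Dict[str, LocalUser] = {}

    def upsert_from_claims(self, claims: dict) -> LocalUser:
        user = self._by_sub.get(claims["sub"])
        if user is None:
            user = LocalUser(sub=claims["sub"], email=None, name=None)
            self._by_sub[claims["sub"]] = user
        # Profile fields are refreshed on every login; identity never changes.
        user.email = claims.get("email", user.email)
        user.name = claims.get("name", user.name)
        return user

    def count(self) -> int:
        return len(self._by_sub)


# Constructed sample values, not captured from a real Trousseau token.
ISSUER = "https://idp.example"   # placeholder issuer, not Trousseau's URL
CLIENT_ID = "your-app"           # placeholder client_id
NOW = 1_700_000_000

SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "u_123", "nonce": "n1",
    "iat": NOW - 5, "exp": NOW + 300,
    "email": "alice@example.com", "name": "Alice",
}
```

Pass the scope string from `scope_for_tier` to your OIDC library's authorization request, feed the verified claims through `check_id_token_claims`, then `upsert_from_claims` and open your own application session for the returned `LocalUser`; the `sub` value is what you store in your tables, the ID token itself is not your session.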