I was about to say this sounds like our on-prem PAM setup, which is integrated with our IdP - or some mixture of things folks are asking about. Seems like this is something largely solved regardless of how it's being done, but maybe we're all missing something. Or maybe his implementation is just that slick.