Identity Provider Connectors

Integrate TigerIdentity with your identity providers to sync users, groups, and access policies in real time.

Overview

Identity Provider (IdP) connectors enable TigerIdentity to synchronize user identities, group memberships, and organizational structure from your existing identity systems. These connectors support both real-time webhook-based sync and scheduled polling.

50+ Integrations

Connect to Okta, Azure AD, Google Workspace, and more.

Real-Time Sync

Webhook support for instant identity updates.

SCIM Support

Standard SCIM 2.0 provisioning integration.

Supported Identity Providers

Okta
Azure AD / Entra ID
Google Workspace
OneLogin
Ping Identity
Auth0
JumpCloud
Duo
Cisco Identity Services
ForgeRock

Common Configuration

All identity provider connectors share a common configuration structure. Here's a complete example using Okta:

# okta-connector.yaml
name: okta-production
type: okta
enabled: true

config:
  # Authentication
  domain: your-company.okta.com
  apiToken: ${OKTA_API_TOKEN}

  # Sync Configuration
  sync:
    mode: webhook  # Options: webhook, polling
    interval: 5m   # Used when mode is polling
    resources:
      - users
      - groups
      - applications

    # Batch settings
    batchSize: 100
    concurrency: 5

  # Attribute Mapping
  mapping:
    user:
      id: id
      email: profile.email
      username: profile.login
      firstName: profile.firstName
      lastName: profile.lastName
      displayName: profile.displayName
      department: profile.department
      title: profile.title
      manager: profile.manager
      status: status
      lastLogin: lastLogin

    group:
      id: id
      name: profile.name
      description: profile.description
      members: _embedded.users

  # Filtering
  filters:
    users:
      - status eq "ACTIVE"
      - profile.userType ne "SERVICE_ACCOUNT"
    groups:
      - type.name eq "OKTA_GROUP"
      - profile.name sw "TIG_"

  # SCIM Configuration (optional)
  scim:
    enabled: true
    endpoint: /scim/v2
    authentication: bearer

# Webhook Configuration
webhooks:
  enabled: true
  secret: ${OKTA_WEBHOOK_SECRET}
  verifySignature: true
  events:
    # User Lifecycle
    - user.lifecycle.create
    - user.lifecycle.activate
    - user.lifecycle.update
    - user.lifecycle.deactivate
    - user.lifecycle.suspend

    # Group Management
    - group.user_membership.add
    - group.user_membership.remove
    - group.lifecycle.create
    - group.lifecycle.delete

    # App Assignment
    - user.app.assign
    - user.app.unassign

# Retry Policy
retryPolicy:
  maxAttempts: 3
  backoff: exponential
  initialDelay: 1s
  maxDelay: 30s

# Rate Limiting
rateLimit:
  requestsPerSecond: 10
  burstSize: 20

SCIM Provisioning Setup

TigerIdentity supports SCIM 2.0 for bidirectional provisioning with your identity provider. This enables automatic user and group provisioning.

Step 1: Enable SCIM in TigerIdentity

# Enable SCIM in your connector configuration
scim:
  enabled: true
  endpoint: /scim/v2
  authentication: bearer

  # Feature flags
  features:
    users: true
    groups: true

  # Supported operations
  operations:
    - create
    - read
    - update
    - delete
    - patch

Step 2: Generate SCIM Credentials

# Generate a SCIM bearer token
tiger connector scim generate-token okta-production

# Output:
# SCIM Base URL: https://api.tigeridentity.com/scim/v2/connectors/okta-production
# Bearer Token: tiger_scim_1234567890abcdef...
#
# Configure these values in your IdP's SCIM settings.

Step 3: Configure in Your IdP

In your identity provider:

  1. Navigate to the SCIM provisioning settings
  2. Enter the SCIM Base URL from step 2
  3. Enter the Bearer Token from step 2
  4. Test the connection
  5. Enable provisioning for users and groups

Attribute Mapping Examples

Configure how identity provider attributes map to TigerIdentity's identity model.

Azure AD / Entra ID Mapping

mapping:
  user:
    id: id
    email: mail
    username: userPrincipalName
    firstName: givenName
    lastName: surname
    displayName: displayName
    department: department
    title: jobTitle
    manager: manager.id
    officeLocation: officeLocation
    mobilePhone: mobilePhone
    businessPhones: businessPhones[0]
    status: accountEnabled

  group:
    id: id
    name: displayName
    description: description
    mailEnabled: mailEnabled
    securityEnabled: securityEnabled
    members: members
    owners: owners

Google Workspace Mapping

mapping:
  user:
    id: id
    email: primaryEmail
    username: primaryEmail
    firstName: name.givenName
    lastName: name.familyName
    displayName: name.fullName
    department: organizations[0].department
    title: organizations[0].title
    manager: relations[?type=='manager'].value | [0]
    photoUrl: thumbnailPhotoUrl
    status: suspended
    isAdmin: isAdmin
    lastLoginTime: lastLoginTime

  group:
    id: id
    email: email
    name: name
    description: description
    members: members
    aliases: aliases

Custom Attribute Mapping

# Support for JSONPath and transformations
mapping:
  user:
    id: id
    email: profile.email

    # Conditional mapping
    status: |
      profile.status == 'ACTIVE' ? 'active' : 'inactive'

    # Array transformation
    roles: |
      profile.roles[*].name

    # Nested object extraction
    employeeId: profile.customAttributes.employeeNumber
    costCenter: profile.customAttributes.finance.costCenter

    # Date transformation
    hireDate: profile.hireDate | date('YYYY-MM-DD')

  group:
    id: id
    name: profile.name

    # Custom type detection
    type: |
      profile.name.startsWith('SEC_') ? 'security' :
      profile.name.startsWith('DIST_') ? 'distribution' :
      'general'

Sync Modes

Real-Time Webhooks

Receive instant updates when identities change. Recommended for production environments.

sync:
  mode: webhook

webhooks:
  enabled: true
  secret: ${WEBHOOK_SECRET}
  verifySignature: true
  events:
    - user.lifecycle.*
    - group.user_membership.*

Pros:

  • Instant identity updates (sub-second latency)
  • Reduced API calls and rate limit usage
  • More efficient for large organizations
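The following is an added example, not TigerIdentity's code, of what a receiver has to do when `verifySignature: true` is set, together with matching an incoming event against the wildcard list above. The page does not state the signature scheme, so this assumes HMAC-SHA256 over `<timestamp>.<raw body>` carried in hypothetical `X-Timestamp` and `X-Signature` headers, and a constructed JSON body with an `eventType` field.

```python
import hashlib
import hmac
import json
import time
from fnmatch import fnmatchcase
from typing import Optional

# Assumed scheme (the page does not specify one): the IdP signs
# "<unix timestamp>.<raw request body>" with HMAC-SHA256 under the shared
# webhook secret, sending the hex digest in X-Signature and the timestamp
# in X-Timestamp. Both header names and the body shape are hypothetical.
REPLAY_WINDOW_SECONDS = 300
# Wildcard subscriptions copied from the webhooks.events list above.
SUBSCRIBED_EVENTS = ["user.lifecycle.*", "group.user_membership.*"]

def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over the timestamp and the raw body bytes, never a
    re-serialized copy of the JSON (whitespace changes would break it)."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> bool:
    """Accept a delivery only if it is fresh and its signature matches."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Timestamp", "")
    provided = headers.get("X-Signature", "")
    if not timestamp.isdigit():
        return False
    # Freshness check: a captured request cannot be replayed after the window.
    if abs(now - int(timestamp)) > REPLAY_WINDOW_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison; a plain == would leak, via timing, how many
    # leading characters of the guess were right.
    return hmac.compare_digest(expected, provided)

def event_subscribed(event_type: str, patterns=SUBSCRIBED_EVENTS) -> bool:
    """Glob-match the event name against the subscription list (assumed glob
    semantics: user.lifecycle.* covers user.lifecycle.create and so on)."""
    return any(fnmatchcase(event_type, p) for p in patterns)

def handle_delivery(secret: bytes, headers: dict, body: bytes,
                    now: Optional[float] = None) -> str:
    """Outcome for one delivery: rejected, ignored, or processed."""
    if not verify_webhook(secret, headers, body, now):
        return "rejected"  # parse nothing from a body that failed verification
    event_type = json.loads(body).get("eventType", "")
    if not event_subscribed(event_type):
        return "ignored"  # authentic, but not an event this connector wants
    return "processed"
```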

Scheduled Polling

Sync identities on a fixed schedule. Suitable for IdPs without webhook support.

sync:
  mode: polling
  interval: 5m  # 5 minutes

  # Incremental sync settings
  incremental: true
  lookbackWindow: 10m

Pros:

  • Works with any identity provider
  • No webhook endpoint required
  • Simpler setup for development
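An added example, not the product's own code, of why `lookbackWindow` exists and what it requires of the consumer: each poll starts `lookbackWindow` before the previous successful run, so records are re-delivered and the upsert must be idempotent. The IdP query, the record shape and the dataset in `demo()` are constructed stand-ins.

```python
from datetime import datetime, timedelta, timezone

# Values from the polling configuration above.
INTERVAL = timedelta(minutes=5)
LOOKBACK = timedelta(minutes=10)

def query_updated_since(idp_records, since):
    """Constructed stand-in for the IdP's 'updated since' query. Real IdPs
    stamp lastUpdated when a change commits, which can trail the wall clock
    by replication delay; that lag is what the lookback window absorbs."""
    return [r for r in idp_records if r["lastUpdated"] >= since]

def apply_records(store, records):
    """Idempotent upsert keyed on id. Overlapping windows re-deliver records,
    so one is applied only when newer than the stored copy. Returns ids changed."""
    changed = []
    for rec in records:
        current = store.get(rec["id"])
        if current is None or rec["lastUpdated"] > current["lastUpdated"]:
            store[rec["id"]] = dict(rec)
            changed.append(rec["id"])
    return changed

def incremental_poll(idp_records, store, last_success, now, lookback=LOOKBACK):
    """One poll: query from last_success - lookback and return (changed ids,
    new cursor). The cursor is this run's start time, not the newest record."""
    since = last_success - lookback
    return apply_records(store, query_updated_since(idp_records, since)), now

def demo():
    """Three polls over a constructed IdP dataset; returns changed ids per poll,
    with what the second poll would have seen with no lookback inserted before it."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    idp = [{"id": "alice", "lastUpdated": t0 - timedelta(minutes=20)}]
    store, results = {}, []
    changed, cursor = incremental_poll(idp, store, t0 - timedelta(hours=1), t0)
    results.append(changed)
    # bob commits after poll 1 but is stamped two minutes before it ran
    idp.append({"id": "bob", "lastUpdated": t0 - timedelta(minutes=2)})
    # without a lookback window the next poll starts at the cursor and misses bob
    results.append(incremental_poll(idp, {}, cursor, t0 + INTERVAL, lookback=timedelta(0))[0])
    changed, cursor = incremental_poll(idp, store, cursor, t0 + INTERVAL)
    results.append(changed)
    # alice changes; bob is re-delivered by the overlap but is unchanged
    idp[0] = {"id": "alice", "lastUpdated": t0 + timedelta(minutes=3)}
    changed, cursor = incremental_poll(idp, store, cursor, t0 + 2 * INTERVAL)
    results.append(changed)
    return results
```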

Group and Role Sync Configuration

Configure how groups and roles are synchronized from your identity provider.

# Advanced group sync configuration
sync:
  resources:
    - users
    - groups

  # Group sync options
  groups:
    # Sync group memberships
    syncMemberships: true

    # Sync nested groups (group-in-group)
    syncNested: true
    maxDepth: 5

    # Sync group metadata
    syncMetadata: true

    # Group filters
    filters:
      # Only sync groups matching patterns
      include:
        - "TIG_*"
        - "APP_*"
        - "ROLE_*"

      # Exclude groups
      exclude:
        - "*_TEST"
        - "TEMP_*"

    # Transform group names
    transforms:
      - type: prefix
        action: remove
        pattern: "TIG_"

      - type: case
        action: lowercase

# Role mapping from groups
roleMapping:
  enabled: true

  # Map IdP groups to TigerIdentity roles
  rules:
    - groupPattern: "ROLE_ADMIN_*"
      role: admin

    - groupPattern: "ROLE_DEVELOPER_*"
      role: developer

    - groupPattern: "ROLE_VIEWER_*"
      role: viewer

    # Dynamic role extraction
    - groupPattern: "ROLE_(.*)"
      role: "$1"
      transform: lowercase
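An added example, not TigerIdentity's code, that evaluates the group filters, transforms and roleMapping rules above for one IdP group. Where the page leaves semantics open, the code states its assumptions: case-sensitive globs, exclude overriding include, transforms applied in order, first matching role rule wins, and role rules matched against the raw IdP name (the lowercase transform would otherwise defeat the upper-case `ROLE_` patterns).

```python
import re
from fnmatch import fnmatchcase, translate

# Rules transcribed from the configuration above. Semantics the page does
# not spell out are assumptions: filters and patterns are case-sensitive
# globs, exclude wins over include, transforms run in order, the first
# matching roleMapping rule wins, and role rules see the raw IdP name
# (the lowercase transform would otherwise defeat the ROLE_ patterns).
INCLUDE = ["TIG_*", "APP_*", "ROLE_*"]
EXCLUDE = ["*_TEST", "TEMP_*"]
TRANSFORMS = [{"type": "prefix", "action": "remove", "pattern": "TIG_"},
              {"type": "case", "action": "lowercase"}]
ROLE_RULES = [{"groupPattern": "ROLE_ADMIN_*", "role": "admin"},
              {"groupPattern": "ROLE_DEVELOPER_*", "role": "developer"},
              {"groupPattern": "ROLE_VIEWER_*", "role": "viewer"},
              {"groupPattern": "ROLE_(.*)", "role": "$1", "transform": "lowercase"}]

def group_in_scope(name: str) -> bool:
    """Include list first, then exclude list; excluded groups never sync."""
    return (any(fnmatchcase(name, p) for p in INCLUDE)
            and not any(fnmatchcase(name, p) for p in EXCLUDE))

def transform_name(name: str) -> str:
    """Apply the transforms in configured order to get the local group name."""
    for t in TRANSFORMS:
        if t["type"] == "prefix" and t["action"] == "remove" and name.startswith(t["pattern"]):
            name = name[len(t["pattern"]):]
        elif t["type"] == "case" and t["action"] == "lowercase":
            name = name.lower()
    return name

def map_role(raw_name: str):
    """First matching rule wins; None when no rule applies."""
    for rule in ROLE_RULES:
        pat = rule["groupPattern"]
        # Assumption: a pattern containing a capture group is a regex (so $1
        # can be filled in); anything else is a glob, converted to a regex.
        m = re.fullmatch(pat if "(" in pat else translate(pat), raw_name)
        if not m:
            continue
        role = rule["role"].replace("$1", m.group(1)) if m.groups() else rule["role"]
        return role.lower() if rule.get("transform") == "lowercase" else role
    return None

def sync_group(raw_name: str):
    """Filter, rename, and derive the role for one IdP group; None = skipped."""
    if not group_in_scope(raw_name):
        return None
    return {"name": transform_name(raw_name), "role": map_role(raw_name)}
```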
