Build frictionless onboarding for organizations with real-time user provisioning and deprovisioning.
Enterprise organizations use company directories and HRIS systems like Okta, Microsoft Entra ID, and Google Workspace to manage employee accounts and control access to tools. When employees join, change teams, or leave, IT admins update the directory and expect those changes to propagate automatically to every connected application.
Directory Sync bridges this gap by providing developer-friendly APIs and IT admin tools for implementing enterprise-grade User Lifecycle Management (ULM). Your application stays in sync with your customers’ directories in real time – automatically provisioning new users, updating group memberships, and deactivating accounts when employees depart. To learn more about how it works, see Understanding Directory Sync.
To integrate Directory Sync into your app, follow the Quick Start.
Directory Sync is a set of developer-friendly APIs and IT admin tools that allows you to implement enterprise-grade User Lifecycle Management (ULM) in your existing app.
ULM allows IT admins to centrally provision and deprovision users from their directory provider. A directory provider is the source of truth for your enterprise customer’s user and group lists. Directory Sync sends automatic updates to your app for changes to directories, groups, users, or access rules.
Common directory providers include: Microsoft Active Directory, Okta, Workday, and Google Workspace. See the full list of supported directory providers on the integrations page.
ULM increases the security of your app and makes it easier for your customers to use your app. ULM is most often implemented using SCIM. SCIM requests are sent between directory providers and your app to inform you of changes to a user’s identity. Changes can include:
Each directory provider implements SCIM differently. Implementing SCIM is often a challenging process and can introduce security vulnerabilities into your app. Directory Sync hides this complexity, so you can focus on building core product features in your app.
Without ULM, your customers have to manually add, update, and remove users from your app.
Imagine a scenario where your customer has purchased your software and onboards a new employee to your app. Your customer would have to do the following:
All future changes to this employee’s data and access are manually entered by the IT admin. This is error-prone and can lead to security vulnerabilities where users get unauthorized access to resources.
As your customers adopt more cloud software, these manual processes do not scale well. Manual input errors can cause your app’s state to drift from the source of truth (the directory). As a result, ULM has become a table-stakes product requirement for enterprises.
If your app supports ULM via Directory Sync, the IT admin can provision this employee from one place:
Directory Sync makes this integration easy by providing APIs your app interfaces with. All updates for this directory will automatically be sent to your app from WorkOS.
Directory, directory group, and directory user are the main components an app interfaces with.
A directory is the source of truth for a customer’s user and group lists.
WorkOS supports dozens of integrations including SCIM. Directory updates can be delivered via webhooks or retrieved using the Events API. The app stores a mapping between the customer and their directory, keeping it in sync with the directory provider.
Enable self-service Directory Sync setup for customers using the Admin Portal.
A directory group is a collection of users within an organization who have been provisioned with access to the app.
Directory groups are mapped from directory provider groups and are most often used to categorize a collection of users based on shared traits (e.g., grouping software developers at a company under an “Engineering” group).
A directory user is a person or entity within an organization who has been provisioned with access to the app.
Users can belong to multiple directory groups. Users have attributes associated with them that can be configured for the app’s needs.
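As an added example (not WorkOS code), the code below applies directory events to an app's stored directory-to-customer mapping and user records, covering a redelivered event, an event from an unmapped directory, and a late group event for a user who was already deprovisioned. The event names, payload fields, and the `AppState`, `apply_event` and `demo` names are assumptions for illustration, not the Events API schema.

```python
# Added example: event names and payload fields are hypothetical, not the Events API schema.
from dataclasses import dataclass, field

@dataclass
class AppState:
    customer_of: dict = field(default_factory=dict)  # directory id -> customer id
    users: dict = field(default_factory=dict)        # user id -> account record
    seen: set = field(default_factory=set)           # processed event ids

def apply_event(state, event):
    """Apply one directory event to local state and report the outcome."""
    if event["id"] in state.seen:                    # redelivery must be a no-op
        return "duplicate"
    data, kind = event["data"], event["event"]
    customer = state.customer_of.get(data["directory_id"])  # tenant isolation check
    if customer is None:
        return "rejected: unknown directory"
    state.seen.add(event["id"])
    user = state.users.get(data["user_id"])
    if user is not None and user["customer"] != customer:
        return "rejected: user belongs to another customer"
    if kind == "user.created" and (user is None or user["deleted"]):
        state.users[data["user_id"]] = {"customer": customer, "active": True, "deleted": False, "groups": set()}
        return "provisioned"
    if user is None:
        return "rejected: unknown user"
    if user["deleted"]:                              # late events must not restore access
        return "ignored: user already deprovisioned"
    if kind == "user.updated":
        user["active"] = data.get("state", "active") == "active"
        return "updated"
    if kind == "user.deleted":
        user.update(active=False, deleted=True, groups=set())
        return "deprovisioned"
    if kind == "group.user_added":
        user["groups"].add(data["group_id"])
        return "group added"
    if kind == "group.user_removed":
        user["groups"].discard(data["group_id"])
        return "group removed"
    return "ignored: unhandled event"

def demo():
    # Constructed sample events: a replayed e2, a late group add (e4), an unmapped directory (e5).
    state = AppState(customer_of={"dir_1": "cust_acme"})
    ev = lambda i, k, **d: {"id": i, "event": k, "data": {"directory_id": "dir_1", "user_id": "u1", **d}}
    events = [ev("e1", "user.created"), ev("e2", "group.user_added", group_id="eng"),
              ev("e2", "group.user_added", group_id="eng"), ev("e3", "user.deleted"),
              ev("e4", "group.user_added", group_id="admins"), ev("e5", "user.created", directory_id="dir_9")]
    return state, [apply_event(state, e) for e in events]
```

Keeping the deprovisioned record as a tombstone, rather than deleting the row, is what lets the handler refuse out-of-order events that would otherwise re-grant group access.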