WorkOS Docs Homepage
Directory Sync
API referenceDashboardSign In

Understanding Directory Sync

What Directory Sync is, why it matters, and how it changes the user provisioning experience.

Definitions

ULM
User Lifecycle Management (or ULM) is the process of managing a user’s access to an app. This occurs from app onboarding until they are removed from an app. ULM is also commonly referred to as identity provisioning.
SCIM
System for Cross-domain Identity Management (or SCIM) is an open standard for managing automated user and group provisioning. It is a standard that many directory providers interface with.
HRIS
A Human Resources Information System (or HRIS) is software designed to maintain, manage, and process detailed employee information and human resources-related policies. Examples include Workday, HiBob, BambooHR, and others.
User Provisioning
Provisioning is the process of creating a user and setting attributes for them inside of an app.
User Deprovisioning
Deprovisioning is the process of removing a user from an app.

What is Directory Sync?

Directory Sync is a set of developer-friendly APIs and IT admin tools that provides enterprise-grade User Lifecycle Management (ULM) for applications.

ULM allows IT admins to centrally provision and deprovision users from their directory provider. A directory provider is the source of truth for an enterprise customer’s user and group lists. Directory Sync sends automatic updates to the application for changes to directories, groups, users, or access rules.

Common directory providers include Microsoft Active Directory, Okta, Workday, and Google Workspace. See the full list of supported directory providers on the integrations page.

Why use Directory Sync?

ULM increases application security and makes it easier for customers to use the app. ULM is most often implemented using SCIM. SCIM requests are sent between directory providers and the application to inform it of changes to a user’s identity. Changes can include:

  • Provisioning an identity for a user (account creation)
  • When a user’s attributes have changed (account update)
  • Deprovisioning a user from the app (account deletion)

Each directory provider implements SCIM differently. Implementing SCIM directly is often a challenging process that can introduce security vulnerabilities. Directory Sync hides this complexity so that developers can focus on building core product features.

What the customer experiences

Without Directory Sync

Without ULM, customers have to manually add, update, and remove users from the app.

Consider a scenario where a customer has purchased the software and onboards a new employee:

  1. The IT admin provisions the employee in their directory provider (if they use one) and manually in the app.
  2. All employee information has to be set manually in both the directory provider and the app.
  3. The IT admin has to manually provision a login method for the employee – through either SSO (if they use an identity provider) or a self-registration page.
  4. The IT admin sends the invite link to the employee, often initiating a back-and-forth via email, messaging app, or IT helpdesk ticket.
  5. The employee proceeds with the registration method and can then use the app.

All future changes to this employee’s data and access are entered manually. This is error-prone and can lead to security vulnerabilities where users get unauthorized access to resources.

As customers adopt more cloud software, these manual processes do not scale. Manual input errors can cause the source of truth (directory) to drift from the app’s state. As a result, ULM has become a table-stakes product requirement for enterprises.

With Directory Sync

If the app supports ULM via Directory Sync, the IT admin can provision the employee from one place:

  1. Add the employee to their directory provider.
  2. Assign the employee to the app with the appropriate role once, via the directory provider admin page.
  3. Optional: Have the employee go through a password setup if they are not using an identity provider (SSO).

Directory Sync makes this integration easy by providing APIs the app interfaces with. All updates for the directory are automatically sent to the app from WorkOS.

See also

Understanding the Events LifecycleUnderstand the lifecycle of the events that occur in Directory Sync
Up next