Identity Provider (IdP) (Beta)
Overview
Sift supports the integration of external Identity Providers (IdPs) to manage users and groups. Sift can connect to IdPs that implement push provisioning, which enables real-time synchronization of data from the IdP to Sift. When changes occur in the IdP, such as creating, deleting, or renaming users or groups, or modifying group memberships, those changes are synchronized to Sift.
Connecting your IdP with Sift
The IdP feature is in Beta, meaning that connecting an Identity Provider (IdP) to Sift requires initial configuration by your Sift account representative. After this is complete, you will need to obtain a SCIM endpoint URL and an access token, both of which are available from the Users page in Sift. To learn more, see Tutorial: Integrate an Identity Provider (IdP) with Sift (Beta).
Supported IdPs
Sift supports Identity Providers (IdPs) that use push-based provisioning to create and update users and groups in Sift based on the current configuration in the IdP. For example, the following IdPs support push-based provisioning and have been verified to work with Sift:
- Microsoft Entra ID
- Oracle Identity and Access Management (Oracle IAM)
Oracle IAM SCIM URL: Format
- When entering the SCIM endpoint URL in Oracle IAM, split it into two parts: enter everything before .com, excluding the protocol, in the Host Name field, and enter everything after .com (including the initial /) in the Base URI field.
- For example, if the SCIM Server URL is https://sift.keycloak.com/realms/ScimExample/scim/v2, the Host Name is sift.keycloak.com and the Base URI is /realms/ScimExample/scim/v2.
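The split described above, as an added example that is not part of Sift's documentation or tooling: a small Python helper that takes a SCIM endpoint URL and returns the two values Oracle IAM asks for. It generalizes the ".com" rule by splitting at the host/path boundary, so it also works for hosts that do not end in .com, and it rejects URLs that are not https, lack a host, or carry a query string or fragment (checks chosen for this example; the page only describes the split itself). The function names are this example's own.

```python
from urllib.parse import urlsplit


def scim_url_problems(scim_url: str) -> list[str]:
    """Return a list of reasons the URL cannot be used as a SCIM endpoint; empty if it is fine."""
    parts = urlsplit(scim_url)
    problems = []
    if parts.scheme != "https":
        # Bearer tokens travel in the Authorization header, so plain http is not acceptable.
        problems.append("scheme must be https")
    if not parts.hostname:
        problems.append("missing host name")
    if parts.query or parts.fragment:
        problems.append("query string or fragment not allowed")
    return problems


def split_scim_url_for_oracle_iam(scim_url: str) -> dict[str, str]:
    """Split a SCIM endpoint URL into Oracle IAM's Host Name and Base URI fields.

    Host Name: the host (and port, if any) with the protocol stripped.
    Base URI:  the path, including its leading slash.
    """
    problems = scim_url_problems(scim_url)
    if problems:
        raise ValueError("; ".join(problems))
    parts = urlsplit(scim_url)
    return {
        "host_name": parts.netloc,
        "base_uri": parts.path or "/",
    }


if __name__ == "__main__":
    # The URL from the page's own example.
    print(split_scim_url_for_oracle_iam("https://sift.keycloak.com/realms/ScimExample/scim/v2"))
```

Paste the returned host_name into the Host Name field and base_uri into the Base URI field; if the function raises, the URL copied from the Users page was altered or truncated and should be copied again.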
Pull-based provisioning: Sift only supports IdPs that use push provisioning. IdPs that require pull-based provisioning, such as Google Workspace, require custom integration work.
SCIM provisioning
SCIM provisioning in Sift synchronizes users and groups from your Identity Provider (IdP) into Sift. When the IdP creates, deletes, or updates a user, a group, or a group’s membership, those changes are applied in Sift during the next scheduled sync. Sift runs an automatic sync every 24 hours, and administrators can trigger a manual sync at any time to apply changes sooner.
Groups synchronized from an IdP are called external groups in Sift. Changes to membership or group attributes must be made in the IdP. Permissions for these groups can be changed in Sift, but the membership and attributes themselves remain controlled by the IdP.
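As an added illustration (not Sift's code), the Python model below shows the ownership split described in the two paragraphs above: group names and memberships come from the IdP's SCIM Group resources, locally assigned permissions survive a sync, and a membership edit made only on the local side is reverted at the next sync. The SCIM Group payload follows the core 2.0 Group schema (displayName plus members[].value) and is constructed for this example; the local-state layout, the function names, and the rule that a group absent from the IdP is removed locally are this example's assumptions.

```python
import json

SCIM_GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample: what an IdP might push for two groups.
IDP_GROUPS_JSON = json.dumps([
    {"schemas": [SCIM_GROUP_SCHEMA], "id": "g-001", "displayName": "Data Engineering",
     "members": [{"value": "u-100"}, {"value": "u-101"}]},
    {"schemas": [SCIM_GROUP_SCHEMA], "id": "g-002", "displayName": "Fleet Ops",
     "members": [{"value": "u-102"}]},
])

# Constructed sample: local external-group state before the sync.
# g-001 was renamed in the IdP, and u-999 was added locally (which the IdP does not know about).
# g-003 no longer exists in the IdP.
LOCAL_GROUPS = {
    "g-001": {"name": "Data Eng", "members": {"u-100", "u-999"}, "permissions": {"view_assets"}},
    "g-003": {"name": "Old Team", "members": {"u-103"}, "permissions": {"view_runs"}},
}


def parse_scim_groups(payload: str) -> dict[str, dict]:
    """Parse a list of SCIM Group resources into {group_id: {name, members}}."""
    groups = {}
    for resource in json.loads(payload):
        if SCIM_GROUP_SCHEMA not in resource.get("schemas", []):
            raise ValueError(f"not a SCIM Group resource: {resource.get('id')!r}")
        groups[resource["id"]] = {
            "name": resource["displayName"],
            "members": {m["value"] for m in resource.get("members", [])},
        }
    return groups


def reconcile_external_groups(local: dict[str, dict], idp: dict[str, dict]):
    """Apply IdP state to local external groups and report what changed.

    Name and membership are taken from the IdP; local permissions are kept.
    Groups missing from the IdP are dropped locally (assumption for this example).
    """
    changes = {"created": [], "deleted": [], "renamed": [], "membership_changed": []}
    updated = {}
    for gid, g in idp.items():
        if gid not in local:
            changes["created"].append(gid)
            updated[gid] = {"name": g["name"], "members": set(g["members"]), "permissions": set()}
            continue
        current = local[gid]
        if current["name"] != g["name"]:
            changes["renamed"].append(gid)
        if current["members"] != g["members"]:
            changes["membership_changed"].append(gid)
        updated[gid] = {
            "name": g["name"],
            "members": set(g["members"]),            # IdP wins: local-only edits are discarded
            "permissions": set(current["permissions"]),  # Sift-side permissions are preserved
        }
    for gid in local:
        if gid not in idp:
            changes["deleted"].append(gid)
    return updated, changes


def run_sample():
    """Run one sync over the constructed samples and return (new local state, change report)."""
    return reconcile_external_groups(LOCAL_GROUPS, parse_scim_groups(IDP_GROUPS_JSON))


if __name__ == "__main__":
    state, report = run_sample()
    print(json.dumps(report, indent=2))
```

The change report is the kind of record an administrator would want after a manual sync: which groups were created or deleted, which were renamed, and where membership moved, so an unexpected entry (a group deleted because it vanished from the IdP, or a locally added member that disappeared) can be traced back to the IdP rather than hunted for in Sift.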