Tutorial: Integrate an Identity Provider (IdP) with Sift (Beta)
Overview
In this tutorial, you will learn how to connect an external Identity Provider (IdP) to Sift, using Microsoft Entra ID as the example. The same general process applies to other IdPs that support push provisioning. By the end, your Microsoft Entra ID tenant will be integrated with Sift, enabling you to synchronize external groups and manage their permissions directly in Sift.
Prerequisites
- Administrator access to Sift.
- Administrator access to your IdP, such as Microsoft Entra ID.
- IdP integration enabled for your Sift account, with the initial configuration completed by your Sift account representative.
Step 1: Understand IdP integration in Sift
Sift can connect to an external Identity Provider (IdP) that supports push provisioning to keep your groups in sync. Once your IdP is set up in Sift, an automatic sync runs every 24 hours to apply any changes from the IdP. You can also run a manual sync at any time to apply updates from the IdP whenever needed. Groups that come from an IdP are called external groups in Sift. You can change the permissions of an external group in Sift, but any changes to its membership must be made in the IdP. To learn more, see SCIM provisioning.
Pull-based provisioning: Sift only supports IdPs that use push provisioning. IdPs that require pull-based provisioning, such as Google Workspace, require custom integration work.
Step 2: Generate the SCIM endpoint URL and access token in Sift
Once you have contacted your Sift account representative and IdP integration is enabled for your account, you can generate the credentials needed to connect your IdP to Sift: the SCIM endpoint URL and the access token. The steps below are generic and can be followed for any IdP integration. In the next step, we will use the generated URL and token to configure Microsoft Entra ID.
- Click your profile icon, which shows the first initial of your account name.
- Select Manage.
- Click Manage Identity Provider.
- Click Generate Token.
- Copy URL: In the SCIM Server URL section, click Copy.
- Copy token: In the Token section, click Copy.
- Click Close.
Step 3: Configure your IdP (Microsoft Entra ID) with the SCIM credentials
After obtaining the SCIM endpoint URL and access token from Sift, configure your IdP to connect to Sift. In Microsoft Entra ID, enter the SCIM endpoint URL in the Tenant URL field and the access token in the Secret Token field. Save the configuration and test the connection to confirm that your IdP can communicate with Sift. Once the connection is verified, start provisioning to enable synchronization. Changes from your IdP will then appear in Sift after the next automatic sync or a manual sync.
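A pre-flight check for the two values copied in Step 2, before they are pasted into the Tenant URL and Secret Token fields. This is an added example, not Sift or Microsoft code. The URL and token are constructed placeholders, the function names are hypothetical, and build_probe assumes the endpoint serves the standard RFC 7644 /ServiceProviderConfig resource, which this tutorial does not confirm.

```python
# Added example: pre-flight checks for the SCIM URL and token from Step 2.
# All sample values are constructed placeholders, not real Sift values.
from urllib.parse import urlsplit
from urllib.request import Request


def check_scim_url(url: str) -> list[str]:
    """Return problems with the value destined for the Tenant URL field."""
    problems = []
    if url != url.strip():
        problems.append("URL has leading or trailing whitespace")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("URL must use https so the bearer token is not sent in clear text")
    if not parts.hostname:
        problems.append("URL has no host")
    if parts.username or parts.password:
        problems.append("URL must not embed credentials")
    return problems


def check_token(token: str) -> list[str]:
    """Return problems with the value destined for the Secret Token field."""
    problems = []
    if not token.strip():
        problems.append("token is empty")
    if any(c.isspace() for c in token):
        problems.append("token contains whitespace (often a copied newline)")
    if token.strip().lower().startswith("bearer "):
        problems.append("paste the token only, without a 'Bearer ' prefix")
    return problems


def build_probe(url: str, token: str) -> Request:
    """Build (but do not send) a SCIM discovery request, RFC 7644 section 4.
    Assumption: the endpoint serves /ServiceProviderConfig."""
    if check_scim_url(url) or check_token(token):
        raise ValueError("fix the reported problems before probing")
    return Request(
        url.rstrip("/") + "/ServiceProviderConfig",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/scim+json"},
    )


if __name__ == "__main__":
    url = "https://scim.example.invalid/scim/v2"  # constructed placeholder
    token = "example-token-not-real\n"            # constructed, stray newline
    print(check_scim_url(url), check_token(token))
```

Read the real token from a prompt or a secrets store rather than hard-coding it, since anyone holding it can push group changes to the SCIM endpoint.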
Step 4: Sync and verify external groups in Sift
Rather than waiting 24 hours for the automatic sync, run a manual sync to import external groups into Sift immediately.
- Click Manage Identity Provider.
- Click Sync Organization.
Conclusion
In this tutorial, you connected an IdP to Sift using Microsoft Entra ID as an example. You generated SCIM credentials in Sift, configured your IdP with those credentials, and synchronized external groups into Sift. You can now assign permissions to these external groups in Sift. Membership changes must be made in the IdP and will appear in Sift after the next automatic sync or a manual sync. Many of the steps in this tutorial can also be used for other IdP integrations that support push provisioning.
Resources
- Reference: Identity Provider (IdP) (Beta)
- How-to guide: Manage Identity Provider (IdP) (Beta)