Identity Provider Integration
Overview
Identity provider integrations sync your employee directory and enable single sign-on (SSO). This is typically the first integration to set up.
Supported Providers
If your organization uses a different identity provider, you can import users manually via CSV. See Manual Import for details.
Benefits
| Feature | Benefit |
|---|---|
| User Sync | Automatic employee directory |
| SSO | Single sign-on to Bastion |
| Groups | Sync groups for targeting |
| Lifecycle | Auto-offboarding when users leave |
Azure Active Directory
Prerequisites
- Azure AD tenant admin access
- Application registration permissions
Setup Steps
Create App Registration
In Azure Portal, create a new application registration.
Configure Permissions
Grant required Microsoft Graph permissions.
Generate Credentials
Create client secret or certificate.
Connect in Bastion
Enter credentials in Bastion integration settings.
Configure Sync
Set up user and group sync options.
Required Permissions
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Read user profiles |
| Group.Read.All | Application | Read group memberships |
| Directory.Read.All | Application | Read directory data |
Configuration Options
| Setting | Description |
|---|---|
| User Scope | All users or specific groups |
| Group Sync | Which groups to sync |
| Attributes | User attributes to import |
| Sync Frequency | How often to sync |
Google Workspace
Prerequisites
- Google Workspace super admin access
- Domain-wide delegation enabled
Setup Steps
Create Service Account
In Google Cloud Console, create a service account.
Enable Domain Delegation
Grant domain-wide delegation to the service account.
Add API Scopes
Add required Admin SDK scopes.
Connect in Bastion
Upload service account credentials.
Required Scopes
| Scope | Purpose |
|---|---|
| admin.directory.user.readonly | Read user profiles |
| admin.directory.group.readonly | Read groups |
| admin.directory.orgunit.readonly | Read org units |
Configuration Options
| Setting | Description |
|---|---|
| Org Units | Which org units to sync |
| Groups | Which groups to sync |
| Suspended Users | Include or exclude |
User Sync
Synced Attributes
| Attribute | Description |
|---|---|
| Primary identifier | |
| Name | First and last name |
| Department | Organizational unit |
| Title | Job title |
| Manager | Reporting relationship |
| Status | Active/inactive |
Sync Behavior
| Event | Bastion Action |
|---|---|
| New User | Create employee record |
| User Updated | Update attributes |
| User Disabled | Mark for offboarding |
| User Deleted | Archive employee |
Handling Conflicts
When data conflicts:
- Identity provider is source of truth
- Manual edits preserved (configurable)
- Conflicts logged for review
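The Sync Behavior table and the conflict rules above, worked through as an added example (not Bastion's own code): a reconciliation pass that turns an identity-provider snapshot into the actions Bastion would take. Record shapes, the use of e-mail as the primary identifier, and the `preserve_manual_edits` switch are assumptions.

```python
from dataclasses import dataclass, field

# Attributes the provider is allowed to overwrite (mirrors the Synced Attributes table).
SYNCED_ATTRS = ("name", "department", "title", "manager")

@dataclass
class Employee:
    email: str                                        # primary identifier (assumed)
    attrs: dict
    status: str = "active"                            # active | offboarding | archived
    manual_edits: set = field(default_factory=set)    # attrs edited by hand in Bastion

def reconcile(idp_users, bastion, preserve_manual_edits=True):
    """idp_users: {email: {"active": bool, <synced attrs>}}; bastion: {email: Employee}.
    Returns (actions, conflicts) and does not mutate either input."""
    actions, conflicts = [], []
    for email, rec in idp_users.items():
        emp = bastion.get(email)
        # User Disabled -> mark for offboarding (a disabled user never seen before is ignored)
        if not rec.get("active", True):
            if emp is not None and emp.status == "active":
                actions.append(("mark_offboarding", email, None))
            continue
        attrs = {k: rec[k] for k in SYNCED_ATTRS if k in rec}
        if emp is None:                               # New User -> create employee record
            actions.append(("create", email, attrs))
            continue
        # User Updated -> update attributes; the provider is the source of truth,
        # except where a manual edit exists and preservation is enabled.
        changed = {k: v for k, v in attrs.items() if emp.attrs.get(k) != v}
        for k in list(changed):
            if k in emp.manual_edits:
                conflicts.append((email, k, emp.attrs.get(k), changed[k]))  # logged for review
                if preserve_manual_edits:
                    del changed[k]
        if changed:
            actions.append(("update", email, changed))
    # User Deleted (absent from the provider snapshot) -> archive employee
    for email, emp in bastion.items():
        if email not in idp_users and emp.status != "archived":
            actions.append(("archive", email, None))
    return actions, conflicts
```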
Group Sync
Synced Groups
Sync groups for:
- Training assignment
- Phishing campaign targeting
- Access reviews
- Policy application
Group Mapping
Map provider groups to Bastion:
| Provider Group | Bastion Group |
|---|---|
| Engineering | Engineering Team |
| Sales | Sales Team |
| All Employees | Everyone |
SSO Configuration
SAML SSO
Configure SAML for single sign-on:
- Download Bastion metadata
- Configure provider with metadata
- Upload provider metadata to Bastion
- Test SSO flow
OIDC SSO
Configure OIDC authentication:
- Register Bastion in provider
- Note client ID and secret
- Configure in Bastion settings
- Test authentication
Troubleshooting
Google Workspace sync stopped working — new employees are not appearing
This typically means the service account credentials have expired or domain-wide delegation was revoked. Check the integration status under Integrations > Installed — if it shows "Warning" or "Error," disconnect and reconnect the Google Workspace integration. Re-upload your service account credentials and verify domain-wide delegation is still enabled in the Google Admin console.
Users Not Syncing
- Verify the user filter or org unit scope includes the expected users
- Check that API permissions have not been revoked
- Review sync logs under the integration detail view
- Confirm network connectivity to the identity provider
- For Google Workspace, ensure the service account has domain-wide delegation enabled
- For Azure AD, verify the app registration client secret has not expired
SSO Failing
- Verify SAML/OIDC configuration matches between provider and Bastion
- Check that the signing certificate has not expired
- Review attribute mapping (email must match)
- Test in an incognito or private window to rule out cached sessions
- Ensure the user exists in Bastion (SSO does not auto-create users)
Groups Missing
- Verify group filter settings include the expected groups
- Check that group read permissions are granted (Group.Read.All for Azure AD, admin.directory.group.readonly for Google)
- Review group type compatibility — some group types (distribution lists) may not sync
Can I manage employees without an identity provider?
Yes. Import employees manually via CSV or add them individually through Employees > People. If a previous IdP integration is still configured, disconnect it first to avoid conflicts. Manual import means automatic sync, onboarding, and offboarding workflows will not be available.
Best Practices
Use Service Accounts
Use dedicated service accounts, not personal admin accounts.
Sync Incrementally
Start with a subset of users to verify before full sync.
Monitor Sync Health
Watch for sync failures and address quickly.
Test Offboarding
Verify offboarding works correctly before production.