Identity Provider Integration
Overview
Identity provider integrations sync your employee directory and enable single sign-on (SSO). This is typically the first integration to set up.
Supported Providers
If your organization uses a different identity provider, you can import users manually via CSV. See Manual Import for details.
Benefits
| Feature | Benefit |
|---|---|
| User Sync | Automatic employee directory |
| SSO | Single sign-on to Bastion |
| Groups | Sync groups for targeting |
| Lifecycle | Auto-offboarding when users leave |
Azure Active Directory
Prerequisites
- Azure AD tenant admin access
- Application registration permissions
Setup Steps
1. Create App Registration: In the Azure Portal, create a new application registration.
2. Configure Permissions: Grant the required Microsoft Graph permissions.
3. Generate Credentials: Create a client secret or certificate.
4. Connect in Bastion: Enter the credentials in Bastion integration settings.
5. Configure Sync: Set up user and group sync options.
Required Permissions
| Permission | Type | Purpose |
|---|---|---|
| User.Read.All | Application | Read user profiles |
| Group.Read.All | Application | Read group memberships |
| Directory.Read.All | Application | Read directory data |
Configuration Options
| Setting | Description |
|---|---|
| User Scope | All users or specific groups |
| Group Sync | Which groups to sync |
| Attributes | User attributes to import |
| Sync Frequency | How often to sync |
Google Workspace
Prerequisites
- Google Workspace super admin access
- Domain-wide delegation enabled
Setup Steps
1. Create Service Account: In the Google Cloud Console, create a service account.
2. Enable Domain Delegation: Grant domain-wide delegation to the service account.
3. Add API Scopes: Add the required Admin SDK scopes.
4. Connect in Bastion: Upload the service account credentials.
Required Scopes
| Scope | Purpose |
|---|---|
| admin.directory.user.readonly | Read user profiles |
| admin.directory.group.readonly | Read groups |
| admin.directory.orgunit.readonly | Read org units |
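Both permission tables above (Azure AD Required Permissions and Google Workspace Required Scopes) are read-only sets. The script below is an added example, not Bastion's own code: it compares the grants a sync credential actually holds against those tables and reports anything missing, granted as the wrong type (Delegated where Application is required), or beyond what the integration needs, so an over-privileged app registration or service account is caught before it is connected. The granted lists in the usage are constructed sample input; the only outside fact assumed is that Google's Admin SDK presents scopes as full URIs under `https://www.googleapis.com/auth/`.

```python
"""Least-privilege check on the grants held by the directory sync credential.

Added example, not Bastion's code. Compares granted permissions/scopes against
the read-only set in the Required Permissions and Required Scopes tables.
"""
from dataclasses import dataclass, field
from typing import Iterable, Set, Tuple

Grant = Tuple[str, str]  # (permission or scope, grant type); type is "" for Google scopes

# Required read-only grants, exactly as the tables list them.
REQUIRED = {
    "azure_ad": {
        ("User.Read.All", "Application"),
        ("Group.Read.All", "Application"),
        ("Directory.Read.All", "Application"),
    },
    "google_workspace": {
        ("admin.directory.user.readonly", ""),
        ("admin.directory.group.readonly", ""),
        ("admin.directory.orgunit.readonly", ""),
    },
}

# The Admin SDK reports scopes as full URIs under this prefix; the table uses the short form.
GOOGLE_SCOPE_PREFIX = "https://www.googleapis.com/auth/"


@dataclass
class PermissionReport:
    provider: str
    missing: Set[Grant] = field(default_factory=set)
    wrong_type: Set[str] = field(default_factory=set)     # right name, wrong grant type
    excess: Set[Grant] = field(default_factory=set)       # granted but not required
    write_capable: Set[str] = field(default_factory=set)  # excess grants that can modify the directory

    @property
    def ok(self) -> bool:
        return not (self.missing or self.excess)


def normalise(provider: str, grant: Grant) -> Grant:
    """Trim whitespace and reduce Google scope URIs to the short form used in the table."""
    name, kind = grant[0].strip(), grant[1].strip()
    if provider == "google_workspace":
        if name.startswith(GOOGLE_SCOPE_PREFIX):
            name = name[len(GOOGLE_SCOPE_PREFIX):]
        kind = ""
    return (name, kind)


def is_write_capable(name: str) -> bool:
    """Graph write permissions contain 'ReadWrite'; Google directory scopes without '.readonly' can write."""
    low = name.lower()
    return "readwrite" in low or (low.startswith("admin.directory.") and not low.endswith(".readonly"))


def check_permissions(provider: str, granted: Iterable[Grant]) -> PermissionReport:
    """Diff the granted set against REQUIRED[provider] and classify every difference."""
    required = REQUIRED[provider]
    have = {normalise(provider, g) for g in granted}
    report = PermissionReport(provider=provider)
    report.missing = required - have
    report.excess = have - required
    required_names = {name for name, _ in required}
    # A required permission granted as Delegated shows up as one missing and one excess entry.
    report.wrong_type = {name for name, _ in report.excess if name in required_names}
    report.write_capable = {name for name, _ in have if is_write_capable(name)}
    return report


if __name__ == "__main__":
    # Constructed sample: one grant delegated instead of application, one write permission added.
    sample = [("User.Read.All", "Application"),
              ("Group.Read.All", "Delegated"),
              ("Directory.ReadWrite.All", "Application")]
    print(check_permissions("azure_ad", sample))
```

Run it against the grant list exported from the app registration or service account before connecting; a report with a non-empty `write_capable` set means the credential can do more than read the directory and should be trimmed.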
Configuration Options
| Setting | Description |
|---|---|
| Org Units | Which org units to sync |
| Groups | Which groups to sync |
| Suspended Users | Include or exclude |
User Sync
Synced Attributes
| Attribute | Description |
|---|---|
| Primary identifier | |
| Name | First and last name |
| Department | Organizational unit |
| Title | Job title |
| Manager | Reporting relationship |
| Status | Active/inactive |
Sync Behavior
| Event | Bastion Action |
|---|---|
| New User | Create employee record |
| User Updated | Update attributes |
| User Disabled | Mark for offboarding |
| User Deleted | Archive employee |
Handling Conflicts
When synced data conflicts with an existing employee record:
- The identity provider is the source of truth
- Manual edits are preserved (configurable)
- Conflicts are logged for review
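The Sync Behavior table and the conflict rules above describe a reconciliation loop. The following is an added example of that loop, not Bastion's sync engine: it diffs a provider snapshot against local employee records, emits the create/update/offboard/archive actions from the table, keeps hand-edited fields when `preserve_manual_edits` is set (the configurable behaviour), and records every conflict for review. The record types, field names and the data in `run_sample()` are constructed for illustration.

```python
"""Directory sync reconciliation with conflict handling (added example, not Bastion's code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

SYNCED_FIELDS = ("name", "department", "title", "manager")


@dataclass
class IdpUser:
    id: str                # primary identifier from the provider
    name: str
    department: str
    title: str
    manager: Optional[str]
    active: bool           # False once the provider has disabled the account


@dataclass
class Employee:
    id: str
    name: str
    department: str
    title: str
    manager: Optional[str]
    status: str = "active"                               # active | offboarding | archived
    manual_edits: Set[str] = field(default_factory=set)  # fields edited by hand in Bastion


@dataclass
class SyncResult:
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (action, employee id)
    # (employee id, field, provider value, local value, resolution)
    conflicts: List[Tuple[str, str, str, str, str]] = field(default_factory=list)


def reconcile(idp_users: Iterable[IdpUser], employees: Dict[str, Employee],
              preserve_manual_edits: bool = True) -> SyncResult:
    """Apply the provider snapshot to the local records in place and return what was done."""
    result = SyncResult()
    seen = set()
    for u in idp_users:
        seen.add(u.id)
        local = employees.get(u.id)
        if local is None:                                 # New User -> create employee record
            employees[u.id] = Employee(u.id, u.name, u.department, u.title, u.manager,
                                       status="active" if u.active else "offboarding")
            result.actions.append(("create", u.id))
            continue
        if not u.active:                                  # User Disabled -> mark for offboarding
            if local.status == "active":
                local.status = "offboarding"
                result.actions.append(("offboard", u.id))
            continue
        changed = False                                   # User Updated -> update attributes
        for f in SYNCED_FIELDS:
            new, old = getattr(u, f), getattr(local, f)
            if new == old:
                continue
            if f in local.manual_edits:
                if preserve_manual_edits:                 # keep the hand edit, log the conflict
                    result.conflicts.append((u.id, f, str(new), str(old), "kept_manual"))
                    continue
                result.conflicts.append((u.id, f, str(new), str(old), "provider_wins"))
            setattr(local, f, new)                        # provider is the source of truth
            changed = True
        if changed:
            result.actions.append(("update", u.id))
    for emp_id, local in employees.items():               # User Deleted -> archive employee
        if emp_id not in seen and local.status != "archived":
            local.status = "archived"
            result.actions.append(("archive", emp_id))
    return result


def run_sample(preserve_manual_edits: bool = True):
    """Constructed sample data: a provider snapshot and the local records it is compared against."""
    snapshot = [
        IdpUser("alice", "Alice Ng", "Platform", "Staff Engineer", "carol", True),   # dept + title changed
        IdpUser("bob", "Bob Lee", "Sales", "Account Exec", "carol", False),          # disabled at provider
        IdpUser("dana", "Dana Ruiz", "Security", "Analyst", "alice", True),          # not yet in Bastion
    ]
    employees = {
        "alice": Employee("alice", "Alice Ng", "Infra", "Senior Engineer", "carol", manual_edits={"title"}),
        "bob": Employee("bob", "Bob Lee", "Sales", "Account Exec", "carol"),
        "carol": Employee("carol", "Carol Wu", "Engineering", "Director", None),     # gone from provider
    }
    result = reconcile(snapshot, employees, preserve_manual_edits)
    return employees, result


if __name__ == "__main__":
    emps, res = run_sample()
    print(res.actions)
    print(res.conflicts)
```

With the sample data, Alice's department is overwritten from the provider while her hand-edited title is kept and logged as a conflict; running `run_sample(preserve_manual_edits=False)` shows the other configurable choice, where the provider value wins and the conflict is still recorded.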
Group Sync
Synced Groups
Sync groups for:
- Training assignment
- Phishing campaign targeting
- Access reviews
- Policy application
Group Mapping
Map provider groups to Bastion:
| Provider Group | Bastion Group |
|---|---|
| Engineering | Engineering Team |
| Sales | Sales Team |
| All Employees | Everyone |
SSO Configuration
SAML SSO
Configure SAML for single sign-on:
- Download Bastion metadata
- Configure provider with metadata
- Upload provider metadata to Bastion
- Test SSO flow
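Before uploading provider metadata to Bastion it is worth checking it for the faults that most often surface later as "SSO Failing" (an expired `validUntil`, a missing or malformed signing certificate, endpoints that are not HTTPS). The checker below is an added example using only the Python standard library; it is not Bastion's metadata importer. `SAMPLE_METADATA` is a constructed document whose certificate is a placeholder DER blob, not a real IdP certificate, and the problem codes it reports are this example's own.

```python
"""Sanity checks on SAML IdP metadata before it is uploaded (added example, not Bastion's code)."""
import base64
import binascii
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # for metadata from an external party, prefer defusedxml if available

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; the X509Certificate value is a placeholder DER SEQUENCE, not a certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MAMCAQE=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_metadata(xml_text: str, now: datetime = None) -> dict:
    """Parse IdP metadata and return entity id, SSO endpoints and a list of problem codes."""
    now = now or datetime.now(timezone.utc)
    report = {"entity_id": None, "sso_endpoints": [], "problems": []}
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        report["problems"].append("not_entity_descriptor")
        return report
    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        report["problems"].append("missing_entity_id")
    valid_until = root.get("validUntil")
    if valid_until:
        # validUntil is xs:dateTime in UTC; fromisoformat needs "+00:00" rather than "Z" on older Pythons
        expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expiry <= now:
            report["problems"].append("expired")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        report["problems"].append("no_idp_descriptor")
        return report
    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # no "use" means the key serves both purposes
            continue
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        try:
            der = base64.b64decode("".join(cert.split()), validate=True)
        except binascii.Error:
            report["problems"].append("bad_cert_encoding")
            continue
        if not der or der[0] != 0x30:                  # a DER certificate starts with a SEQUENCE tag
            report["problems"].append("bad_cert_encoding")
            continue
        signing_certs += 1
    if signing_certs == 0:
        report["problems"].append("no_signing_cert")
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, location = sso.get("Binding"), sso.get("Location", "")
        if binding not in (REDIRECT, POST):
            continue
        report["sso_endpoints"].append((binding, location))
        if not location.startswith("https://"):
            report["problems"].append(f"insecure_endpoint:{location}")
    if not report["sso_endpoints"]:
        report["problems"].append("no_sso_endpoint")
    return report


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA))
```

The DER check only confirms the certificate field decodes to something certificate-shaped; checking the certificate's own notAfter date needs an X.509 parser such as the `cryptography` package, and is the natural next step when "Check certificate validity" in the troubleshooting list comes up.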
OIDC SSO
Configure OIDC authentication:
- Register Bastion in provider
- Note client ID and secret
- Configure in Bastion settings
- Test authentication
Troubleshooting
Users Not Syncing
- Verify filter includes users
- Check API permissions
- Review sync logs
- Confirm network connectivity
SSO Failing
- Verify SAML/OIDC configuration
- Check certificate validity
- Review attribute mapping
- Test in incognito mode
Groups Missing
- Verify group filter settings
- Check group read permissions
- Review group type compatibility
Best Practices
Use Service Accounts
Use dedicated service accounts, not personal admin accounts.
Sync Incrementally
Start with a subset of users to verify before full sync.
Monitor Sync Health
Watch for sync failures and address quickly.
Test Offboarding
Verify offboarding works correctly before production.