Configure Identity Provider
Connect Entra ID, Google Workspace, or Okta — automatic user sync, group-to-role mapping, deactivation on removal.
Wire your identity provider into Palveron once and never touch the member list again — users sync automatically, group changes map to permission levels, and removed users are deactivated within minutes.
Supported providers
| Provider | Protocol | User sync | Group mapping | Auto-deactivation |
|---|---|---|---|---|
| Microsoft Entra ID | SCIM 2.0 + OIDC | ✅ continuous | ✅ | ✅ within 5 min |
| Google Workspace | OIDC + Directory API | ✅ on login + hourly poll | ✅ | ✅ within 1 hour |
| Okta | SCIM 2.0 + OIDC | ✅ continuous | ✅ | ✅ within 5 min |
Pick the one your organization already uses for SSO. Setup takes 10-15 minutes; ongoing maintenance is zero.
Generic flow (any provider)
- Open Team → Identity Provider (visible to owner and admin only).
- Click Connect provider and pick Entra ID, Google Workspace, or Okta.
- Enter credentials (provider-specific — see below).
- Map IdP groups to Palveron permission levels.
- Click Start synchronization.
The platform imports users from every mapped group, then keeps them in sync on the schedule above. Each user lands in the role corresponding to their IdP group.
Entra ID (Azure AD)
In Microsoft Entra
- Go to Azure portal → Entra ID → Enterprise applications → New application → Create your own application.
- Pick Integrate any other application you don't find in the gallery and name it Palveron.
- Under Provisioning, set the mode to Automatic. Tenant URL: https://app.palveron.com/api/v1/scim/{your-project-id}/v2. Secret token: generate one in Palveron under Team → IdP → Generate SCIM token and paste it here. Treat this token like a password: anyone holding it can create, modify, or deactivate users in your project.
- Under Single sign-on, configure OIDC. Redirect URI: https://app.palveron.com/api/v1/auth/callback/entra. Note the Application (client) ID and Directory (tenant) ID, and create a client secret. Entra client secrets expire (the portal allows at most 24 months), so record the expiry date; sign-in stops working when the secret lapses.
- Under Users and groups, assign the groups you want to sync (typically Palveron Admins, Palveron Editors, Palveron Viewers). Only assigned groups are synced, so assign exactly the groups that should have access.
In Palveron
| Field | Value |
|---|---|
| Tenant ID | from Entra |
| Client ID | from Entra |
| Client Secret | from Entra |
| SCIM endpoint URL | the URL you configured in Entra |
| SCIM token | the token you generated in Palveron |
Click Test connection before saving. The test sends GET /scim/v2/Users?count=1 to the SCIM endpoint with the token you entered and confirms the credentials work; it reads at most one user and changes nothing.
Google Workspace
In Google Admin Console
- Go to Security → API controls → Domain-wide delegation → Add new.
- Client ID: palveron-google-sync (generated when you click Connect in Palveron). Scopes: admin.directory.user.readonly, admin.directory.group.readonly, admin.directory.user.security. Grant exactly these scopes and nothing broader.
- Create an OAuth client at APIs & Services → Credentials. Authorized redirect URI: https://app.palveron.com/api/v1/auth/callback/google.
In Palveron
| Field | Value |
|---|---|
| Workspace domain | e.g. example.com |
| Client ID | from Google |
| Client Secret | from Google |
| Admin email | a Workspace super-admin email (the sync impersonates this account for the initial directory pull; prefer a dedicated admin account over an individual's) |
Initial sync runs immediately. After that, Google Workspace polls hourly. Trigger an immediate sync with Sync now.
Okta
In Okta
- Admin Console → Applications → Browse App Catalog → SCIM 2.0 Test App (OAuth Bearer Token) (or use Create New App → SCIM 2.0).
- SCIM connector base URL: https://app.palveron.com/api/v1/scim/{your-project-id}/v2. Authentication mode: HTTP Header. Header name: Authorization. Value: Bearer {token-from-Palveron}.
- Enable Push Users, Push Profile Updates, and Push Groups.
- Configure OIDC for SSO. Redirect URI: https://app.palveron.com/api/v1/auth/callback/okta.
- Assign the application to the groups you want to sync.
In Palveron
| Field | Value |
|---|---|
| Okta domain | e.g. company.okta.com |
| API token | created in the Okta Admin Console under Security → API → Tokens (the token inherits the permissions of the admin who creates it, so create it from a dedicated admin account rather than a personal one) |
| SCIM token | the token you generated in Palveron |
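To show what the SCIM side of the Entra ID and Okta setups actually exchanges, here is an added example of a minimal SCIM 2.0 receiver. It is not Palveron's code and says nothing about Palveron's internals; it models the requests an IdP sends to the SCIM base URL configured above, namely the GET /Users?count=1 probe that Test connection uses, POST /Users when a user is pushed, and PATCH /Users/{id} with active=false when a user is deprovisioned. The class and function names, the in-memory store, and every request used in the usage note and tests are this example's own assumptions and constructed sample data.

```python
"""Illustrative SCIM 2.0 receiver, added here as an example. It is not
Palveron's code; it models the requests an IdP (Entra ID, Okta) sends to
the SCIM base URL above: the GET /Users?count=1 probe behind Test
connection, POST /Users when a user is pushed, and PATCH /Users/{id} with
active=false on deprovisioning. The store is in-memory; all inputs are
constructed sample data.
"""
import hmac
import json
import uuid
from typing import Dict, Optional, Tuple

LIST_RESP = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
Response = Tuple[int, dict]


def as_bool(value) -> bool:
    """Entra ID sends `active` as the strings "True"/"False" in PATCH ops,
    Okta as JSON booleans. Accept both; anything else counts as False."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def error(status: int, detail: str, scim_type: Optional[str] = None) -> Response:
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimReceiver:
    def __init__(self, token: str):
        self._token = token               # the token generated under Team -> IdP
        self.users: Dict[str, dict] = {}  # SCIM id -> user resource

    def _authorized(self, headers: Dict[str, str]) -> bool:
        lowered = {k.lower(): v for k, v in headers.items()}
        scheme, _, presented = lowered.get("authorization", "").partition(" ")
        # Constant-time compare: response timing must not reveal how many
        # leading bytes of a guessed token were right.
        return scheme.lower() == "bearer" and hmac.compare_digest(presented, self._token)

    def handle(self, method: str, path: str, headers: Dict[str, str],
               body: Optional[str] = None) -> Response:
        """Dispatch one request; returns (HTTP status, JSON body as a dict)."""
        if not self._authorized(headers):
            return error(401, "invalid or missing bearer token")
        route, _, query = path.partition("?")
        if method == "GET" and route == "/Users":
            return self._list(query)
        if method == "POST" and route == "/Users":
            return self._create(json.loads(body or "{}"))
        if method == "PATCH" and route.startswith("/Users/"):
            return self._patch(route.rsplit("/", 1)[1], json.loads(body or "{}"))
        return error(404, "no such resource")

    def _list(self, query: str) -> Response:
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        count = max(0, int(params.get("count", "100")))
        page = list(self.users.values())[:count]
        return 200, {"schemas": [LIST_RESP], "totalResults": len(self.users),
                     "startIndex": 1, "itemsPerPage": len(page), "Resources": page}

    def _create(self, user: dict) -> Response:
        user_name = user.get("userName")
        if not user_name:
            return error(400, "userName is required", "invalidValue")
        if any(u["userName"] == user_name for u in self.users.values()):
            return error(409, "userName already exists", "uniqueness")
        resource = {"schemas": [USER_SCHEMA], "id": str(uuid.uuid4()),
                    "userName": user_name, "externalId": user.get("externalId"),
                    "displayName": user.get("displayName"),
                    "active": as_bool(user.get("active", True))}
        self.users[resource["id"]] = resource
        return 201, resource

    def _patch(self, uid: str, patch: dict) -> Response:
        resource = self.users.get(uid)
        if resource is None:
            return error(404, "no such user")
        if PATCH_OP not in patch.get("schemas", []):
            return error(400, "body is not a PatchOp", "invalidValue")
        for op in patch.get("Operations", []):
            if str(op.get("op", "")).lower() != "replace":
                continue  # add/remove are not needed to show deactivation
            path, value = op.get("path"), op.get("value")
            if path:                       # e.g. {"path": "active", "value": "False"}
                key = "active" if path.lower() == "active" else path
                resource[key] = as_bool(value) if key == "active" else value
            elif isinstance(value, dict):  # no path: value is a partial resource
                for key, val in value.items():
                    resource[key] = as_bool(val) if key == "active" else val
        return 200, resource
```

Usage: `ScimReceiver("tok").handle("GET", "/Users?count=1", {"Authorization": "Bearer tok"})` returns a 200 ListResponse, which is the shape of check Test connection performs; a wrong or missing token gets a 401 before any route is looked at. A PATCH whose Operations contain `{"op": "Replace", "path": "active", "value": "False"}` flips the user to inactive, which is how an Entra ID removal arrives on the wire.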
Map groups to Palveron levels
After the connection succeeds, Palveron lists every group it can read from the IdP. Map each to a permission level:
| IdP group (example) | → Palveron level |
|---|---|
| Palveron Admins | admin |
| Compliance & Risk | editor |
| Engineering | viewer |
| Sales | viewer |
Groups you leave unmapped default to viewer, the lowest level. A user who belongs to several mapped groups receives the highest level among them. Because every group assigned to the application is synced, assigning a broad group (for example an all-staff group) grants each of its members at least viewer access; assign only the groups that should have access.
📸 Screenshot: Group mapping table with dropdowns per group.
What auto-sync does
After the IdP is connected:
- New user added to a mapped group → user appears in Palveron at the mapped level (status: ACTIVE).
- User removed from all mapped groups → user deactivated in Palveron (cannot log in; any responsibility-chain entries that reference the user trigger reassignment warnings).
- User moved between groups → role updated; takes effect within ~5 minutes (Entra / Okta) or up to 1 hour (Google Workspace).
- User profile updated in IdP (display name, email) → fields update in Palveron on next sync.
Synced users carry an IdP badge in the member list. They cannot be removed or role-changed manually — managed entirely through the IdP.
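To make the mapping and auto-sync rules above concrete, here is an added example that applies them to an IdP snapshot and produces the actions one sync pass would take. It is not Palveron's own sync code: the function names, the action labels, the treatment of a user who vanished from the IdP entirely, and the sample memberships and member list are this example's assumptions and constructed data. The rules it encodes are the page's: an unmapped but synced group counts as viewer, the highest level across a user's groups wins, and a user left in no synced group is deactivated.

```python
"""Group-to-level reconciliation, added here as an example; it is not
Palveron's own sync code. It applies the rules above to an IdP snapshot:
every synced group without an explicit mapping counts as viewer, a user in
several groups gets the highest level, and a user left in no synced group
(or gone from the IdP altogether) is deactivated. The memberships and the
current member list are constructed sample data.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

LEVEL_RANK = {"viewer": 0, "editor": 1, "admin": 2}  # the levels IdP groups map to
DEFAULT_LEVEL = "viewer"                              # what an unmapped group gets

Action = Tuple[str, str, Optional[str]]  # (user, action, new level or None)


def validate_mapping(mapping: Dict[str, str]) -> None:
    """Reject a mapping table that names a level that does not exist."""
    bad = {g: lvl for g, lvl in mapping.items() if lvl not in LEVEL_RANK}
    if bad:
        raise ValueError(f"unknown permission level(s): {bad}")


def effective_level(groups: Iterable[str], mapping: Dict[str, str],
                    synced_groups: Set[str]) -> Optional[str]:
    """Highest mapped level across the user's synced groups; None if none."""
    levels = [mapping.get(g, DEFAULT_LEVEL) for g in groups if g in synced_groups]
    if not levels:
        return None
    return max(levels, key=LEVEL_RANK.__getitem__)


def reconcile(idp_members: Dict[str, Set[str]], mapping: Dict[str, str],
              synced_groups: Set[str],
              current: Dict[str, Tuple[str, str]]) -> List[Action]:
    """Compute the actions one sync pass would take.

    idp_members: user -> groups the IdP reports for that user.
    current: user -> (level, status) as held today; status ACTIVE or DEACTIVATED.
    """
    validate_mapping(mapping)
    actions: List[Action] = []
    for user, groups in sorted(idp_members.items()):
        level = effective_level(groups, mapping, synced_groups)
        state = current.get(user)
        if level is None:                      # in no synced group at all
            if state is not None and state[1] == "ACTIVE":
                actions.append((user, "deactivate", None))
        elif state is None:
            actions.append((user, "add", level))
        elif state[1] != "ACTIVE":
            actions.append((user, "reactivate", level))
        elif state[0] != level:
            actions.append((user, "role_change", level))
    # Assumption: a user the IdP no longer reports at all is treated like a removal.
    for user, (_, status) in sorted(current.items()):
        if user not in idp_members and status == "ACTIVE":
            actions.append((user, "deactivate", None))
    return actions


# Constructed sample data: the mapping table from the page, one extra synced
# but unmapped group (Sales), and a few members in assorted states.
SAMPLE_MAPPING = {"Palveron Admins": "admin", "Compliance & Risk": "editor",
                  "Engineering": "viewer"}
SAMPLE_SYNCED = set(SAMPLE_MAPPING) | {"Sales"}
SAMPLE_IDP = {
    "alice": {"Palveron Admins", "Engineering"},  # two groups: admin wins
    "bob": {"Sales"},                             # unmapped synced group: viewer
    "carol": {"HR"},                              # group not assigned to the app
    "dave": {"Compliance & Risk"},                # already correct
    "frank": {"Engineering"},                     # was deactivated, re-added
}
SAMPLE_CURRENT = {
    "alice": ("editor", "ACTIVE"), "carol": ("viewer", "ACTIVE"),
    "dave": ("editor", "ACTIVE"), "erin": ("viewer", "ACTIVE"),
    "frank": ("viewer", "DEACTIVATED"),
}


def demo() -> List[Action]:
    return reconcile(SAMPLE_IDP, SAMPLE_MAPPING, SAMPLE_SYNCED, SAMPLE_CURRENT)


if __name__ == "__main__":
    for user, action, level in demo():
        print(f"{user:6} {action:12} {level or '-'}")
```

Each tuple the function returns corresponds to one of the sync outcomes listed above (add, role change, deactivation), which is also the granularity at which the Audit trail section says events are recorded. The carol case is the one worth checking in a real setup: a user whose only group is not assigned to the application is treated as removed, not as a viewer.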
Disconnect the IdP
- Team → Identity Provider → Settings (⚙️) → Disconnect.
- Confirm.
On disconnect, synced users remain in Palveron but become manually-managed users: IdP changes no longer affect them, and their current role is preserved. This also means offboarding in the IdP no longer revokes Palveron access, so review the member list manually after disconnecting. If you want to remove the users entirely, remove them in the IdP first, wait for the deactivation to propagate, then disconnect.
Audit trail
Every sync action (user added, role changed, deactivated) is recorded as a TEAM_* governance event. The full sync history is available under Monitoring → Governance Events.