Identity Provider Sync
Connect Entra ID, Okta, or Google Workspace to automatically manage team members and enforce group-based security policies.
Supported providers
Microsoft Entra ID
formerly Azure AD
- ✓SCIM 2.0 provisioning
- ✓Group sync
- ✓Auto-deprovision on removal
Okta
- ✓SCIM 2.0 provisioning
- ✓Group push
- ✓Lifecycle management
Google Workspace
- ✓Directory API sync
- ✓Organizational unit mapping
- ✓Auto-deprovision on suspension
How it works
- 1. Connect your IDP: Navigate to Settings → Identity and select your provider.
- 2. Generate SCIM credentials: Agent Keeper generates a unique SCIM endpoint URL and bearer token for your organization.
- 3. Configure provisioning: Paste the endpoint URL and token into your IDP admin console under provisioning or SCIM settings.
- 4. Users and groups sync: Your IDP pushes user and group changes to Agent Keeper automatically, no manual imports needed.
- 5. Policies apply: Group memberships determine which Claude Code security policies apply to each workstation.
Group-based policies
Once groups are synced from your IDP, you can attach policy overrides to each group. Members inherit their group's policy on top of the org-wide defaults.
Blocked tools
Prevent specific Claude Code tools per group. Example: contractors cannot use WebFetch or Bash.
Security level overrides
Set stricter detection modes for sensitive groups. Example: "interns" group gets paranoid mode enabled.
Blocked write paths
Restrict which file paths a group can write to. Useful for read-only auditor roles.
Allowed skills restrictions
Limit which Claude Code skills and slash commands are available to a group.
Auto-provisioning
User creation
When a user is added to a synced group in your IDP, an Agent Keeper account is created automatically. They receive an email invitation to set their password and activate their workstation.
Deprovisioning
When a user is removed from a synced group or deactivated in your IDP, their Agent Keeper access is revoked within minutes. Workstation API keys are invalidated and active sessions are terminated.
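What the deprovisioning event above looks like on the wire, as an added example that is not Agent Keeper's code: a SCIM 2.0 deactivation arrives as a PatchOp request (RFC 7644), and this Python check recognises it in both the path and path-less forms. The payloads are constructed samples, and the tolerance for capitalised op names and string booleans is an assumption about what an IDP may send.

```python
"""Added example: detect a deactivation in a SCIM 2.0 PatchOp body (RFC 7644)."""
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _as_bool(value):
    """Accept JSON booleans and the string forms a SCIM client may send (assumption)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    # Fail loudly: silently ignoring an odd value would leave the account active.
    raise ValueError(f"unrecognised 'active' value: {value!r}")


def is_deactivation(body: str) -> bool:
    """Return True when the PATCH leaves the user's 'active' attribute false."""
    doc = json.loads(body)
    if PATCH_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    deactivated = False
    for op in doc.get("Operations", []):
        # Compare the op name case-insensitively (assumed client variation).
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):
            # Path-less form: the value is an object of attributes to set.
            for key, val in value.items():
                if key.lower() == "active":
                    deactivated = not _as_bool(val)
        elif isinstance(path, str) and path.lower() == "active":
            # Path form: the value is the new attribute value itself.
            deactivated = not _as_bool(value)
    return deactivated  # the last operation touching 'active' wins


# Constructed sample request bodies (not captured traffic).
PATHLESS = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "value": {"active": False}}]})
WITH_PATH = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "path": "active", "value": "False"}]})
RENAME = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "replace", "path": "displayName", "value": "A. Example"}]})

if __name__ == "__main__":
    for name, body in (("pathless", PATHLESS), ("with_path", WITH_PATH), ("rename", RENAME)):
        print(name, is_deactivation(body))
```

A check like this is useful when reviewing provisioning logs from your IDP: a deactivation that is sent but not recognised by the receiving side is the case that leaves access in place.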
Role mapping
IDP groups map to Agent Keeper roles. Set role mappings in Settings → Identity → Role Mapping.
| IDP group | Agent Keeper role |
|---|---|
| agentkeeper-admins (example) | Admin |
| agentkeeper-developers (example) | Developer |
| Any other synced group | Developer (default) |
Sync frequency
SCIM events are processed in real time as your IDP pushes them. Google Workspace Directory API sync polls every 15 minutes.
Setup guides
Steps vary by IDP version and tenant configuration. Contact us for setup assistance if you run into anything unexpected.
Microsoft Entra ID
- 1. In Entra ID, go to Enterprise Applications → New Application → Create your own.
- 2. Under Provisioning, set mode to Automatic.
- 3. Paste your Agent Keeper SCIM endpoint URL into Tenant URL.
- 4. Paste your Agent Keeper bearer token into Secret Token.
- 5. Click Test Connection, then save and enable provisioning.
- 6. Assign the groups you want to sync under Users and Groups.
Okta
- 1. In Okta, go to Applications → Create App Integration → select SCIM.
- 2. Set SCIM connector base URL to your Agent Keeper SCIM endpoint URL.
- 3. Set Unique identifier field to email.
- 4. Set Authentication Mode to HTTP Header and paste your bearer token.
- 5. Enable Push New Users, Push Profile Updates, and Push Groups.
- 6. Assign the groups you want to sync to the application.
Google Workspace
- 1. In Google Admin Console, go to Apps → Web and mobile apps → Add App → SAML/SCIM.
- 2. Under Auto-provisioning, enable SCIM and paste your Agent Keeper endpoint URL.
- 3. Paste your bearer token into the OAuth token field.
- 4. Select the organizational units or groups to sync.
- 5. Save and activate provisioning.
Identity Provider sync is available on Team and Enterprise plans.
Upgrade to connect your IDP, enable SCIM provisioning, and enforce group-based security policies across your entire organization.