Build frictionless onboarding for organizations with real‑time user provisioning and deprovisioning.
Organizations use company directories and HRIS systems to manage users and enforce their access to organization resources. Directories enable IT admins to activate and deactivate accounts, create groups that inform access rules, accelerate adoption of new tools, and more.
Directory Sync is a set of developer-friendly APIs and IT admin tools that allows you to implement enterprise-grade User Lifecycle Management (ULM) into your existing app.
ULM allows IT admins to centrally provision and deprovision users from their directory provider. A directory provider is the source of truth for your enterprise customer’s user and group lists. Directory Sync sends automatic updates to your app for changes to directories, groups, users, or access rules.
Common directory providers include: Microsoft Active Directory, Okta, Workday, and Google Workspace. See the full list of supported directory providers on the integrations page.
ULM increases the security of your app and makes it easier for your customers to use your app. ULM is most often implemented using SCIM. SCIM requests are sent between directory providers and your app to inform you of changes to a user’s identity. Changes can include:
Each directory provider implements SCIM differently. Implementing SCIM is often a challenging process and can introduce security vunerabilties into your app. Directory Sync hides this complexity, so you can focus on building core product features in your app.
Without ULM, your customers have to manually add, update, and remove users from your app.
Imagine a scenario where your customer has purchased your software and onboards a new employee to your app. Your customer would have to do the following:
All future changes to this employee’s data and access are manually entered by the IT admin. This is error prone and can lead to security vunerabilties where users get unauthorized access to resources.
As your customers adopt more cloud software, these manual processes do not scale well. Manual input error can lead to the source of truth (directory) drifting from your app’s state. As a result, ULM has become a table stakes product requirement for enterprises.
If your app supports ULM via Directory Sync, the IT admin can provision this employee from one place:
Directory Sync makes this integration easy by providing APIs your app interfaces with. All updates for this directory will automatically be sent to your app from WorkOS.
Directory, directory group, and directory user are the main components your app interfaces with.
A directory is the source of truth for your customer’s user and group lists.
WorkOS supports dozens of integrations including SCIM. Directory updates are delivered to you via webhooks. Your app stores a mapping between your customer and their directory. This allows you to maintain your app in sync with the directory provider used by your customer.
You can enable self-service Directory Sync setup for your customers using the Admin Portal.
A directory group is a collection of users within an organization who have been provisioned with access to your app.
Directory groups are mapped from directory provider groups. Directory groups are most often used to categorize a collection of users based on shared traits. i.e. Grouping software developers at a company under an “Engineering” group.
A directory user is a person or entity within an organization who has been provisioned with access to your app.
Users can belong to multiple directory groups. Users have attributes associated with them. These attributes can be configured for your app’s needs.