Integrations

Connectors where you can. A builder where you can't.

Native connectors for the identity and workforce systems mid-market teams already run — Google Workspace, Microsoft Entra ID, Okta, Auth0, Active Directory — and the SaaS around them. For everything else — the internal tool your company actually built, the SaaS your vendor hasn't heard of — an in-app connector builder you use directly in Owlie.

Configuration-first. Functions where config ends. AI-assisted where useful.

Full provisioning

Native connectors that actually provision.

Sync plus write-back — create, update, disable, revoke, and grant entitlements. Headlined by the identity and workforce core, because that's where lifecycle governance lives: Google Workspace, Microsoft Entra ID, Okta, Auth0, and Active Directory.

Google Workspace

Users, groups, admin roles, org units, domains. Full lifecycle plus group and role grants.

syncprovisionentitlementscustom actions

Microsoft Entra ID

Users and groups. Full account lifecycle plus group-membership grants.

syncprovisionentitlements

Okta

Users, groups, applications, roles. Full account lifecycle.

syncprovisionentitlements

Auth0

Users, organizations, roles. Full lifecycle plus organization and role grants.

syncprovisionentitlements

Active Directory

Users, groups, OUs, membership. Full lifecycle, password operations, and incremental sync — through the gateway.

syncprovisionentitlementsgateway

Full provisioning reaches well past identity — Salesforce, ServiceNow, Slack, GitHub, Zoom, Box, Dropbox, Microsoft Teams, OneDrive, and more all run the same create, update, disable, revoke, and entitlement-grant lifecycle.

Systems of record

The sources we read, not write.

Some systems are sources of truth, not targets. We sync them for the signals that drive identity and access — and deliberately don't write back. BambooHR and Workday anchor the workforce graph: who joined, who left, and — for BambooHR — who reports to whom. Jira, Confluence, SharePoint, and Notion fill in the access picture. Read-only by design, not by limitation.

A sync connector and a provisioning connector are different tools. We don't pretend otherwise.

Protocol rails

Speak the standard your system already exposes.

When there's no named connector, connect over the protocol your system already speaks and supply the mapping. Owlie ships the rails; you point them at your endpoint.

Generic SCIM

Any SCIM 2.0 endpoint, over HTTP or through the gateway. Four presets prefill the config: AWS IAM Identity Center, Databricks, Snowflake, and GitHub Enterprise Managed Users.

Generic LDAP

Any LDAP v3 directory. Configurable account and group schema, membership direction, and optional incremental sync. Runs through the gateway.

Generic SQL

Customer-authored SQL for account and entitlement sync and provisioning. Named parameters only. Runs through the gateway.

Flat-file CSV

Drop a CSV. Each upload is one full authoritative snapshot — for the system that exposes no API at all.

The connector gateway

Reach what's behind the firewall.

Active Directory, LDAP directories, on-prem SQL — plenty of the systems you need to govern never touch the public internet. The Owlie gateway is a small agent you run inside your own network. It executes those connectors locally and brokers each operation over a single outbound connection to Owlie's edge, so provisioning and sync behave exactly as they do for cloud systems — same errors, same retries — without opening a port.

Runs in your network.
The agent executes connector logic and resolves secrets locally. Owlie's control plane never sees them.
Outbound only.
Every connection originates from the agent. No inbound firewall rules, no exposed ports.
Single-use enrollment.
Create a gateway, get a one-time token, run setup. The agent generates its own key pair and authenticates by key after that; the token is consumed.

For everything else

Connectors you build in the product.

The builder is a web UI you use directly inside the admin dashboard. Configure the connection shape — OAuth 2.0, API key, bearer token, or basic and custom-header auth. Declare the entity schemas you want to sync. Map fields with the Owlie Expression Language. Fill in the behaviors that don't fit a config field with a Function — a few lines of TypeScript, sandboxed, version-managed. AI assistance accelerates the parts that have public documentation. A connector that would be a six-figure services engagement elsewhere is a configuration task in Owlie.

Config-first.
Most of a typical connector is mapping and lifecycle rules.
Functions where config ends.
The behaviors that vary get written in TypeScript.
AI-assisted where useful.
Schema inference and handler scaffolding for systems with public docs.
Versioned releases.
Draft and edit. Publish to go live. Upgrade installed integrations when you're ready.

What we're not.

We don't ship a directory of shallow logos you'd never trust in an audit. Every native connector is versioned and deep enough to do real governance work — provisioning connectors run the full create, update, disable, revoke, grant lifecycle; sync connectors read the systems of record that drive it. Contract and conformance tests run against each connector's published API, and newer connectors are validated against a live vendor tenant during early access. Where we don't ship native coverage, the builder does — no separate integration project.

Deep connectors. Honest coverage. A builder for the long tail.

Don't see what you need?

Tell us which system. If the builder can shape it, we'll help. If it needs a native connector, it goes on the priority list.

Security & Trust.

  • Trust Center

    Formal review materials at trust.owlie.com.

  • SOC 2 program in progress

    Controls design and evidence collection underway ahead of Type I.

  • security@owlie.com

    Direct line for security reviewers and responsible disclosure.

The stack you have. Not the one your vendor wishes you had.

Early access is open. Bring a real integration ask and we'll show you the builder working against it.