Integrations
Connectors where you can. A builder where you can't.
Native connectors for the identity and workforce systems mid-market teams already run — Google Workspace, Microsoft Entra ID, Okta, Auth0, Active Directory — and the SaaS around them. For everything else — the internal tool your company actually built, the SaaS your vendor hasn't heard of — an in-app connector builder you use directly in Owlie.
Configuration-first. Functions where config ends. AI-assisted where useful.
In-app connector builder — entry screen
Full provisioning
Native connectors that actually provision.
Sync plus write-back — create, update, disable, revoke, and grant entitlements. Headlined by the identity and workforce core, because that's where lifecycle governance lives: Google Workspace, Microsoft Entra ID, Okta, Auth0, and Active Directory.
Google Workspace
Users, groups, admin roles, org units, domains. Full lifecycle plus group and role grants.
Microsoft Entra ID
Users and groups. Full account lifecycle plus group-membership grants.
Okta
Users, groups, applications, roles. Full account lifecycle.
Auth0
Users, organizations, roles. Full lifecycle plus organization and role grants.
Active Directory
Users, groups, OUs, membership. Full lifecycle, password operations, and incremental sync — through the gateway.
Full provisioning reaches well past identity — Salesforce, ServiceNow, Slack, GitHub, Zoom, Box, Dropbox, Microsoft Teams, OneDrive, and more all run the same create, update, disable, revoke, and entitlement-grant lifecycle.
Systems of record
The sources we read, not write.
Some systems are sources of truth, not targets. We sync them for the signals that drive identity and access — and deliberately don't write back. BambooHR and Workday anchor the workforce graph: who joined, who left, and — for BambooHR — who reports to whom. Jira, Confluence, SharePoint, and Notion fill in the access picture. Read-only by design, not by limitation.
A sync connector and a provisioning connector are different tools. We don't pretend otherwise.
Protocol rails
Speak the standard your system already exposes.
When there's no named connector, connect over the protocol your system already speaks and supply the mapping. Owlie ships the rails; you point them at your endpoint.
Generic SCIM
Any SCIM 2.0 endpoint, over HTTP or through the gateway. Four presets prefill the config: AWS IAM Identity Center, Databricks, Snowflake, and GitHub Enterprise Managed Users.
Generic LDAP
Any LDAP v3 directory. Configurable account and group schema, membership direction, and optional incremental sync. Runs through the gateway.
Generic SQL
Customer-authored SQL for account and entitlement sync and provisioning. Named parameters only. Runs through the gateway.
Flat-file CSV
Drop a CSV. Each upload is one full authoritative snapshot — for the system that exposes no API at all.
The connector gateway
Reach what's behind the firewall.
Active Directory, LDAP directories, on-prem SQL — plenty of the systems you need to govern never touch the public internet. The Owlie gateway is a small agent you run inside your own network. It executes those connectors locally and brokers each operation over a single outbound connection to Owlie's edge, so provisioning and sync behave exactly as they do for cloud systems — same errors, same retries — without opening a port.
- Runs in your network.
- The agent executes connector logic and resolves secrets locally. Owlie's control plane never sees them.
- Outbound only.
- Every connection originates from the agent. No inbound firewall rules, no exposed ports.
- Single-use enrollment.
- Create a gateway, get a one-time token, run setup. The agent generates its own key pair and authenticates by key after that; the token is consumed.
Connector gateway — enrollment token + live agent status
Admin creates a named gateway, runs the on-prem agent with a single-use token; dashboard shows PENDING → ACTIVE, last-seen, and announced connectors.
For everything else
Connectors you build in the product.
The builder is a web UI you use directly inside the admin dashboard. Configure the connection shape — OAuth 2.0, API key, bearer token, or basic and custom-header auth. Declare the entity schemas you want to sync. Map fields with the Owlie Expression Language. Fill in the behaviors that don't fit a config field with a Function — a few lines of TypeScript, sandboxed, version-managed. AI assistance accelerates the parts that have public documentation. A connector that would be a six-figure services engagement elsewhere is a configuration task in Owlie.
- Config-first.
- Most of a typical connector is mapping and lifecycle rules.
- Functions where config ends.
- The behaviors that vary get written in TypeScript.
- AI-assisted where useful.
- Schema inference and handler scaffolding for systems with public docs.
- Versioned releases.
- Draft and edit. Publish to go live. Upgrade installed integrations when you're ready.
Connector builder — mid-configuration (panels + OEL + Function snippet)
Go deeper.
Standards
SCIM and OIDC for SSO and directory sync. SAML 2.0 is on the roadmap.
GraphQL API
A GraphQL API for every platform object.
Sync & import
Scheduled pulls, incremental where the source supports it, full-state reconciliation where it doesn't.
Custom systems
The builder handles this. Request an integration for systems we haven't shaped yet.
What we're not.
We don't ship a directory of shallow logos you'd never trust in an audit. Every native connector is versioned and deep enough to do real governance work — provisioning connectors run the full create, update, disable, revoke, grant lifecycle; sync connectors read the systems of record that drive it. Contract and conformance tests run against each connector's published API, and newer connectors are validated against a live vendor tenant during early access. Where we don't ship native coverage, the builder does — no separate integration project.
Deep connectors. Honest coverage. A builder for the long tail.
Don't see what you need?
Tell us which system. If the builder can shape it, we'll help. If it needs a native connector, it goes on the priority list.
Security & Trust.
Trust Center
Formal review materials at trust.owlie.com.
SOC 2 program in progress
Controls design and evidence collection underway ahead of Type I.
security@owlie.com
Direct line for security reviewers and responsible disclosure.
The stack you have. Not the one your vendor wishes you had.
Early access is open. Bring a real integration ask and we'll show you the builder working against it.