Identity & directories
Connected to the directory you already run.
Native connectors for Google Workspace, Microsoft Entra ID, Okta, Auth0, and Active Directory. OIDC for SSO — SAML 2.0 is on the roadmap, not yet available (see /integrations/standards). SCIM for directory and lifecycle sync. Users and groups are a solved problem.
Named live connectors
Directory-native. Not directory-adjacent.
Production connectors for the identity stacks teams actually run — cloud directories and on-prem Active Directory alike. Each one syncs the entities that matter for access governance, and provisions the writes your workflows produce.
Google Workspace
Users, groups, admin roles, org units, domains. Full provisioning and sync. Custom actions for operational workflows — move user to OU, sign out active sessions.
Microsoft Entra ID
Users, groups, group membership. Full provisioning and sync. The Entra surface that backs the rest of your Microsoft estate.
Okta
Users, groups, applications, roles. Full provisioning and sync. A major IdP, treated with the same depth as the rest of your directory core.
Auth0
Users, organizations, roles. Full provisioning and sync. Matches the way Auth0-first product orgs actually model customers and staff.
Active Directory
Users, groups, OUs, group membership, with uSNChanged incremental sync. Full account lifecycle, plus ad hoc ops — unlock, force password change, move OU. On-prem, reached through the Owlie gateway.
Beyond sync and provision
The one-off operations you actually run.
Governance isn't only create and revoke. Connectors expose the ad hoc operations a helpdesk reaches for every day — run them from Owlie instead of jumping into each vendor's console. Which ones are available depends on the connector.
Unlock account
Clear an Active Directory lockout without opening the DC console.
Force password change at next logon
Require a fresh password the next time the user signs in.
Move to a different OU
Relocate a user's org unit in Active Directory or Google Workspace.
Re-send an invitation
Re-issue a pending invite on invite-based systems like GitHub and Linear.
SSO and directory sync
The standards that do the work.
Owlie supports OIDC SSO with Google (shared credentials) and tenant-supplied Microsoft, Okta, or custom OIDC providers. SAML 2.0 is on the roadmap, not yet available — external sign-in is OIDC-based today (see /integrations/standards). SCIM is used for directory and lifecycle sync where the source system speaks it.
Owlie as an identity provider
Owlie can be the identity provider.
Beyond connecting to the directory you already run, Owlie ships a multi-tenant OpenID Connect provider. Point your own OAuth 2.1 / OIDC apps at your tenant's issuer and let Owlie handle sign-in — every tenant gets its own issuer and its own data scope.
- Client management
- Register and manage your own OAuth/OIDC clients per tenant. Redirect URIs and scopes are allowlisted and enforced on every authorization request.
- Authorization code + PKCE
- Authorization-code flow with PKCE (S256) for SPAs and native apps, plus client-credentials for service-to-service. OAuth 2.1 behavior — no implicit or hybrid flows.
- Refresh tokens, rotated
- Family-based refresh-token rotation gated on offline_access. Reusing a consumed token revokes the whole family, so replay is caught.
- Secret and signing-key rotation
- Client secrets are stored hashed and rotatable. Per-tenant signing keys are published through JWKS with a kid and rotate on a grace window for in-flight tokens.
Owlie IdP — client management
Tenant admin view: registered OAuth/OIDC clients with redirect-URI and scope allowlists, secret rotation, and signing-key rotation.
If your directory isn't in the list.
If your directory or identity system isn't named above, the in-app connector builder is usually the path — it covers OAuth 2.0, API-key, and JWT auth shapes. Request a native connector via /integrations/request if one makes sense for more teams than yours.
The directory you already run. Governed by Owlie.
Early access is open. Bring your directory and we'll show you the connector working against it.