Standards

Speaks the standards your security team expects.

SCIM for directory and lifecycle sync. OIDC and OAuth 2.0 for sign-in and connector auth. Part of the platform's authentication and sync layers from day one — not a retrofit.

What's supported.

The short list of what a security reviewer actually cares about — at the depth the review questionnaire asks for.

SSO — OIDC
Tenant-configured external sign-in. Google ships with managed credentials; Microsoft, Okta, and custom OIDC providers use tenant-supplied configuration. Domain allowlists, verified-email requirements, account linking, and optional just-in-time user provisioning are first-class settings — not bolt-ons.
SCIM — directory and lifecycle sync
Owlie's config-driven SCIM 2.0 connector reads users, groups, and memberships from a SCIM source and provisions accounts and groups back out to SCIM targets — Owlie is the client to the external system, not a hosted endpoint your IdP pushes into. Shipped presets cover AWS IAM Identity Center, Databricks, Snowflake, and GitHub Enterprise Managed Users; a standards-compliant server needs little more than a base URL and auth. Field shapes and lifecycle semantics depend on the target system, so coverage is scoped, documented, and honest about what each side supports.
OAuth 2.0 — throughout the integrations layer
Native connectors support authorization-code flow, client credentials, and JWT bearer, as declared by the target system. The in-app builder covers the authorization-code and client-credentials flows: pick the flow, store credentials under tenant-scoped encryption, and refresh tokens without custom code.

What's not at launch.

We don't ship every standards variant. SAML 2.0 is on the roadmap, not at launch — external sign-in is OIDC-based today. Proprietary SSO flavors and obscure federation profiles aren't in launch scope either. If your stack needs one, tell us.