Identity provider (IdP) integrations are among the most impactful connections in LowerPlane. They provide evidence for access control, authentication, and user lifecycle management — requirements that span every compliance framework.

Supported Identity Providers

Provider             | Auth Method              | Key Capabilities
Okta                 | OAuth / API Key          | Users, groups, MFA enrollment, SSO apps, system logs
Google Workspace     | OAuth                    | Users, groups, MFA status, admin reports, organizational units
Azure AD / Entra ID  | OAuth (App Registration) | Users, groups, MFA registration, conditional access, sign-in logs
OneLogin             | API Key                  | Users, roles, MFA status, app assignments
JumpCloud            | API Key                  | Users, groups, MFA, device associations
Auth0                | API Key                  | Users, connections, MFA enrollment
Duo                  | API Key                  | MFA enrollment, authentication logs
PingOne              | API Key                  | Users, groups, MFA policies
AWS Identity Store   | IAM Role                 | SSO users and groups in AWS Organizations
Office 365           | OAuth                    | Users, groups, licenses, MFA status
Zoho (IDP)           | API Key                  | Users, groups, directory data

What Data Is Collected

LowerPlane syncs your full user directory from the identity provider:
  • Full name, email address, and username
  • Department and job title (if available)
  • Account status (active, suspended, deactivated)
  • Creation date and last login time
  • Assigned groups and roles
  • Licensed applications and SSO assignments

How Identity Data Maps to Compliance

Identity provider data directly addresses critical controls across every framework:
Requirement          | ISO 27001 | SOC 2 | HIPAA         | GDPR    | PCI DSS
MFA enforcement      | A.9.4.2   | CC6.1 | 164.312(d)    | Art. 32 | 8.3
Access provisioning  | A.9.2.2   | CC6.2 | 164.312(a)    | Art. 32 | 7.1
Access reviews       | A.9.2.5   | CC6.3 | 164.308(a)(4) | Art. 32 | 7.1.2
Account deactivation | A.9.2.6   | CC6.2 | 164.312(a)    | Art. 17 | 8.1.3
Password policies    | A.9.4.3   | CC6.1 | 164.312(a)    | Art. 32 | 8.2
Privileged access    | A.9.2.3   | CC6.1 | 164.308(a)(4) | Art. 32 | 7.1.1
The ISO 27001 references use the 2013 Annex A numbering and the PCI DSS references use v3.2.1 numbering; both standards have since been renumbered (ISO 27001:2022, PCI DSS v4.0), so an auditor working from the newer editions will cite different control identifiers for the same requirements.

Automated Tests from Identity Providers

When an identity provider is connected, LowerPlane automatically creates and runs these tests:
  • MFA enrolled for all users — Verifies every active user has at least one MFA factor registered.
  • No inactive accounts — Flags accounts that have not logged in within a configurable period (default: 90 days).
  • SSO enforced for critical applications — Checks that key applications are accessed through SSO rather than local credentials.
  • Admin accounts use strong MFA — Verifies privileged accounts use hardware keys or authenticator apps, not SMS.
  • Deactivated users have no active sessions — Confirms terminated employee accounts are fully deprovisioned.
  • Password policy meets requirements — Validates minimum length, complexity, and rotation requirements.
The “MFA enrolled for all users” test is one of the most frequently requested evidence items by auditors. Connecting your identity provider automates this check entirely.
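The directory-based tests above are simple predicates over the synced user records. The following is an added example, not LowerPlane's own test code: it implements four of the listed tests (MFA enrolled, inactive accounts with a configurable window, admin strong MFA, deactivated users with live sessions) over a constructed sample directory. The record fields follow the "What Data Is Collected" list; the `mfa_factors` and `active_sessions` fields, the `roles` value `"admin"` and the set of factor types counted as strong are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Reference time for the checks (fixed so the example is reproducible).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample of synced directory records (not real users). Field names
# follow the "What Data Is Collected" list; `mfa_factors` and `active_sessions`
# are assumed extra fields a sync would carry.
USERS = [
    {"email": "alice@example.com", "status": "active", "roles": ["admin"],
     "created": NOW - timedelta(days=400), "last_login": NOW - timedelta(days=3),
     "mfa_factors": ["webauthn"], "active_sessions": 1},
    {"email": "bob@example.com", "status": "active", "roles": [],
     "created": NOW - timedelta(days=400), "last_login": NOW - timedelta(days=120),
     "mfa_factors": [], "active_sessions": 0},
    {"email": "carol@example.com", "status": "active", "roles": ["admin"],
     "created": NOW - timedelta(days=400), "last_login": NOW - timedelta(days=1),
     "mfa_factors": ["sms"], "active_sessions": 2},
    {"email": "dave@example.com", "status": "deactivated", "roles": [],
     "created": NOW - timedelta(days=400), "last_login": NOW - timedelta(days=10),
     "mfa_factors": ["totp"], "active_sessions": 1},
    {"email": "erin@example.com", "status": "active", "roles": [],
     "created": NOW - timedelta(days=200), "last_login": None,
     "mfa_factors": ["totp"], "active_sessions": 0},
]

# Factor types treated as strong for privileged accounts: hardware keys and
# authenticator apps (assumed labels). SMS is deliberately not in this set.
STRONG_FACTORS = {"webauthn", "fido2", "totp", "push"}


def active_users(users):
    return [u for u in users if u["status"] == "active"]


def check_mfa_enrolled_for_all_users(users):
    """Active users with no registered MFA factor at all."""
    return sorted(u["email"] for u in active_users(users) if not u["mfa_factors"])


def check_no_inactive_accounts(users, now=NOW, max_idle_days=90):
    """Active accounts not signed in within the window (default 90 days).
    An account that has never signed in counts as idle since it was created."""
    cutoff = now - timedelta(days=max_idle_days)
    flagged = []
    for u in active_users(users):
        last_seen = u["last_login"] or u["created"]
        if last_seen < cutoff:
            flagged.append(u["email"])
    return sorted(flagged)


def check_admin_accounts_use_strong_mfa(users):
    """Privileged accounts whose factors are all weak (e.g. SMS only) or absent."""
    return sorted(u["email"] for u in active_users(users)
                  if "admin" in u["roles"] and not STRONG_FACTORS & set(u["mfa_factors"]))


def check_deactivated_users_have_no_active_sessions(users):
    """Non-active accounts that still hold a live session: deprovisioning is incomplete."""
    return sorted(u["email"] for u in users
                  if u["status"] != "active" and u["active_sessions"] > 0)


def run_all(users, now=NOW, max_idle_days=90):
    """Run every check; an empty list means that test passes."""
    return {
        "mfa_enrolled_for_all_users": check_mfa_enrolled_for_all_users(users),
        "no_inactive_accounts": check_no_inactive_accounts(users, now, max_idle_days),
        "admin_accounts_use_strong_mfa": check_admin_accounts_use_strong_mfa(users),
        "deactivated_users_have_no_active_sessions":
            check_deactivated_users_have_no_active_sessions(users),
    }


if __name__ == "__main__":
    for name, failures in run_all(USERS).items():
        print(f"{name}: {'PASS' if not failures else 'FAIL ' + ', '.join(failures)}")
```

Two details matter in practice: a never-logged-in account must still be caught by the inactivity test (here it is measured from creation), and the "deactivated" test must look at session state, not just account status, because a disabled account with a live session is exactly the gap an offboarding review is meant to find.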

People Directory Integration

Identity provider data syncs into the People directory alongside HR data. When both an HR system and identity provider are connected:
  1. HR system provides employment data (name, department, start/end date, status).
  2. Identity provider provides access data (MFA status, account status, last login).
  3. LowerPlane matches records by email address.
  4. The combined record gives you a complete compliance view per employee.
This merged data powers:
  • Access reviews: Compare active employees to active accounts and flag mismatches.
  • Offboarding verification: Confirm terminated employees have deactivated accounts.
  • MFA compliance: Track MFA enrollment rates across the organization.
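The merge step and the three checks it powers, as an added example rather than LowerPlane's own matching code. It assumes HR rows carry `email`, `status` and `end_date` and IdP rows carry `email`, `status` and `mfa_factors`; the sample rows are constructed. It goes slightly beyond the text in two ways a practitioner hits immediately: email addresses are normalized before matching (HR systems and IdPs frequently disagree on case), and known non-human accounts can be excepted from the "account with no HR record" finding.

```python
from datetime import date

# Constructed sample data (not real people). Note the mixed-case HR email.
HR = [
    {"email": "Alice@Example.com", "name": "Alice", "status": "active", "end_date": None},
    {"email": "bob@example.com", "name": "Bob", "status": "terminated",
     "end_date": date(2024, 4, 30)},
    {"email": "carol@example.com", "name": "Carol", "status": "active", "end_date": None},
]
IDP = [
    {"email": "alice@example.com", "status": "active", "mfa_factors": ["webauthn"]},
    {"email": "bob@example.com", "status": "active", "mfa_factors": ["totp"]},    # left enabled
    {"email": "svc-backup@example.com", "status": "active", "mfa_factors": []},  # no HR row
]


def normalize_email(email):
    """Match case-insensitively; a raw string compare would miss Alice above."""
    return email.strip().lower()


def merge(hr_rows, idp_rows):
    """One combined record per email, with either side absent where unmatched."""
    hr = {normalize_email(r["email"]): r for r in hr_rows}
    idp = {normalize_email(r["email"]): r for r in idp_rows}
    return {key: {"hr": hr.get(key), "idp": idp.get(key)} for key in hr.keys() | idp.keys()}


def access_review(merged, known_non_human=frozenset()):
    """Active employees vs active accounts; returns (email, reason) mismatches."""
    findings = []
    for email, rec in sorted(merged.items()):
        hr, idp = rec["hr"], rec["idp"]
        if hr is None and idp and idp["status"] == "active" and email not in known_non_human:
            findings.append((email, "active account with no HR record"))
        elif hr and hr["status"] == "active" and idp is None:
            findings.append((email, "active employee with no IdP account"))
    return findings


def offboarding_failures(merged):
    """Terminated employees whose IdP account is still active."""
    return sorted(email for email, rec in merged.items()
                  if rec["hr"] and rec["hr"]["status"] == "terminated"
                  and rec["idp"] and rec["idp"]["status"] == "active")


def mfa_enrollment_rate(merged):
    """Share of active accounts with at least one factor (1.0 when there are none)."""
    accounts = [r["idp"] for r in merged.values() if r["idp"] and r["idp"]["status"] == "active"]
    if not accounts:
        return 1.0
    return sum(1 for a in accounts if a["mfa_factors"]) / len(accounts)


if __name__ == "__main__":
    merged = merge(HR, IDP)
    print("access review:", access_review(merged))
    print("offboarding failures:", offboarding_failures(merged))
    print(f"MFA enrollment rate: {mfa_enrollment_rate(merged):.0%}")
```

Unmatched active accounts are not always a finding: service accounts and break-glass accounts legitimately have no HR record, so maintain an explicit exception list for them rather than letting reviewers learn to ignore the alert.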

Connection Guides

Okta

  1. In Okta Admin Console, go to Security > API > Tokens.
  2. Create a new token with a descriptive name (e.g., “LowerPlane Read-Only”). An Okta API token inherits the permissions of the administrator who creates it; the name does not limit what it can do, so create it while signed in as a dedicated account that holds only the Read-only Administrator role.
  3. Copy the token value immediately — it is only shown once.
  4. In LowerPlane, navigate to Integrations > Okta and paste the token.
  5. Enter your Okta domain (e.g., yourcompany.okta.com).
  6. Click Connect to verify and begin the initial sync.

Google Workspace

  1. In LowerPlane, navigate to Integrations > Google Workspace and click Connect.
  2. You will be redirected to Google’s OAuth consent screen.
  3. Sign in with a Google Workspace super admin account. The grant is tied to the account that authorizes it, so if that account is later suspended or deleted the connection must be re-authorized.
  4. Grant the requested permissions (read-only access to directory, reports, and admin settings).
  5. After authorization, you are redirected back to LowerPlane and the sync begins.

Azure AD / Entra ID

  1. In the Azure Portal, register a new application under App registrations.
  2. Under API permissions, add the Microsoft Graph permissions User.Read.All, Group.Read.All, Directory.Read.All and AuditLog.Read.All as application permissions (not delegated, since LowerPlane authenticates as the application rather than as a signed-in user) and grant admin consent for the tenant.
  3. Create a client secret and note the Application (client) ID and Directory (tenant) ID. Client secrets expire, so record the expiry date and rotate the secret before the integration stops syncing.
  4. In LowerPlane, navigate to Integrations > Azure Active Directory.
  5. Enter the tenant ID, client ID, and client secret.
  6. Click Connect to verify credentials and start syncing.
The data these integrations sync is sensitive in its own right: a list of accounts without MFA, or of privileged accounts that use SMS, is a ready-made target list. Ensure that only authorized administrators can view integration configurations and sync results within LowerPlane, and use role-based access to restrict visibility.
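Before pasting an Okta token into any third-party integration, it is worth confirming what the token can actually read. The following is an added example, not LowerPlane code: it lists users through Okta's public Users API (`GET /api/v1/users`, SSWS authorization header, `Link` header pagination) and reads each sampled user's factors (`GET /api/v1/users/{id}/factors`), which is the data the "MFA enrolled" test depends on. The tenant `example.okta.com` and the recorded responses are constructed so the example runs offline; treating an HTTP 403 on the factors endpoint as "this token's admin role cannot read MFA data" is an assumption about how Okta reports insufficient permissions.

```python
import json
import re
import urllib.error
import urllib.request


def http_get(url, token):
    """Live transport: GET with the SSWS header Okta API tokens use.
    Returns (HTTP status, headers, parsed JSON body)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.headers, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, err.headers, {}


def next_link(headers):
    """Okta paginates with a Link header; follow rel="next" until it is absent.
    Stopping after the first page is a classic cause of a user count mismatch."""
    match = re.search(r'<([^>]+)>;\s*rel="next"', headers.get("Link", "") or "")
    return match.group(1) if match else None


def list_users(domain, token, fetch=http_get, page_size=200):
    url = f"https://{domain}/api/v1/users?limit={page_size}"
    users = []
    while url:
        status, headers, body = fetch(url, token)
        if status != 200:
            raise RuntimeError(f"GET {url} returned HTTP {status}; check the token and its admin role")
        users.extend(body)
        url = next_link(headers)
    return users


def user_factors(domain, token, user_id, fetch=http_get):
    """Active factor types for one user, or None if the token may not read factors
    (assumed to surface as HTTP 403)."""
    status, _, body = fetch(f"https://{domain}/api/v1/users/{user_id}/factors", token)
    if status == 403:
        return None
    return [f["factorType"] for f in body if f.get("status") == "ACTIVE"]


def verify_token(domain, token, fetch=http_get, sample=5):
    """Summarise what the token can see: user count by status, and whether MFA
    factor data is readable for a sample of users."""
    users = list_users(domain, token, fetch)
    by_status = {}
    for u in users:
        by_status[u["status"]] = by_status.get(u["status"], 0) + 1
    factors_readable = all(
        user_factors(domain, token, u["id"], fetch) is not None for u in users[:sample])
    return {"total_users": len(users), "by_status": by_status,
            "factors_readable": factors_readable}


# Constructed recorded responses (not from a real tenant) so the example runs
# offline. Swap fake_fetch for http_get to run it against a live org.
BASE = "https://example.okta.com/api/v1"
RECORDED = {
    f"{BASE}/users?limit=200": (
        200,
        {"Link": f'<{BASE}/users?limit=200>; rel="self", '
                 f'<{BASE}/users?after=u2&limit=200>; rel="next"'},
        [{"id": "u1", "status": "ACTIVE"}, {"id": "u2", "status": "SUSPENDED"}]),
    f"{BASE}/users?after=u2&limit=200": (
        200, {"Link": f'<{BASE}/users?after=u2&limit=200>; rel="self"'},
        [{"id": "u3", "status": "ACTIVE"}]),
    f"{BASE}/users/u1/factors": (200, {}, [
        {"factorType": "sms", "status": "ACTIVE"},
        {"factorType": "token:software:totp", "status": "PENDING_ACTIVATION"}]),
    f"{BASE}/users/u2/factors": (200, {}, []),
    f"{BASE}/users/u3/factors": (200, {}, [{"factorType": "webauthn", "status": "ACTIVE"}]),
}


def fake_fetch(url, token):
    return RECORDED.get(url, (404, {}, {}))


if __name__ == "__main__":
    print(verify_token("example.okta.com", "not-a-real-token", fetch=fake_fetch))
```

Note that an unfiltered Okta user listing does not return users in the DEPROVISIONED state; if the count reported here differs from the Okta admin console, that filtering is one of the causes listed under Troubleshooting.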

Troubleshooting

Issue                         | Resolution
MFA data not appearing        | Check that the API key or OAuth scope includes access to MFA enrollment data. Some providers require admin-level permissions.
User count mismatch           | Verify the integration scope. Some providers filter by user status (active only) or organizational unit.
Authentication logs are empty | Log collection may require additional permissions or an enterprise-tier subscription with your provider.
Sync takes too long           | Large directories (10,000+ users) may take several minutes. The initial sync is always the longest.