Identity Provider Integration
Connecting your identity provider (IdP) is the most impactful first integration. It enables employee directory sync, authentication event monitoring, and MFA status tracking.
Supported Identity Providers
| Provider | Protocol | Events Captured |
|---|---|---|
| Okta | REST API + Event Hooks | SSO, MFA, lifecycle, admin actions |
| Microsoft Entra ID | Microsoft Graph API | Sign-in logs, MFA, conditional access, risky users |
| Google Workspace | Admin SDK + Reports API | Login activity, 2FA status, admin events |
| OneLogin | REST API + Event Webhooks | Authentication, provisioning events |
| Ping Identity | REST API | SSO events, MFA events |
Setting Up Okta
Prerequisites
- Okta admin account with Super Admin or Org Admin role
- API token with read access to System Log and Users
Steps
- In TIDALBAY, navigate to Admin → Integrations → Add Integration
- Select Okta
- Enter your Okta domain (e.g., yourcompany.okta.com)
- In Okta Admin Console, create an API token: Security → API → Tokens → Create Token
- Paste the token in TIDALBAY and click Test Connection
- Once verified, click Activate
Event Hooks (Recommended)
For real-time event streaming, configure Okta Event Hooks to send events to your TIDALBAY webhook endpoint. Without event hooks, TIDALBAY polls the System Log API every 5 minutes.
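The exchange a receiving endpoint has to handle for Okta Event Hooks, as an added illustration (this is not TIDALBAY's code): Okta first sends a one-time GET carrying an X-Okta-Verification-Challenge header and expects the value echoed back as {"verification": "<value>"}; thereafter it POSTs JSON deliveries whose data.events array holds System Log events. The shared secret configured on the hook is assumed here to arrive in the Authorization header, and the sample delivery is constructed.

```python
"""Model of the two request types an Okta Event Hook endpoint receives.

Added example, not TIDALBAY code. Requests are represented as
(method, headers, body) so the logic can be exercised offline.
"""
import hmac
import json

# Assumption: the secret configured in the hook's Authentication field,
# delivered by Okta in the Authorization header (constructed value).
HOOK_SECRET = "constructed-shared-secret"


def summarise_event(event):
    """Pull the fields a monitoring pipeline keys on from one System Log event."""
    return {
        "type": event.get("eventType"),
        "result": event.get("outcome", {}).get("result"),
        "actor": event.get("actor", {}).get("alternateId"),
        "ip": event.get("client", {}).get("ipAddress"),
        "published": event.get("published"),
    }


def handle_request(method, headers, body, expected_secret=HOOK_SECRET):
    """Return (status_code, response_body, event_summaries) for one request."""
    # HTTP header names are case-insensitive; normalise once.
    hdrs = {k.lower(): v for k, v in headers.items()}

    # Check the hook secret in constant time before touching the body.
    if not hmac.compare_digest(hdrs.get("authorization", ""), expected_secret):
        return 401, {"error": "invalid hook secret"}, []

    if method == "GET":
        # One-time verification handshake: echo the challenge value.
        challenge = hdrs.get("x-okta-verification-challenge")
        if not challenge:
            return 400, {"error": "missing verification challenge"}, []
        return 200, {"verification": challenge}, []

    if method == "POST":
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            return 400, {"error": "malformed JSON"}, []
        events = payload.get("data", {}).get("events", [])
        summaries = [summarise_event(e) for e in events]
        return 200, {"accepted": len(summaries)}, summaries

    return 405, {"error": "method not allowed"}, []


# Constructed sample delivery in the shape Okta uses for event hooks.
SAMPLE_DELIVERY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"eventType": "user.session.start",
         "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
         "actor": {"alternateId": "alice@example.com"},
         "client": {"ipAddress": "203.0.113.5"},
         "published": "2024-05-01T10:00:00.000Z"},
        {"eventType": "user.mfa.factor.deactivate",
         "outcome": {"result": "SUCCESS"},
         "actor": {"alternateId": "bob@example.com"},
         "client": {"ipAddress": "198.51.100.7"},
         "published": "2024-05-01T10:01:00.000Z"},
    ]},
})

if __name__ == "__main__":
    print(handle_request("GET", {"Authorization": HOOK_SECRET,
                                 "X-Okta-Verification-Challenge": "abc123"}, ""))
    print(handle_request("POST", {"Authorization": HOOK_SECRET}, SAMPLE_DELIVERY))
```

The secret check runs before the body is parsed, so an unauthenticated sender cannot make the endpoint do JSON work; the verification GET is also gated by it, which is why the hook's authentication field should be filled in before the hook is verified.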
Setting Up Microsoft Entra ID
Prerequisites
- Azure AD admin account with Global Reader or Security Reader role
- Azure AD Premium P1 or P2 license (for sign-in logs)
Steps
- In TIDALBAY, select Microsoft Entra ID
- Click Authorize with Microsoft to initiate OAuth flow
- Sign in with your Azure AD admin account
- Grant the requested permissions (Directory.Read.All, AuditLog.Read.All)
- TIDALBAY will verify the connection and begin syncing
Setting Up Google Workspace
Prerequisites
- Google Workspace Super Admin account
- Google Cloud project with Admin SDK enabled
Steps
- In TIDALBAY, select Google Workspace
- Click Authorize with Google
- Sign in with your Google Workspace admin account
- Grant the requested API scopes
- TIDALBAY will verify access and begin syncing
Events Captured
Identity provider integrations capture the following event types:
| Event | Default Impact | Description |
|---|---|---|
| Login success | No impact | Normal authentication (logged for context) |
| Login failure (repeated) | -10 points | 5+ failed login attempts within 1 hour |
| MFA disabled | -30 points | User disables multi-factor authentication |
| MFA enrolled | +10 points | User enables MFA |
| Suspicious login | -15 points | Login from new location, impossible travel, or Tor |
| Password changed | No impact | Logged for context |
| Account locked | -20 points | Account locked due to too many failures |
Custom Rules
All default event impacts can be customized via Scoring Rules.
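A worked pass over the default impacts in the table above, added here as an illustration rather than TIDALBAY's scoring engine. It shows the one rule that needs state: "Login failure (repeated)" only costs points once 5 failures land inside a 1-hour window, so failures are tracked per user in a sliding window. The IMPACTS map stands in for what a Scoring Rule overrides; the event names, the initial score and the sample stream are constructed.

```python
"""Default event impacts applied to a constructed stream of IdP events.

Added example, not TIDALBAY code. Impact values follow the table on this page.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default impacts from the table (points added to the employee score).
IMPACTS = {
    "login_success": 0,
    "login_failure_repeated": -10,
    "mfa_disabled": -30,
    "mfa_enrolled": +10,
    "suspicious_login": -15,
    "password_changed": 0,
    "account_locked": -20,
}
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(hours=1)
INITIAL_SCORE = 100  # assumption: the page does not state the initial score


class Scorer:
    def __init__(self, impacts=IMPACTS):
        self.impacts = impacts
        self.scores = defaultdict(lambda: INITIAL_SCORE)
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures

    def apply(self, user, event, ts):
        """Apply one normalised event; return the impact actually applied."""
        if event == "login_failure":
            window = self._failures[user]
            window.append(ts)
            # Drop failures that fell out of the 1-hour window.
            while window and ts - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) < FAILURE_THRESHOLD:
                return 0
            # Threshold crossed: charge once and reset, so a long burst is not
            # penalised on every additional failure.
            window.clear()
            delta = self.impacts["login_failure_repeated"]
        else:
            # Unknown event types are logged for context only (no impact).
            delta = self.impacts.get(event, 0)
        self.scores[user] += delta
        return delta


def run(events, impacts=IMPACTS):
    """Score a (user, event, ISO timestamp) stream; return (scores, applied deltas)."""
    scorer = Scorer(impacts)
    applied = [scorer.apply(u, e, datetime.fromisoformat(t)) for u, e, t in events]
    return dict(scorer.scores), applied


# Constructed sample stream.
SAMPLE_EVENTS = [
    ("alice", "login_failure", "2024-05-01T09:00:00"),
    ("alice", "login_failure", "2024-05-01T09:05:00"),
    ("alice", "login_failure", "2024-05-01T09:10:00"),
    ("alice", "login_failure", "2024-05-01T09:15:00"),
    ("alice", "login_failure", "2024-05-01T09:20:00"),  # 5th within 1h
    ("alice", "account_locked", "2024-05-01T09:20:01"),
    ("bob", "login_failure", "2024-05-01T08:00:00"),
    ("bob", "login_failure", "2024-05-01T08:10:00"),
    ("bob", "login_failure", "2024-05-01T09:30:00"),  # first two have aged out
    ("bob", "mfa_enrolled", "2024-05-01T10:00:00"),
    ("carol", "suspicious_login", "2024-05-01T11:00:00"),
    ("carol", "mfa_disabled", "2024-05-01T11:05:00"),
]

if __name__ == "__main__":
    scores, applied = run(SAMPLE_EVENTS)
    for user, score in sorted(scores.items()):
        print(user, score)
```

Passing a modified copy of IMPACTS to run() is the equivalent of a custom Scoring Rule: the window logic stays the same and only the point values change.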
Employee Directory Sync
When an IdP is connected, TIDALBAY automatically syncs your employee directory:
- New employees are created in TIDALBAY with an initial score
- Employee attributes (name, email, department, manager) are kept in sync
- Deactivated accounts are marked as inactive in TIDALBAY
- Sync runs every 15 minutes by default
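The reconciliation step behind the four behaviours listed above, as an added example (not TIDALBAY's sync code): a fresh IdP snapshot is merged into the local employee table, creating new employees with an initial score, refreshing the synced attributes, and marking deactivated accounts inactive. The initial score, the record layout and the sample data are assumptions; the example also shows the caveat that accounts missing from a snapshot should only be treated as deactivated when the snapshot is known to be complete.

```python
"""One directory-sync reconciliation pass over constructed data.

Added example, not TIDALBAY code. Records are keyed by the IdP user id.
"""
INITIAL_SCORE = 100  # assumption: the page does not state the initial score
SYNCED_ATTRS = ("name", "email", "department", "manager")


def reconcile(local, snapshot, snapshot_complete=True):
    """Return (updated_local, changes) without mutating the inputs.

    snapshot_complete=False is for partial pulls (e.g. a paginated fetch that
    did not finish); in that mode, accounts absent from the snapshot are left
    alone instead of being deactivated.
    """
    updated = {uid: dict(rec) for uid, rec in local.items()}
    changes = []

    for uid, idp_rec in snapshot.items():
        if uid not in updated:
            # New employee: create with the initial score.
            updated[uid] = {attr: idp_rec.get(attr) for attr in SYNCED_ATTRS}
            updated[uid].update(score=INITIAL_SCORE,
                                active=idp_rec.get("active", True))
            changes.append(("created", uid))
            continue

        rec = updated[uid]
        # Keep synced attributes aligned with the IdP.
        for attr in SYNCED_ATTRS:
            if rec.get(attr) != idp_rec.get(attr):
                rec[attr] = idp_rec.get(attr)
                changes.append(("updated", uid, attr))

        # Deactivated in the IdP -> inactive locally; the score is retained.
        if rec["active"] and not idp_rec.get("active", True):
            rec["active"] = False
            changes.append(("deactivated", uid))

    if snapshot_complete:
        # Accounts that vanished from a complete snapshot count as deactivated.
        for uid in sorted(set(updated) - set(snapshot)):
            if updated[uid]["active"]:
                updated[uid]["active"] = False
                changes.append(("deactivated", uid))

    return updated, changes


# Constructed local table and IdP snapshot.
LOCAL = {
    "u1": {"name": "Alice", "email": "alice@example.com", "department": "Engineering",
           "manager": "u9", "score": 85, "active": True},
    "u2": {"name": "Bob", "email": "bob@example.com", "department": "Finance",
           "manager": "u9", "score": 70, "active": True},
    "u3": {"name": "Carol", "email": "carol@example.com", "department": "Sales",
           "manager": "u9", "score": 90, "active": True},
}
SNAPSHOT = {
    "u1": {"name": "Alice", "email": "alice@example.com", "department": "Security",
           "manager": "u9", "active": True},
    "u2": {"name": "Bob", "email": "bob@example.com", "department": "Finance",
           "manager": "u9", "active": False},
    "u4": {"name": "Dave", "email": "dave@example.com", "department": "Support",
           "manager": "u9", "active": True},
}

if __name__ == "__main__":
    _, changes = reconcile(LOCAL, SNAPSHOT)
    for change in changes:
        print(change)
```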
Troubleshooting
Connection fails
Verify your API token has the required permissions and has not expired. For OAuth integrations, try re-authorizing.
Missing events
Check that your IdP plan includes access to the required logs. Some log types (e.g., Azure AD sign-in logs) require premium licenses.