# Integrations ### Overview This page covers the integrations that power Lifecycle Management workflows and can act as identity sources for LCM policies, and target applications that can be provisioned or deprovisioned. Enabling provisioning on an integration also makes it available to other Veza products that use write-back capabilities, including Access Intelligence (Disable Accounts) and Access Requests. The integration tables below represent the validated, production-ready set for Lifecycle Management specifically. Veza supports three primary implementation pathways: 1. **Native Integrations**: Direct API-based provisioning with out-of-the-box support (see validated integrations below) 2. **SCIM 2.0 Protocol**: Standards-based provisioning for any SCIM-compliant application 3. **OAA Write Framework**: Veza's Open Authorization API (OAA) extends write-back support to applications not natively integrated with the Veza platform This architecture means that **nearly any existing Veza integration can be enabled for provisioning**. The validated integrations listed below represent tested, production-ready configurations. For additional integration support, contact your Customer Success Manager. ### Supported Integrations #### Identity Sources Identity sources are authoritative systems that provide information about user identities. While Veza does not require write permissions to the identity source of truth, some of these integrations are also supported as provisioning targets. Integrations can also allow write-back of a user's newly created email address to the user's record in the source of identity as part of the initial provisioning workflow. Veza supports leading HR systems, IDPs and directory services, ITSM platforms, payroll systems, custom applications, and flat files: | Identity Source | Supported Entity Types | Notes | | ----------------------------------------------------------------------------------------------------- | --------------------------- | ------------------------- | | [Active Directory](/4yItIzMvkpAvMVFAamTf/integrations/integrations/active-directory.md) | ActiveDirectoryUser | | | [Beeline](/4yItIzMvkpAvMVFAamTf/integrations/integrations/beeline.md) | CustomHRISEmployee | | | [Coupa CCW](/4yItIzMvkpAvMVFAamTf/integrations/integrations/coupa-ccw.md) | CustomHRISEmployee | | | [Custom IDP](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/templates/custom-identity-provider-template.md) | CustomIDPUser | | | [Custom HRIS (OAA)](/4yItIzMvkpAvMVFAamTf/developers/api/oaa/templates/hris-template.md) | CustomHRISEmployee | | | [HiBob](/4yItIzMvkpAvMVFAamTf/integrations/integrations/hibob.md) | CustomHRISEmployee | Supports email write-back | | [LDAP](/4yItIzMvkpAvMVFAamTf/integrations/integrations/ldap/provisioning.md) | LDAP user | | | [Ivanti Neurons HR](/4yItIzMvkpAvMVFAamTf/integrations/integrations/ivanti_nurons_hr.md) | CustomHRISEmployee | | | [Azure AD](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure.md) | AzureADUser | | | [Google Workspace](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google.md) | GoogleWorkspaceUser | | | [Okta](/4yItIzMvkpAvMVFAamTf/integrations/integrations/okta.md) | OktaUser | | | [Oracle HCM](/4yItIzMvkpAvMVFAamTf/integrations/integrations/oracle-hcm.md) | OAA.Oracle HCM.HRISEmployee | Supports email write-back | | [ServiceNow](/4yItIzMvkpAvMVFAamTf/integrations/integrations/servicenow/provisioning.md) | ServiceNowUser | | | [UKGPro](/4yItIzMvkpAvMVFAamTf/integrations/integrations/ukgpro.md) | CustomHRISEmployee | | | [Workday](/4yItIzMvkpAvMVFAamTf/integrations/integrations/workday.md) | WorkdayWorker | Supports email write-back | #### Target Application Support The following integrations are validated as provisioning targets for Lifecycle Management workflows. Enabling provisioning on an integration enables actions (create, sync, deprovision, manage relationships) that can be triggered from LCM policies and from other Veza products. **Validated Integrations** The following table lists the out-of-the-box, Veza-validated target application integrations. | Target Application | Manage Relationships | Sync Identities | Deprovision Identity | Additional Actions | Supported Entitlement Types | Notes | | --------------------------------------------------------------------------------------------------------------------- | :------------------: | :-------------: | :------------------: | --------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | | [**Active Directory**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/active-directory/provisioning.md) | ✅ | ✅ | ✅ | Reset Password, Create Entitlements, Delete Identity | ActiveDirectoryGroup | - | | [**Atlassian Cloud**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/atlassian/provisioning.md) | ✅ | ✅ | ✅ | Delete Identity | AtlassianCloudAdminGroup | - | | [**AWS SSO**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/aws/provisioning.md) | ✅ | ✅ | ✅ | Create Entitlement | AwsSsoGroup | - | | [**Azure**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/azure/provisioning.md) | ✅ | ✅ | ✅ | Reset Password, Create & Manage Email, Create Entitlement | AzureADGroup, AzureADRole, ExchangeOnlineDistributionGroup, AzureADLicense | Email management includes mailbox configuration (size limits, quotas, auditing) and client access settings (OWA, ActiveSync, MAPI, POP, IMAP) | | [**Custom Application (OAA Template)**](/4yItIzMvkpAvMVFAamTf/features/lifecycle-management/integrations/oaa-scim.md) | ✅ | ✅ | ✅ | Delete Identity | ApplicationGroup, ApplicationRole | - | | [**Exchange Server**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/exchange-online/provisioning.md) | ❌ | ❌ | ❌ | Create Email | - | - | | [**GitHub**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/github/provisioning.md) | ✅ | ✅ | ✅ | Delete Identity | GithubOrganization, GithubTeam | - | | [**LDAP**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/ldap/provisioning.md) | ✅ | ✅ | ✅ | Create Entitlement, Delete Identity | LDAP group | Includes Red Hat Identity Manager and FreeIPA | | [**Google Workspace (Google Cloud)**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/google/provisioning.md) | ✅ | ✅ | ✅ | - | GoogleWorkspaceGroup | - | | [**MySQL**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/mysql/provisioning.md) | ✅ | ✅ | ✅ | Delete Identity | MySQLRoleInstance | - | | [**Okta**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/okta/provisioning.md) | ✅ | ✅ | ✅ | Reset Password, Create Entitlement, Delete Identity | OktaGroup | Supports two deprovision types: SUSPENDED (temporary) and DISABLED (permanent deactivation) | | [**Oracle Database**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/oracle-database/provisioning.md) | ✅ | ✅ | ✅ | Delete Identity | OracleDBRole | - | | [**Oracle Fusion Cloud**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/oracle-fusion-cloud/provisioning.md) | ✅ | ✅ | ✅ | Delete Identity | OracleRole | - | | [**Oracle HCM**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/oracle-hcm/provisioning.md) | ❌ | ✅ | ❌ | - | - | - | | [**PagerDuty**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/pagerduty/provisioning.md) | ✅ | ✅ | ❌ | Delete Identity | PagerDutyTeam | Platform does not support user deactivation; use Delete Identity instead | | [**PostgreSQL**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/postgresql/provisioning.md) | ✅ | ✅ | ✅ | Delete Identity | PostgreSQLGroup | - | | [**Salesforce**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/salesforce/provisioning.md) | ✅ | ✅ | ✅ | - | SalesforceGroup, SalesforcePermissionSet, SalesforcePermissionSetGroup, SalesforceProfile, SalesforceUserRole | - | | **SAP ECC** | ✅ | ✅ | ✅ | - | SapEccRole | Manage Relationships supports role assignment only (revocation is not supported) | | [**SCIM**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/scim/provisioning.md) | ✅ | ✅ | ✅ | Delete Identity | SCIMGroup | - | | [**ServiceNow**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/servicenow/provisioning.md) | ❌ | ❌ | ❌ | Custom Action | - | - | | [**Snowflake**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/snowflake/provisioning.md) | ✅ | ✅ | ✅ | - | SnowflakeRole | - | | [**Splunk Enterprise**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/splunk-enterprise/provisioning.md) | ✅ | ✅ | ❌ | Delete Identity | SplunkEnterpriseRole | Platform does not support user deactivation; use Delete Identity instead | | [**Workday**](/4yItIzMvkpAvMVFAamTf/integrations/integrations/workday/provisioning.md) | ✅ | ✅ | ❌ | - | WorkdaySecurityGroup | - | | **Veza** | ✅ | ✅ | ✅ | - | VezaRoleBinding, VezaAccessProfile, VezaGroup | - | **Other Supported Integrations** For any Veza-supported application not listed above, contact your Customer Success Manager for more details on how to enable the specific Veza integration for use with provisioning as a target application for provisioning and de-provisioning. **Custom REST Actions** Veza provisioning supports Custom REST Actions that enable HTTP requests to external APIs and services as part of automated workflows. This action type provides integration with custom applications, webhooks, and any REST-based service that supports identity management operations. Custom REST Actions extend provisioning support to virtually any system with an accessible API, enabling use cases such as triggering custom workflows, notifying external systems, or coordinating provisioning sequences across multiple downstream applications. ### Configuring Integrations for Provisioning #### Insight Points for provisioning An Insight Point is required to enable provisioning operations and identity discovery for systems that Veza cannot access directly, such as an on-premises application server behind a firewall. The Insight Point is a lightweight connector that runs in your environment, enabling secure gathering and processing of authorization metadata for provisioning tasks. A Veza Insight Point is typically deployed as a Docker container or VM OVA, running within your network for metadata discovery and provisioning job execution. This ensures secure communication between your environment and Veza. For deployment instructions, refer to the [Insight Point Documentation](/4yItIzMvkpAvMVFAamTf/integrations/connectivity.md). #### Scheduled and Manual Extractions You can configure extraction intervals for your integrations to ensure data is regularly updated for provisioning workflows. 1. Go to Veza **Administration** > **System Settings** 2. In the **Pipeline** > **Extraction Interval** section, set the global extraction interval 3. To override the global setting for specific integrations, use the *Active Overrides* section Available extraction intervals are: * Auto (hourly, but may take longer when the extraction pipeline is full) * 15 Minutes * 1 Hour * 6 Hours * 12 Hours * 1 Day * 2 Days * 3 Days * 7 Days * 30 Days To manually trigger an extraction: 1. Go to **Integrations** > **All Data Sources** 2. Search for the desired data source 3. Select **Actions** > **Start Extraction** **Note**: Custom application payloads are extracted after the payload is pushed to Veza using the Open Authorization API. #### Enabling provisioning To enable provisioning for a specific integration: 1. Open the **Integrations** page (in the Featured section of the navigation sidebar), or **Lifecycle Management** > **Integrations** (in the Products section). 2. Search for the integration you want to enable and open its settings. 3. Check the **Enable usage for Provisioning** checkbox, then click **Save Configuration**. ![The Edit Integration panel showing the Enable usage for Provisioning checkbox](/files/CH6LjOL7HxbbLUpax9EP) After saving, the integration shows **Enabled** in the **Lifecycle Management** column on the Integrations overview. ![The Integrations overview showing Lifecycle Management Enabled for configured integrations](/files/8axskiSJHzakaUSQ8bRB) #### Checking provisioning data sources To verify the health of the provisioning data source: 1. Open **Lifecycle Management** > **Integrations** (in the Products section of the navigation sidebar), or the main **Integrations** page (in the Featured section) 2. Search for the integration and click the name to view details 3. In the **Properties** panel, click the magnifying glass icon under **Lifecycle Management Enabled** ## Best practices for identity sources ### API rate limits Many identity source systems have API rate limits that can affect extraction timing. Avoid forcing repeated extractions within short time windows (typically 5 minutes) to prevent API errors that delay workflow execution. ### Custom field management For systems using custom or user-defined fields (UDFs), maintain clear documentation of: * Field purpose and mapping * Expected data formats and validation rules * Which fields are used in workflow trigger conditions This documentation ensures consistency when fields are added or modified. ### Data retention policies Understand the data retention policies of your identity sources, particularly for terminated employees or contractors. Some systems retain terminated records for limited periods (e.g., 90 days), which affects leaver workflow design. Plan workflow timing to ensure LCM can process records before they're purged from the source system. ### Critical field changes Changes to core identity fields can break LCM workflows. Coordinate with system administrators before modifying: * Unique identifiers (employee ID, username) * Employment status fields * Date fields (hire date, termination date) * Location or department identifiers * Any fields used in workflow trigger conditions Communicate planned changes in advance and test in sandbox environments before applying to production identity sources. ### Additional Resources For more information: * Refer to individual integration documentation for detailed provisioning capabilities * Consult the Veza documentation for troubleshooting and best practices * Contact Veza support for assistance with enabling or configuring provisioning for your integrations --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/features/lifecycle-management/integrations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.