Skip to main content

Admin

Single sign-on & provisioning

Connect ThreatWeaver to your organization's identity provider so people sign in with their existing corporate account, and so accounts are created and kept in sync automatically. There are two related settings areas: Single sign-on (SSO) for how people log in, and user provisioning (SCIM) for how accounts are created, updated, and deactivated.

What it's for

  • Let people sign in with Microsoft 365 / Entra ID instead of a separate password.
  • Require SSO for your domains so corporate accounts can't fall back to password login.
  • Map identity-provider groups to ThreatWeaver roles so access follows your existing group memberships.
  • Automate account lifecycle — have your identity provider create, update, and deactivate ThreatWeaver users for you.

Both areas are for administrators. If you only need to add a few people by hand, see Users & roles instead.

Single sign-on (Microsoft Entra ID)

The SSO page walks top to bottom from connection details to fine-grained controls. A status strip near the top summarizes where you stand: whether SSO is Active, whether the login button is shown, whether credentials are configured, whether the last connection test passed, and whether auto-provisioning is on.

Single sign-on — status strip and configuration sections

Deployment & provider URLs

This card shows the exact URLs to copy into your identity provider — your sign-in callback URL and provisioning base URL — along with any setup warnings. The values come from the server so they stay correct. Use the copy buttons next to each URL.

Microsoft Entra ID credentials

FieldWhat it's for
Directory (Tenant) IDYour Microsoft Entra directory identifier, from your app registration's Overview.
Application (Client) IDThe application identifier for the app registration you created for ThreatWeaver.
Client SecretThe secret value generated in your app registration. It's stored encrypted; once set, leave it blank to keep the existing value. Use the eye icon to reveal what you're typing.
Grant Admin ConsentStarts the Microsoft consent flow so ThreatWeaver has the sign-in permissions it needs. Once granted, the card shows when consent was given.
Test ConnectionChecks the saved credentials against Microsoft and reports success or failure. Appears once credentials are fully configured.

The page lists the exact Microsoft Graph sign-in permissions to add in your app registration, and a heavier group-lookup permission you only need for the group-overage fallback described below.

Login options

ControlWhat it does
Enable Microsoft Entra ID SSOThe master switch. When off, all SSO sign-in attempts are rejected.
Show SSO button on login pageWhen on, people see a "Sign in with Microsoft 365" button on the login form. A small preview of the login page appears beneath the toggle.

Domain controls

ControlWhat it does
Allowed DomainsOnly people whose email is in one of these domains can sign in with SSO. Leave empty to allow any domain. Type a domain and click Add; remove one with its ✕.
Enforced DomainsPeople in these domains cannot use password login — they're redirected to Microsoft SSO. A warning reminds you to fully configure and test SSO before enforcing a domain, so you don't lock anyone out.

User provisioning (on sign-in)

ControlWhat it does
Auto-provision new usersWhen on, a ThreatWeaver account is created automatically the first time an Entra ID user signs in.
Default RoleThe role given to a new SSO user when no group mapping matches. If a previously chosen role was later deleted, the picker flags it so you can pick a current one.
Strict role mappingWhen group mappings exist, deny sign-in for users who match no mapping instead of quietly granting the default role.

Group-to-role mapping

Map your Microsoft Entra security groups to ThreatWeaver roles; a signing-in user gets the role of the first group they match.

ControlWhat it does
Allow default role on group overageFor users in very many groups, Microsoft may omit the group information. By default ThreatWeaver fails that sign-in rather than silently downgrading the person. Turn this on only if you accept giving such users the default role.
Entra Group Object IDThe group's object identifier from your directory.
Display NameAn optional friendly label for the mapping.
ThreatWeaver RoleThe role that group should receive.
AddAdds the mapping to the table below. Remove a row with its trash icon.

Save & test

Save Changes stores the whole configuration. Test Connection (top right) verifies the credentials against Microsoft without saving new secrets.

User provisioning (SCIM)

SCIM lets Microsoft Entra or Okta create, update, and deactivate ThreatWeaver accounts on their own, so your directory stays the source of truth.

User provisioning — SCIM status, controls, and tokens
ControlWhat it does
Enable SCIMThe master switch for the provisioning endpoints your identity provider connects to.
SCIM Tenant URLThe address to paste into your identity provider. A warning appears if it isn't a public HTTPS address, which providers require.
Provisioning modeHow accounts may be created — manual only, just-in-time on sign-in, SCIM only, or a combination.
Role authorityWhere a user's role comes from — set manually, from SSO groups, from SCIM groups, or from provider app roles.
Default roleThe role assigned when nothing else determines one.
Strict role mappingDeny provisioning for users who match no role mapping, when mappings exist.
Allow email updatePermit the provider to change a user's email.
Deactivate on deleteTreat a provider "delete" as a deactivation, preserving history and ownership rather than erasing the account.
Require assigned users onlyOnly provision people your identity provider has assigned to the ThreatWeaver app.

SCIM group role mapping

When Role authority is set to SCIM groups, map each provider group to a ThreatWeaver role. Each mapping takes a provider group ID or group display name, a Role, a Priority (lower numbers win first), and an Enabled toggle. Save the table with Save Role Mappings.

Provisioning tokens

Your identity provider authenticates with a bearer token you generate here. Enter a Token name, click Generate, and copy the token immediately — it's shown only once and stored hashed. Paste it into your provider's secret-token field. Revoke a token any time with its trash icon.

Backfill and events

  • Backfill existing users links people who already have accounts to their provider identity before the first sync, so they aren't duplicated. Use Dry run first to preview, then Apply backfill.
  • Recent provisioning events shows the latest create/update/deactivate actions and whether each succeeded, so you can confirm sync is working.

Common workflows

Workflow: turn on Microsoft 365 sign-in

  1. In your Microsoft app registration, copy the Directory (Tenant) ID and Application (Client) ID, and create a client secret.

  2. On the SSO page, paste those three values and click Save Changes.

    Step 1 — entering the Entra ID credentials
  3. Click Grant Admin Consent and complete the Microsoft prompt, then click Test Connection to confirm the connection passes.

  4. Turn on Enable Microsoft Entra ID SSO and Show SSO button on login page, then Save Changes. People now see "Sign in with Microsoft 365."

    Step 2 — enabling SSO and the login button

Workflow: automate account creation with SCIM

  1. On the provisioning page, turn on Enable SCIM and copy the SCIM Tenant URL.
  2. Generate a provisioning token and copy it once.
  3. In your identity provider, paste the URL and token into its provisioning setup.
  4. Run a Dry run backfill to preview matches, then Apply backfill, and watch Recent provisioning events confirm the first sync.

Workflow: add a new group-to-role mapping (SSO)

  1. In Microsoft Entra, copy the Object ID of the security group you want to map.

  2. On the SSO page's Group-to-role mapping section, paste it into Entra Group Object ID, and optionally give the mapping a Display Name so it's easy to recognize later.

  3. Pick the ThreatWeaver Role that group should receive, then click Add.

    Step — adding a group-to-role mapping
  4. Click Save Changes. Remember that a signing-in user gets the role of the first group they match, so order matters if someone belongs to more than one mapped group — put the more privileged mapping first if that matters for your directory.