Admin
Single sign-on & provisioning
Connect ThreatWeaver to your organization's identity provider so people sign in with their existing corporate account, and so accounts are created and kept in sync automatically. There are two related settings areas: Single sign-on (SSO) for how people log in, and user provisioning (SCIM) for how accounts are created, updated, and deactivated.
What it's for
- Let people sign in with Microsoft 365 / Entra ID instead of a separate password.
- Require SSO for your domains so corporate accounts can't fall back to password login.
- Map identity-provider groups to ThreatWeaver roles so access follows your existing group memberships.
- Automate account lifecycle — have your identity provider create, update, and deactivate ThreatWeaver users for you.
Both areas are for administrators. If you only need to add a few people by hand, see Users & roles instead.
Single sign-on (Microsoft Entra ID)
The SSO page walks top to bottom from connection details to fine-grained controls. A status strip near the top summarizes where you stand: whether SSO is Active, whether the login button is shown, whether credentials are configured, whether the last connection test passed, and whether auto-provisioning is on.
Deployment & provider URLs
This card shows the exact URLs to copy into your identity provider — your sign-in callback URL and provisioning base URL — along with any setup warnings. The values come from the server so they stay correct. Use the copy buttons next to each URL.
Microsoft Entra ID credentials
| Field | What it's for |
|---|---|
| Directory (Tenant) ID | Your Microsoft Entra directory identifier, from your app registration's Overview. |
| Application (Client) ID | The application identifier for the app registration you created for ThreatWeaver. |
| Client Secret | The secret value generated in your app registration. It's stored encrypted; once set, leave it blank to keep the existing value. Use the eye icon to reveal what you're typing. |
| Grant Admin Consent | Starts the Microsoft consent flow so ThreatWeaver has the sign-in permissions it needs. Once granted, the card shows when consent was given. |
| Test Connection | Checks the saved credentials against Microsoft and reports success or failure. Appears once credentials are fully configured. |
The page lists the exact Microsoft Graph sign-in permissions to add in your app registration, and a heavier group-lookup permission you only need for the group-overage fallback described below.
Login options
| Control | What it does |
|---|---|
| Enable Microsoft Entra ID SSO | The master switch. When off, all SSO sign-in attempts are rejected. |
| Show SSO button on login page | When on, people see a "Sign in with Microsoft 365" button on the login form. A small preview of the login page appears beneath the toggle. |
Domain controls
| Control | What it does |
|---|---|
| Allowed Domains | Only people whose email is in one of these domains can sign in with SSO. Leave empty to allow any domain. Type a domain and click Add; remove one with its ✕. |
| Enforced Domains | People in these domains cannot use password login — they're redirected to Microsoft SSO. A warning reminds you to fully configure and test SSO before enforcing a domain, so you don't lock anyone out. |
User provisioning (on sign-in)
| Control | What it does |
|---|---|
| Auto-provision new users | When on, a ThreatWeaver account is created automatically the first time an Entra ID user signs in. |
| Default Role | The role given to a new SSO user when no group mapping matches. If a previously chosen role was later deleted, the picker flags it so you can pick a current one. |
| Strict role mapping | When group mappings exist, deny sign-in for users who match no mapping instead of quietly granting the default role. |
Group-to-role mapping
Map your Microsoft Entra security groups to ThreatWeaver roles; a signing-in user gets the role of the first group they match.
| Control | What it does |
|---|---|
| Allow default role on group overage | For users in very many groups, Microsoft may omit the group information. By default ThreatWeaver fails that sign-in rather than silently downgrading the person. Turn this on only if you accept giving such users the default role. |
| Entra Group Object ID | The group's object identifier from your directory. |
| Display Name | An optional friendly label for the mapping. |
| ThreatWeaver Role | The role that group should receive. |
| Add | Adds the mapping to the table below. Remove a row with its trash icon. |
Save & test
Save Changes stores the whole configuration. Test Connection (top right) verifies the credentials against Microsoft without saving new secrets.
User provisioning (SCIM)
SCIM lets Microsoft Entra or Okta create, update, and deactivate ThreatWeaver accounts on their own, so your directory stays the source of truth.
| Control | What it does |
|---|---|
| Enable SCIM | The master switch for the provisioning endpoints your identity provider connects to. |
| SCIM Tenant URL | The address to paste into your identity provider. A warning appears if it isn't a public HTTPS address, which providers require. |
| Provisioning mode | How accounts may be created — manual only, just-in-time on sign-in, SCIM only, or a combination. |
| Role authority | Where a user's role comes from — set manually, from SSO groups, from SCIM groups, or from provider app roles. |
| Default role | The role assigned when nothing else determines one. |
| Strict role mapping | Deny provisioning for users who match no role mapping, when mappings exist. |
| Allow email update | Permit the provider to change a user's email. |
| Deactivate on delete | Treat a provider "delete" as a deactivation, preserving history and ownership rather than erasing the account. |
| Require assigned users only | Only provision people your identity provider has assigned to the ThreatWeaver app. |
SCIM group role mapping
When Role authority is set to SCIM groups, map each provider group to a ThreatWeaver role. Each mapping takes a provider group ID or group display name, a Role, a Priority (lower numbers win first), and an Enabled toggle. Save the table with Save Role Mappings.
Provisioning tokens
Your identity provider authenticates with a bearer token you generate here. Enter a Token name, click Generate, and copy the token immediately — it's shown only once and stored hashed. Paste it into your provider's secret-token field. Revoke a token any time with its trash icon.
Backfill and events
- Backfill existing users links people who already have accounts to their provider identity before the first sync, so they aren't duplicated. Use Dry run first to preview, then Apply backfill.
- Recent provisioning events shows the latest create/update/deactivate actions and whether each succeeded, so you can confirm sync is working.
Common workflows
Workflow: turn on Microsoft 365 sign-in
-
In your Microsoft app registration, copy the Directory (Tenant) ID and Application (Client) ID, and create a client secret.
-
On the SSO page, paste those three values and click Save Changes.
Step 1 — entering the Entra ID credentials -
Click Grant Admin Consent and complete the Microsoft prompt, then click Test Connection to confirm the connection passes.
-
Turn on Enable Microsoft Entra ID SSO and Show SSO button on login page, then Save Changes. People now see "Sign in with Microsoft 365."
Step 2 — enabling SSO and the login button
Workflow: automate account creation with SCIM
- On the provisioning page, turn on Enable SCIM and copy the SCIM Tenant URL.
- Generate a provisioning token and copy it once.
- In your identity provider, paste the URL and token into its provisioning setup.
- Run a Dry run backfill to preview matches, then Apply backfill, and watch Recent provisioning events confirm the first sync.
Workflow: add a new group-to-role mapping (SSO)
-
In Microsoft Entra, copy the Object ID of the security group you want to map.
-
On the SSO page's Group-to-role mapping section, paste it into Entra Group Object ID, and optionally give the mapping a Display Name so it's easy to recognize later.
-
Pick the ThreatWeaver Role that group should receive, then click Add.
Step — adding a group-to-role mapping -
Click Save Changes. Remember that a signing-in user gets the role of the first group they match, so order matters if someone belongs to more than one mapped group — put the more privileged mapping first if that matters for your directory.