Connector Configuration

Learn how to configure and connect Identity Mesh to your identity providers and target systems.

Supported Connectors

Identity Mesh supports a wide range of identity providers and target systems through our connector framework.

  • Active Directory (LDAP): Connect to on-premises or cloud-hosted Active Directory
  • Microsoft Entra ID (Azure AD, coming soon): Sync with Microsoft Entra ID (formerly Azure AD)
  • Okta (SCIM, coming soon): Integrate with the Okta identity platform
  • Workday (REST API, coming soon): Connect to Workday HCM for HR-driven provisioning
  • LDAP (LDAP, coming soon): Generic LDAP connector for any LDAP-compliant directory
  • SCIM 2.0 (SCIM, coming soon): Standard SCIM 2.0 connector for any SCIM-compliant system
  • SQL Database (SQL): Direct database connector for custom identity stores
  • REST API (REST, coming soon): Generic REST API connector for custom integrations

Active Directory Configuration

Prerequisites

  • Active Directory domain controller accessible from Identity Mesh
  • Service account with read permissions (or read/write for bi-directional sync)
  • LDAP port 389 (or LDAPS port 636) open in firewall
  • Base DN for user and group searches

Configuration Example

{
  "type": "active-directory",
  "name": "Corporate AD",
  "config": {
    "host": "dc01.company.com",
    "port": 636,
    "useSsl": true,
    "baseDn": "DC=company,DC=com",
    "bindDn": "CN=svc-identitymesh,OU=Service Accounts,DC=company,DC=com",
    "bindPassword": "{{secret:ad-password}}",
    "userSearchBase": "OU=Users,DC=company,DC=com",
    "userSearchFilter": "(&(objectClass=user)(objectCategory=person))",
    "groupSearchBase": "OU=Groups,DC=company,DC=com",
    "groupSearchFilter": "(objectClass=group)",
    "attributeMapping": {
      "username": "sAMAccountName",
      "email": "mail",
      "firstName": "givenName",
      "lastName": "sn",
      "displayName": "displayName",
      "employeeId": "employeeNumber"
    }
  }
}

Configuration Fields

  • host: Domain controller hostname or IP address
  • port: LDAP port (389 for LDAP, 636 for LDAPS)
  • useSsl: Enable SSL/TLS encryption (recommended)
  • baseDn: Base distinguished name for searches
  • bindDn: Service account distinguished name
  • bindPassword: Service account password (use secrets)
  • userSearchBase: Base DN for user searches
  • userSearchFilter: LDAP filter for user objects
  • groupSearchBase: Base DN for group searches
  • groupSearchFilter: LDAP filter for group objects
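The following Python is an added example, not part of Identity Mesh: it lints a connector document against the guidance above (useSsl recommended, bindPassword from a secret reference, search bases inside baseDn) before the document is submitted. The DN handling is a simplified parser and the finding strings are constructed for this example.

```python
import re

# Constructed checks for an "active-directory" connector document; DN parsing is simplified (no RFC 4514 escapes).
SECRET_REF = re.compile(r"^\{\{secret:[A-Za-z0-9_.-]+\}\}$")
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")

def parse_dn(dn):
    """Split a DN into case-normalised RDNs, most specific first."""
    parts = [p.strip() for p in dn.split(",")]
    if not all(RDN.match(p) for p in parts):
        raise ValueError(f"malformed DN: {dn!r}")
    return [p.lower() for p in parts]

def is_under(child, parent):
    """True when `child` equals `parent` or lies below it in the directory tree."""
    c, p = parse_dn(child), parse_dn(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p

def lint_ad_config(connector):
    """Return findings (an empty list means clean) for a connector document."""
    if connector.get("type") != "active-directory":
        return ["type must be 'active-directory'"]
    cfg, findings = connector.get("config", {}), []
    port, use_ssl = cfg.get("port"), cfg.get("useSsl", False)
    if port == 636 and not use_ssl:
        findings.append("port 636 is LDAPS but useSsl is false")
    if port == 389 and not use_ssl:
        findings.append("useSsl is false: bind password and directory data cross the network in cleartext")
    if not SECRET_REF.match(str(cfg.get("bindPassword", ""))):
        findings.append("bindPassword must be a {{secret:...}} reference, not a literal")
    base = cfg.get("baseDn", "")
    try:
        parse_dn(cfg.get("bindDn", ""))
    except ValueError as e:
        findings.append(f"bindDn: {e}")
    for key in ("userSearchBase", "groupSearchBase"):
        try:
            if not is_under(cfg.get(key, ""), base):
                findings.append(f"{key} is outside baseDn")
        except ValueError as e:
            findings.append(f"{key}: {e}")
    return findings

SAMPLE = {"type": "active-directory", "name": "Corporate AD", "config": {  # constructed sample
    "host": "dc01.company.com", "port": 636, "useSsl": True,
    "baseDn": "DC=company,DC=com", "bindPassword": "{{secret:ad-password}}",
    "bindDn": "CN=svc-identitymesh,OU=Service Accounts,DC=company,DC=com",
    "userSearchBase": "OU=Users,DC=company,DC=com",
    "groupSearchBase": "OU=Groups,DC=company,DC=com"}}
```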

Microsoft Entra ID Configuration (Coming Soon)

Prerequisites

  • Azure AD tenant with appropriate licensing
  • App registration in Azure AD with required API permissions
  • Client ID and client secret from app registration
  • Tenant ID (directory ID)

Configuration Example

{
  "type": "entra-id",
  "name": "Azure AD",
  "config": {
    "tenantId": "12345678-1234-1234-1234-123456789abc",
    "clientId": "87654321-4321-4321-4321-cba987654321",
    "clientSecret": "{{secret:azure-client-secret}}",
    "scopes": [
      "User.Read.All",
      "Group.Read.All",
      "Directory.Read.All"
    ],
    "attributeMapping": {
      "username": "userPrincipalName",
      "email": "mail",
      "firstName": "givenName",
      "lastName": "surname",
      "displayName": "displayName",
      "employeeId": "employeeId"
    }
  }
}

Required API Permissions

Grant these Microsoft Graph API permissions to your app registration:

  • User.Read.All
    Read all users' full profiles
  • Group.Read.All
    Read all groups
  • Directory.Read.All
    Read directory data

Okta Configuration (Coming Soon)

Configuration Example

{
  "type": "okta",
  "name": "Okta Production",
  "config": {
    "domain": "company.okta.com",
    "apiToken": "{{secret:okta-api-token}}",
    "scimEndpoint": "https://company.okta.com/api/v1/scim/v2",
    "attributeMapping": {
      "username": "userName",
      "email": "emails[0].value",
      "firstName": "name.givenName",
      "lastName": "name.familyName",
      "displayName": "displayName",
      "active": "active"
    }
  }
}

SQL Database Configuration

Prerequisites

  • SQL Server instance accessible from Identity Mesh
  • Database account with read permissions on the source table or view
  • A datetime2 column for delta tracking (not date, which lacks time granularity)
  • A unique identifier column for each row (e.g., primary key)

Configuration Example

{
  "type": "sql",
  "name": "HR Database",
  "config": {
    "connectionString": "Server=hrdb.company.com;Database=HRSystem;",
    "importQuery": "dbo.Employees",
    "externalIdColumn": "EmployeeId",
    "objectType": "User",
    "watermarkColumn": "ModifiedDateUtc",
    "deltaColumnType": "datetime",
    "isActiveColumn": "IsActive",
    "columnsToLoad": ["EmployeeId", "Email", "DisplayName", "Department", "Title", "ManagerEmail"]
  }
}

Configuration Fields

  • connectionString: SQL Server connection string. For Azure SQL with token auth, omit User ID/Password.
  • importQuery: SELECT query or table/view name (e.g., dbo.Employees)
  • externalIdColumn: Column used as the unique external identifier. Default: Id
  • deltaColumn (alias: watermarkColumn): Column for watermark-based delta import. Must be datetime2, bigint, or rowversion. Either deltaColumn or watermarkColumn may be used in the config JSON.
  • deltaColumnType: Type hint: datetime, long, bigint, rowversion, or binary. Default: datetime
  • softDeleteColumn (alias: isActiveColumn): Column indicating soft-deleted rows. Optional. When the isActiveColumn alias is used, the semantics are inverted automatically (IsActive=0 means deleted).
  • softDeleteValue: Value that indicates deletion. For SQL bit columns, use 0 or 1. Default: true. When using isActiveColumn, this defaults to 0 automatically.
  • columnsToLoad: Array of column names to SELECT instead of *. Reduces network I/O and memory for wide tables. The externalIdColumn, deltaColumn, and softDeleteColumn are always included automatically. Omit or set to [] for SELECT *.

Delta Column Type Matters

The delta column must be datetime2 — not date. A date column stores only the date with no time component, so multiple changes on the same day would be missed during delta imports. Use datetime2 for millisecond-level granularity.
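As an added example (not Identity Mesh's own code), the Python below builds the delta-import SELECT from the field rules above: it honours columnsToLoad, forces the key, delta and soft-delete columns in, treats watermarkColumn and isActiveColumn as the documented aliases, allowlists every identifier taken from the config, and binds the last watermark as a parameter rather than inlining it. How the product actually composes its query is not stated on the page; the function names and the @watermark parameter are assumptions.

```python
import re

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # allowlist for identifiers read from config

def quote_ident(name):
    """Bracket-quote a column or table name; configuration values are not trusted as SQL."""
    if not isinstance(name, str) or not IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f"[{name}]"

def plan_delta_import(cfg):
    """Build the delta-import SELECT from a 'sql' connector config: columnsToLoad
    (or *); key, delta and soft-delete columns always included; watermarkColumn and
    isActiveColumn as the documented aliases. The last watermark is bound as the
    @watermark parameter (assumed name), never inlined into the SQL text."""
    key = cfg.get("externalIdColumn", "Id")
    delta = cfg.get("deltaColumn") or cfg.get("watermarkColumn")
    if cfg.get("softDeleteColumn"):
        del_col, del_val = cfg["softDeleteColumn"], cfg.get("softDeleteValue", True)
    elif cfg.get("isActiveColumn"):
        del_col, del_val = cfg["isActiveColumn"], cfg.get("softDeleteValue", 0)
    else:
        del_col, del_val = None, None
    cols = list(cfg.get("columnsToLoad") or [])
    if cols:
        for forced in (key, delta, del_col):
            if forced and forced not in cols:
                cols.append(forced)
        select = ", ".join(quote_ident(c) for c in cols)
    else:
        select = "*"
    source = cfg["importQuery"].strip()
    if source.lower().startswith("select"):
        source = f"({source}) AS src"  # a supplied SELECT becomes a derived table
    else:
        source = ".".join(quote_ident(p) for p in source.split("."))
    sql = f"SELECT {select} FROM {source}"
    if delta:
        d = quote_ident(delta)
        sql += f" WHERE {d} > @watermark ORDER BY {d}"
    return {"sql": sql, "deleted_column": del_col, "deleted_value": del_val}

def is_deleted(row, plan):
    """Apply the soft-delete rule to one imported row (dict of column -> value)."""
    col = plan["deleted_column"]
    return col is not None and row.get(col) == plan["deleted_value"]

SAMPLE = {"importQuery": "dbo.Employees", "externalIdColumn": "EmployeeId",  # constructed sample
          "watermarkColumn": "ModifiedDateUtc", "isActiveColumn": "IsActive",
          "columnsToLoad": ["EmployeeId", "Email", "DisplayName", "Department", "Title", "ManagerEmail"]}
```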

Dynamic Target Container

Projection rules support {{attribute}} templates in the Target Container field. At projection time, tokens are resolved against the mesh object's attributes, placing objects into different OUs automatically.

OU={{department}},OU=Users,DC=corp,DC=com

If a user's department attribute is Engineering, the resolved container becomes OU=Engineering,OU=Users,DC=corp,DC=com. Unresolved tokens (missing or null attributes) are left as-is.
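An added example (not the product's own resolver) of the substitution rule above in Python, with one addition the page does not state: each substituted value is escaped per RFC 4514, so an attribute value containing a comma or another DN-special character cannot change the shape of the target container. Whether Identity Mesh escapes values is not stated on the page; escape=True is this example's assumption.

```python
import re

TOKEN = re.compile(r"\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}")   # {{attribute}} placeholders
DN_SPECIAL = set(',+"\\<>;')                                 # RFC 4514 section 2.4

def escape_rdn_value(value):
    """Escape an attribute value so it stays one RDN value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")                     # NUL is written as a hex pair
        elif ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)                  # specials, leading '#', leading/trailing space
        else:
            out.append(ch)
    return "".join(out)

def resolve_container(template, attributes, escape=True):
    """Substitute {{attribute}} tokens from the mesh object's attributes.

    Missing or null attributes leave the token untouched, as documented.
    With escape=True (an addition beyond the page) each substituted value is
    RFC 4514-escaped so a value such as 'R&D, EMEA' cannot add an RDN."""
    def sub(match):
        value = attributes.get(match.group(1))
        if value is None:
            return match.group(0)
        return escape_rdn_value(str(value)) if escape else str(value)
    return TOKEN.sub(sub, template)

TEMPLATE = "OU={{department}},OU=Users,DC=corp,DC=com"   # template from the page
```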

Authentication Modes

  • SqlAuth: SQL Server authentication with username and password (default)
  • Integrated: Windows Integrated Authentication using the service account
  • AzureADClientCredential: Entra ID service principal for Azure SQL Database (requires tenantId)
  • AzureManagedIdentity: Azure Managed Identity for Azure SQL Database
  • AzureDefault: Azure DefaultAzureCredential (tries managed identity, Azure CLI, environment variables, etc.)

Testing Your Connection

After configuring your connector, test the connection to ensure it's working properly.

Using the API

POST /api/v1/connectors/test
Content-Type: application/json
Authorization: Bearer {{api_token}}

{
  "connectorId": "conn_abc123"
}

Expected Response

{
  "status": "success",
  "message": "Connection successful",
  "details": {
    "connectorType": "active-directory",
    "usersFound": 1523,
    "groupsFound": 87,
    "latency": 145
  }
}