Supported Identity Providers

Written By Sam Walton (Super Administrator)

Updated at July 16th, 2026

Table of Contents

The Identity Architecture below provides an overview of the Identity connections between the various components of the IBSS Solution and the 3rd Party Identity Provider (IDP).

Identity Connections

A typical IBSS deployment has four types of connections to the Identity Provider:

  • IBSS Core – Data Digital Twin: will synchronise the users and groups that have access rights to the solution.
  • IBSS In-Building Apps: Will validate their logon credentials against the Identity Provider.
  • On-Premises Data Systems: If there is an Edge Gateway device providing control functions for the In-Building IBSS Apps, it will synchronise the users and groups that access rights to the local control points.
  • IBSS User Apps: Will validate their logon credentials against the Identity Provider.

The IBSS Solution is designed to make use of a 3rd Party Identity Provider to cleanly integrate with the corporate infrastructure. IBSS currently supports the following 3rd Party Identity Providers:

  • Microsoft Entra ID
  • Microsoft Entra ID B2C
  • Okta

Microsoft Entra ID

The IBSS Solution uses the following capabilities from Microsoft Entra ID:

  • Users and Roles synchronisation
  • Login validation
  • SCIM setup
    ⚠️ Important: To use SCIM setup, create a new Enterprise application first. If this step is not completed and you move on and create an Application Registration, you’re then blocked from going back to Enterprise apps and using SCIM users synchronisation.
    ⚠️ Important: During users mapping, it's important to change the Source attribute for externalId from the default mailNickname to objectId.

Graph API Permissions

The following are the required Graph API permissions for the IBSS platform to operate 

Permission
Why it's needed
Where
User.Read.All
Sync users from Microsoft Entra ID to IBSS.
Cloud Services
GroupMember.Read.All
Sync groups from Microsoft Entra ID to IBSS.
Cloud Services
User.Read
Allow the user to sign in via Microsoft Entra ID.
Client Apps
Calendars.ReadWrite (Delegated)
Allow the app to add calendar entries to the user's calendar.
Client Apps
Calendars.ReadWrite (Application)
Allow the back-end to sync to meeting room calendars and to manage calendar entries for auto-cancellations.
Cloud Services

DeviceManagementManagedAppsReadWrite

(Delegated)

To use Microsoft Intune app protection (MAM).  
A screenshot of a computer

AI-generated content may be incorrect.

Okta

The IBSS solution supports connection via OpenID Connect (OIDC) to Okta. The IBSS Solution uses the following capabilities from Okta:

  • Users and Roles synchronisation
  • Login validation

Constraints

Both Microsoft Entra ID and Okta support guest accounts (i.e. accounts that have a different email domain than the 'normal' users) within the scope of their identity provision, however for this to work within IBSS the following constraints must be met

  • The email address used must be a standard email address.
  • The unique name must only contain alphanumeric (a-zA-Z0-9), period/full-stop (.) and the single @ sign.
  • Every email address can only be used once, so if multiple identity providers are used, ensure that a normal account in one Identity Provider is not the guest account in another Identity Provider.

SCIM Constraints

  • On-demand provisioning of groups supports updating up to five members at a time. The on-demand provisioning request API can only accept a single group with up to 5 members at a time.
  • On-demand provisioning supports provisioning one user at a time through the Microsoft Entra admin center.
  • Restoring a previously soft-deleted user in the target tenant with on-demand provisioning isn't supported. If you try to soft-delete a user with on-demand provisioning and then restore the user, it can result in duplicate users.
  • On-demand provisioning of roles isn't supported.
  • On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Microsoft Entra ID. Those users don't appear when you search for a user.
  • On-demand provisioning doesn't support nested groups that aren't directly assigned to the application.
  • Removing a user group doesn't remove users if they are part of another group. If this was the only group that users were part of, the users will be removed during the next sync cycle.