npm - @workos/mcp-docs-server - Versions diffs - 0.1.0 - Mend

@workos/mcp-docs-server 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (455) hide show

package/.docs/organized/docs/integrations/duo-saml.mdx ADDED Viewed

@@ -0,0 +1,127 @@
+---
+title: Duo
+description: "Learn how to configure a connection to\_Duo via SAML."
+icon: duo
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/duo-saml.mdx
+---
+## Introduction
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). Often, the information required to create a Connection will differ by Identity Provider.
+To create a Duo SAML Connection, you’ll need three pieces of information: an [ACS URL](/glossary/acs-url) (provide by WorkOS), an [SP Entity ID](/glossary/sp-entity-id) (provided by WorkOS), and the [Metadata URL](/glossary/idp-metadata) (provided by Duo).
+Duo is also unique in that it requires a 3rd party IdP to federate the authentication. This means that along with the three pieces of information, you’ll also need to configure a Single Sign-On Authentication Source and a Cloud Application in your Duo Workspace.
+The high level overview of the authentication flow:
+Your App → WorkOS → Duo → Your SSO IdP → Duo → WorkOS → Your App
+![A flowchart showing the authentication flow of Duo using WorkOS.](https://images.workoscdn.com/docs/integrations/sso/duo-saml/v1/duo-saml-1.png?auto=format&fit=clip&q=50)
+---
+## (1) Create a new Duo SAML Connection in WorkOS
+Navigate to the Organization in your WorkOS Dashboard under which you would like to set up this new SSO Connection. Click “Manually Configure Connection” and select Duo SAML from the list of SSO Identity Providers. You’ll want to select “Duo SAML” as the Identity Provider and give the Connection a descriptive name. Once this is filled out, click “Create Connection”.
+![A screenshot showing how to create a Duo SAML connection in the WorkOS dashboard.](https://images.workoscdn.com/images/cfd42823-38c8-4994-b05c-b7c3609d1755.png?auto=format&fit=clip&q=50)
+Take note of the Connection Details as you’ll need to enter those in Duo later on. This page is also where you’ll enter the Metadata URL in a later step.
+![A screenshot showing where to access Service Provider details in the connection settings.](https://images.workoscdn.com/images/98f72b30-9e6b-4e96-be86-176939471b6b.png?auto=format&fit=clip&q=50)
+---
+## (2) Select or create your application
+WorkOS will allow you to use any Duo supported IdP to handle the Federated authentication. Since each IdP will have different ways of setting up the SSO connection between Duo and the IdP, please refer to the [documentation that Duo provides to configure a Duo SSO Connection](https://duo.com/docs/sso#enable-duo-single-sign-on).
+---
+## (3) Create a Cloud Application in Duo
+After configuring the Duo SSO Connection with the IdP of your choice, the next step is to create a Cloud Application in Duo. This app will handle the connection between WorkOS and Duo.
+Navigate to the Duo Admin Panel and click on Applications on the left sidebar.
+Click “Protect an Application” and locate the entry for “Generic SAML Service Provider” with a protection type of “2FA with SSO hosted by Duo (Single Sign-On)” in the applications list. Click _Protect_ to the far-right to start configuring “Generic SAML Service Provider”.
+![A screenshot showing how to create a Cloud App in Duo.](https://images.workoscdn.com/images/8404f0a8-a56f-4c58-b03e-d0ec48ef66b8.png?auto=format&fit=clip&q=50)
+Next, configure the Generic Service Provider settings. There are pieces of information on this page that need to come from WorkOS and your Duo SSO Connection, and also information to copy and enter in the WorkOS Connection.
+Start by gathering the Metadata URL to enter in the WorkOS Duo SAML Connection that you created in the prior step.
+![A screenshot showing where to copy the IdP Metadata URL in Duo.](https://images.workoscdn.com/images/250ed44e-4044-441e-ab02-a045ed011cb2.png?auto=format&fit=clip&q=50)
+---
+## (4) Enter Duo SAML Settings in your WorkOS Dashboard
+Navigate to your WorkOS Duo SAML Connection and paste the Metadata URL in to the Metadata field.
+You won’t see the connection flip to Active yet as there is still some configuration to do on the Duo side.
+![A screenshot showing how to add the IdP metadata in the WorkOS dashboard.](https://images.workoscdn.com/images/73a827e1-fa4f-4399-a1e6-3589abd0874a.png?auto=format&fit=clip&q=50)
+From the WorkOS Connection page you are currently on, copy the ACS URL value from the field just above the SAML Settings.
+![A screenshot highlighting the ACS URL in the WorkOS dashboard.](https://images.workoscdn.com/images/45ce0799-449b-417e-8f2b-08cdaacdfea6.png?auto=format&fit=clip&q=50)
+Navigate to the Duo Applications Generic Service Provider configuration settings and paste the ACS URL in the Assertion Consumer Service (ACS) URL field under the Service Provider section.
+![A screenshot showing where to input the ACS URL in Duo settings.](https://images.workoscdn.com/images/d7bff970-44e9-4320-b675-53d54d2ab4c9.png?auto=format&fit=clip&q=50)
+Next, copy the SP Entity ID value from the WorkOS Connection page.
+![A screenshot highlighting the Entity ID in the WorkOS dashboard.](https://images.workoscdn.com/images/5dfd097f-1027-48af-9cdc-6ad2fd97f3d3.png?auto=format&fit=clip&q=50)
+Paste the SP Entity ID into the Entity ID field under the Service Provider section in the Duo Applications Generic Service Provider configuration.
+You may leave the Single Logout URL, Service Provider Login URL, and Default Relay State fields empty.
+![A screenshot showing where to input the Entity ID in Duo settings.](https://images.workoscdn.com/images/5938b3ee-95a7-4dcf-aa2a-9e064d8c8311.png?auto=format&fit=clip&q=50)
+Scroll down on this page to the SAML Response section. Ensure that the NameID format has the id that you’d like to use for the unique identifier selected and matches the NameID attribute that you’d like to use as the value. If you’re using email as the unique ID, the options would look like the below.
+![A screenshot showing how to configure SAML Response NameID in Duo.](https://images.workoscdn.com/images/e2ae9786-2a3f-4408-9c15-b33ba4c34f39.png?auto=format&fit=clip&q=50)
+Ensure the Signature algorithm is SHA256 and that the Signing options have both Sign response and Sign assertion selected.
+![A screenshot showing where to configure the SAML Response Signing.](https://images.workoscdn.com/images/c491cab0-5abe-4b63-89cc-c5b8dbed9657.png?auto=format&fit=clip&q=50)
+Next make sure that you are mapping the attributes which WorkOS requires: `id`, `email`, `firstName`, and `lastName`. In the Map Attributes section enter these on the right side under SAML Response Attribute. on the left side, click the empty field box and select the pre-populated values that look like `<Email Address>`. Duo will automatically grab the corresponding fields and map them to the expected values.
+You can map any values you like, but WorkOS requires that these four values are included in SAML responses. If your users don’t have a last name value for instance, you could map Display Name or any other value to `lastName`, but `lastName` still needs to be included or WorkOS will reject the SAML Response.
+Here’s an example of the attribute mappings:
+![A screenshot showing where to configure SAML Attribute Mapping in Duo.](https://images.workoscdn.com/images/dc4517d1-7f02-4199-a06e-e3d31ac56b76.png?auto=format&fit=clip&q=50)
+### Role Assignment (optional)
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, follow the guidance below.
+In the "Role Attributes" section, enter `groups` as the "Attribute name". Then map the role names to their corresponding Duo groups. In the example below, the "Admins" role is mapped to the Admins group and the "Developers" role is mapped to the Developers group.
+![A screenshot showing how to configure a groups attribute in Duo.](https://images.workoscdn.com/images/a13b9af3-65fc-4595-acd6-ecc3bc026fc3.png?auto=format&fit=clip&q=50)
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+### Save your changes
+You may leave all of the other fields as their defaults. Scroll to the very bottom of the page and click the Save button.
+![A screenshot highlighting the finished SAML Configuration in Duo.](https://images.workoscdn.com/images/dbe959a3-41eb-4dca-b1bd-69f1a389b10e.png?auto=format&fit=clip&q=50)
+---
+## (5) Verify Connection Status in WorkOS
+Navigate back to the WorkOS dashboard. After a minute or two you should see the Connection become Active as indicated by the green badge next to the connection name.
+![A screenshot highlighting active status of the Duo connection.](https://images.workoscdn.com/images/9d79fcfe-386d-4bd7-a69d-e8e0578f0352.png?auto=format&fit=clip&q=50)

package/.docs/organized/docs/integrations/entra-id-saml.mdx ADDED Viewed

@@ -0,0 +1,156 @@
+---
+title: Entra ID SAML (formerly Azure AD)
+description: Learn how to configure a connection Entra ID via SAML.
+icon: microsoft
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/entra-id-saml.mdx
+---
+## Introduction
+Each SSO Identity Provider requires specific information to create and configure a new [Connection](/glossary/connection). And often, the information required to create a Connection will differ by Identity Provider.
+To create a Entra ID SAML Connection, you’ll need the Identity Provider Metadata URL that is available from the organization's Entra ID instance.
+---
+## What WorkOS Provides
+WorkOS provides the [ACS URL](/glossary/acs-url) and [IdP URI (Entity ID)](/glossary/idp-uri-entity-id). It’s readily available in your Connection Settings in the [WorkOS Dashboard](https://dashboard.workos.com/get-started).
+![A screenshot showing the ACS URL and Entity ID in the WorkOS dashboard.](https://images.workoscdn.com/images/736aee3b-9a67-4abd-9905-f091d20fe48e.png?auto=format&fit=clip&q=50)
+The ACS URL is the location an Identity Provider redirects its authentication response to. In Entra ID’s case, it needs to be set by the organization when configuring your application in their Entra ID instance.
+Specifically, the ACS URL will need to be set as the “Reply URL (Assertion Consumer Service URL)” in the “Basic SAML Configuration” step of the Entra ID “Set up Single Sign-On with SAML” wizard:
+![A screenshot showing the location to place the WorkOS ACS URL in the Azure Dashboard.](https://images.workoscdn.com/images/ea398d8e-71a8-4f54-9b85-3c092f325bf8.png?auto=format&fit=clip&q=50)
+The [Entity ID](/glossary/idp-uri-entity-id) is a URI used to identify the issuer of a SAML request, response, or assertion. In this case, the entity ID is used to communicate that WorkOS will be the party performing SAML requests to the organization's Entra ID instance.
+Specifically, the Entity ID will need to be set as the “Identifier (Entity ID)” in the “Basic SAML Configuration” step of the Entra ID “Set up Single Sign-On with SAML” wizard:
+![A screenshot showing the location to place the WorkOS Entity ID in the Azure Dashboard.](https://images.workoscdn.com/images/55860959-b322-4098-b3d4-66d48ee73dd1.png?auto=format&fit=clip&q=50)
+---
+## What you’ll need
+In order to integrate you’ll need the Entra ID IdP Metadata URL.
+Normally, this information will come from the organization's IT Management team when they set up your application’s SAML 2.0 configuration in their Azure admin dashboard. Here’s how to obtain them:
+---
+## (1) Log in
+Log in to the [Entra ID Active Directory Admin dashboard](https://portal.azure.com/). Select “Enterprise Applications” from the list of Azure services.
+![A screenshot showing where to select "Enterprise Applications" in the Azure dashboard.](https://images.workoscdn.com/images/37f3b3d2-fcdb-4a5f-8d93-970ec0239446.png?auto=format&fit=clip&q=50)
+---
+## (2) Select or create your application
+If your application is already created, select it from the list of Enterprise applications and move to Step 7.
+![A screenshot showing where to select an existing application in the Azure dashboard.](https://images.workoscdn.com/images/a61ca1b9-4e06-4dc6-80de-eac3fea212cd.png?auto=format&fit=clip&q=50)
+If you haven’t created a SAML Application in Azure, select “New Application”.
+![A screenshot showing where to select "New Application" in the Azure dashboard.](https://images.workoscdn.com/images/3c26fec7-f77a-4757-8a04-6998ff7beb26.png?auto=format&fit=clip&q=50)
+---
+## (3) Initial SAML Application Setup
+Select “Create your own application”, then enter a descriptive app name. Under “What are you looking to do with your application?”, select “Integrate any other application you don’t find in the gallery (Non-gallery)”, then select “Create”.
+![A screenshot showing where to input the name of the new application in the Azure dashboard.](https://images.workoscdn.com/images/9f998b1b-87b4-4f1d-a50c-0a17f8bb3f98.png?auto=format&fit=clip&q=50)
+Select “Single Sign-On” from the “Manage” section in the left sidebar navigation menu, and then “SAML”.
+![A screenshot showing how to select "SAML" as the Single Sign-On method of the Azure application in the Azure dashboard.](https://images.workoscdn.com/images/f90c0d1a-ed45-4bee-b77f-dcf37a63a6bd.png?auto=format&fit=clip&q=50)
+---
+## (4) Configure SAML Application
+Click the Edit icon in the top right corner of the first step "Basic SAML Configuration".
+![A screenshot showing where to select "Edit" for the "Basic SAML Configuration" step in the Azure dashboard.](https://images.workoscdn.com/images/e7a4397c-8120-43c6-9b66-e6a2251cd5bd.png?auto=format&fit=clip&q=50)
+Input the IdP URI (Entity ID) from your WorkOS Dashboard as the “Identifier (Entity ID)”. Input the ACS URL from your WorkOS Dashboard as the “Reply URL (Assertion Consumer Service URL)”.
+![A screenshot showing where to input the WorkOS ACS URL and WorkOS Entity ID in the Azure dashboard.](https://images.workoscdn.com/images/8bf326a6-f394-4894-9630-d86cdf9b574f.png?auto=format&fit=clip&q=50)
+---
+## (5) Configure User Attributes and Claims
+Click the Edit icon in the top right corner of the second step "Attributes & Claims".
+![A screenshot showing where to select "Edit" for the "Attributes & Claims" step in the Azure dashboard.](https://images.workoscdn.com/images/6155597f-a4b8-4a3c-a7f3-a6e8d4e0865d.png?auto=format&fit=clip&q=50)
+Make sure the following attribute mapping is set:
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` → `user.mail`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` → `user.givenname`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` → `user.userprincipalname`
+- `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` → `user.surname`
+Below is an example of how to format your claim within the Azure claim editor. Make sure the 'Namespace' value ends in `/claims`.
+![A screenshot showing the "Manage Claim" configuration in the Azure dashboard.](https://images.workoscdn.com/images/93ec5d1b-9ecd-49f5-8d2a-a718b5ea58b2.png?auto=format&fit=clip&q=50)
+![A screenshot showing the "Attribute & Claims" configuration in the Azure dashboard.](https://images.workoscdn.com/images/f41b5a7c-1842-4567-9f46-85caa7309176.png?auto=format&fit=clip&q=50)
+### Role Assignment (optional)
+With [identity provider role assignment](/sso/identity-provider-role-assignment), users can receive roles within your application based on their group memberships. To return this information in the attribute statement, follow the guidance below.
+Select "Add a group claim" from the top menu. Next, select which groups you'd like to return in the Group Claims settings. For example, in Entra ID, you could select "Groups assigned to the application" to only send groups assigned to the SAML app. Finally, select "Save" once finished configuring the groups.
+![A screenshot showing how to add a groups claim to your SAML app in the Azure dashboard.](https://images.workoscdn.com/images/4e33755c-945f-4164-873f-33482e3a2c43.png?auto=format&fit=clip&q=50)
+> Finish role assignment set-up by navigating to the SSO connection page in the _Organization_ section of the [WorkOS Dashboard](https://dashboard.workos.com/). Create SSO groups by referencing the group IdP ID. Then, assign roles to these SSO groups so group members are automatically granted roles within your application.
+---
+## (6) Add Users to SAML Application
+In order for your users or groups of users to be authenticated, you will need to assign them to your Entra ID SAML application. Select “Users and groups” from the “Manage” section of the navigation menu.
+![A screenshot showing where to select "Users and groups" in the Azure dashboard.](https://images.workoscdn.com/images/7fe69c75-311e-409b-905a-dbd6b6087394.png?auto=format&fit=clip&q=50)
+Select “Add user/group” from the top menu.
+![A screenshot showing where to select "Add user/group" in the Azure dashboard.](https://images.workoscdn.com/images/817e4d3d-7470-4e20-b9f1-af74ea8adc73.png?auto=format&fit=clip&q=50)
+Select “None selected” under the “Users and Groups”. In the menu, select the users and groups of users that you want to add to the SAML application, and click “Select”.
+![A screenshot showing where to select "None Selected" under "Users and Groups" and add a user in the Azure dashboard.](https://images.workoscdn.com/images/85f005d7-3655-46ac-9554-77fda2c44747.png?auto=format&fit=clip&q=50)
+Select “Assign” to add the selected users and groups of users to your SAML application.
+![A screenshot showing where to select "Assign" in the Azure dashboard.](https://images.workoscdn.com/images/5420b145-6086-4141-b096-9ae9f6ea8529.png?auto=format&fit=clip&q=50)
+---
+## (7) Obtain Identity Provider Details
+Select “Single Sign-On” from the “Manage” section in the left sidebar navigation menu.
+Navigate down to Section 3 of the “Single Sign-On” page, to “SAML Signing Certificate”. Copy the URL provided in “App Federation Metadata URL”.
+![A screenshot showing where to select the "App Federation Metadata URL" in the Azure dashboard.](https://images.workoscdn.com/images/c4ee0b27-ddd7-4aab-96c0-ced1019b4cd7.png?auto=format&fit=clip&q=50)
+Next, within your connection settings under "Identity Provider Configuration", select "Edit Metadata Configuration" and enter the Azure metadata URL.
+![A screenshot showing where to select "Edit Metadata Configuration" on the "SSO Connection" page in the WorkOS dashboard.](https://images.workoscdn.com/images/2ad55b55-e44f-48a6-93db-8699dcd98af6.png?auto=format&fit=clip&q=50)
+Your Connection will then be verified and good to go!
+![A screenshot showing an active Azure SAML connection in the WorkOS dashboard.](https://images.workoscdn.com/images/2116ac59-3868-4c55-aa3d-43cdefd01f1f.png?auto=format&fit=clip&q=50)

package/.docs/organized/docs/integrations/entra-id-scim.mdx ADDED Viewed

@@ -0,0 +1,218 @@
+---
+title: Entra ID SCIM (formerly Azure AD)
+description: "Learn about syncing your user list with\_Entra ID SCIM."
+icon: microsoft
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/entra-id-scim.mdx
+---
+## Introduction
+This guide outlines how to synchronize your application’s Entra ID directories using SCIM.
+To synchronize an organization’s users and groups provisioned for your application, you’ll need to provide the organization with two pieces of information:
+- An [Endpoint](/glossary/endpoint) that Entra ID will make requests to.
+- A [Bearer Token](/glossary/bearer-token) for Entra ID to authenticate its endpoint requests.
+Both of these are available in your Endpoint’s Settings in the [WorkOS Dashboard](https://dashboard.workos.com/).
+> Steps 2, 3, and 4 below will need to be carried out by the organization admin when configuring your application in their Entra ID instance.
+---
+## (1) Set up your Directory Sync endpoint
+Sign in to your WorkOS Dashboard and select “Organizations” from the left hand navigation bar.
+Select the organization you’ll be configuring a new Directory Sync for.
+Click “Add Directory”.
+![A screenshot showing where to add a new directory in the WorkOS dashboard.](https://images.workoscdn.com/images/cf3a5ae2-4add-47ca-887e-d4d78c33d786.png?auto=format&fit=clip&q=50)
+Select “Entra ID” from the dropdown, and enter the organization name.
+Then, click “Create Directory.”
+![A screenshot showing the "Create Directory" menu in the WorkOS dashboard.](https://images.workoscdn.com/images/6244ecf4-65a0-4421-b984-d513704ef882.png?auto=format&fit=clip&q=50)
+> We have support for whitelabeled URLs for Directory Sync endpoints. [Contact us](mailto:support@workos.com) for more info!
+Your Entra ID directory sync has now been created successfully with an Endpoint and Bearer Token.
+![A screenshot showing the Azure SCIM endpoint and bearer token in the WorkOS dashboard.](https://images.workoscdn.com/images/38a98a55-96fa-403d-86f8-cfb313cd51e5.png?auto=format&fit=clip&q=50)
+---
+## (2) Select or create your Azure application
+Sign in to the Entra ID Admin Center Dashboard. Select “Enterprise applications” from the list of Azure services.
+![A screenshot showing where to select "Enterprise applications" in the Azure Active Directory Admin Center Dashboard](https://images.workoscdn.com/images/25d08d2e-48b8-49b0-b8e9-d57641606b57.png?auto=format&fit=clip&q=50)
+If your application is already created, select it from the list of applications and move to Step 3.
+![A screenshot showing where to select the application of choice in the All Applications menu in Azure.](https://images.workoscdn.com/images/7430b6b1-2d16-4df1-b11a-a51d51bc4725.png?auto=format&fit=clip&q=50)
+If you haven’t created a SCIM application in Azure, select “New Application”.
+![A screenshot showing where to select a new application in the All Applications menu in Azure.](https://images.workoscdn.com/images/8e9587aa-e259-4175-952c-bebe476457a2.png?auto=format&fit=clip&q=50)
+Select “Create your own application” and continue.
+![A screenshot showing where to select "Create your own application" in the All Applications menu in Azure.](https://images.workoscdn.com/images/ef501e51-ca06-47ef-a731-f509960fbf70.png?auto=format&fit=clip&q=50)
+Give your application a descriptive name, and select the “Integrate any other application you don’t find in the gallery (Non-gallery)” option, then click “Create”.
+![A screenshot showing where to configure the name of a new application in Azure.](https://images.workoscdn.com/images/cbd435b0-2313-4922-9fa3-87de57b39de8.png?auto=format&fit=clip&q=50)
+---
+## (3) Configure your integration
+Select “Provisioning” from the “Manage” section found in the navigation menu.
+![A screenshot showing where to select "Provisioning" from the "Manage" section in Azure.](https://images.workoscdn.com/images/39c18ede-837f-4735-8fa7-6cc3eb855776.png?auto=format&fit=clip&q=50)
+Click the “Get Started” button.
+![A screenshot showing where to select "Get Started" in the "Provisioning" menu in Azure.](https://images.workoscdn.com/images/e7d7e41f-1dec-4119-a3c4-fcc349a39eb5.png?auto=format&fit=clip&q=50)
+Select the “Automatic” Provisioning Mode from the dropdown menu.
+In the “Admin Credentials” section, copy and paste the Endpoint from your [WorkOS Dashboard](https://dashboard.workos.com/) in the “Tenant URL” field.
+Then, copy and paste the Bearer Token from your [WorkOS Dashboard](https://dashboard.workos.com/) into the Secret Token field.
+Click “Test Connection” to receive confirmation that your connection has been set up correctly. Then, select “Save” to persist the credentials.
+![A screenshot showing where to configure the provisioning mode and credentials in Azure.](https://images.workoscdn.com/images/22d127dc-6834-4a84-b579-c7ae045cd339.png?auto=format&fit=clip&q=50)
+---
+## (4) Set and enable Attribute mappings
+Expand the “Mappings” section.
+![A screenshot showing where to expand "Mappings" in Azure.](https://images.workoscdn.com/images/f78bb399-3ab3-4822-a6bf-e8e96db93cdd.png?auto=format&fit=clip&q=50)
+Make sure the group and user attribute mappings are enabled, and are mapping the correct fields. The default mapping should work, but your specific Azure setup may require you to add a custom mapping.
+![A screenshot showing where to ensure User attribute mappings are enabled in Azure.](https://images.workoscdn.com/images/ab0daea3-dda3-4e3d-9199-9d30a710fdb2.png?auto=format&fit=clip&q=50)
+Make sure that you are mapping `objectId` to `externalId` within the Attribute Mapping section.
+![A screenshot showing where to ensure object ID is mapped to external ID in the Attribute Mapping section in Azure.](https://images.workoscdn.com/images/389cb8cc-9bfd-4f0b-b623-1304cf863c64.png?auto=format&fit=clip&q=50)
+---
+## (5) Assign users and groups to your application
+In order for your users and groups to be synced, you will need to assign them to your Entra ID SCIM Application. Select “Users and groups” from the “Manage” section of the navigation menu.
+![A screenshot showing where to navigate to "Users and groups" from the "Manage" section in Azure.](https://images.workoscdn.com/images/d4f01d7f-6dc4-46c6-a524-a6c5fe47cf7a.png?auto=format&fit=clip&q=50)
+Select “Add user/group” from the top menu.
+![A screenshot showing where to select "Add user/group" in the Users and groups menu in Azure.](https://images.workoscdn.com/images/68717808-6ca4-47ff-8bc0-690f3bfffe0e.png?auto=format&fit=clip&q=50)
+Select “None selected” under the “Users and Groups”. In the menu, select the users and groups that you want to add to the SCIM application, and click “Select”.
+![A screenshot showing where to select users for a SCIM application in Azure.](https://images.workoscdn.com/images/b6e2c4f6-ef9b-4881-8d9c-a23ae55a1490.png?auto=format&fit=clip&q=50)
+Select “Assign” to add the selected users and groups to your SCIM application.
+![A screenshot showing where to assign the selected users for the SCIM application in Azure.](https://images.workoscdn.com/images/e2f7221f-9789-4288-bd66-5450d150db0b.png?auto=format&fit=clip&q=50)
+---
+## (6) Turn on provisioning for your SCIM application
+In the Provisioning menu, confirm the “Provisioning Status” is set to “On” and that the “Scope” is set to “Sync only assigned users and groups”.
+![A screenshot showing where to ensure that the "Provisioning Status" is "On" and "Scope" is set to "Sync only assigned users and groups" in Azure.](https://images.workoscdn.com/images/67041f59-27dc-4026-b6a2-c43568c59dfd.png?auto=format&fit=clip&q=50)
+Begin provisioning users and groups and witness realtime changes in your [WorkOS Dashboard](https://dashboard.workos.com/).
+A detailed guide to integrate the WorkOS API with your application can be found [here](/directory-sync)
+---
+## Configuring user attribute mappings
+For any non-standard attributes used by the application, some configuration may be required in Microsoft Entra. Below is a guide on configuring user attribute mappings, so they propagate via SCIM.
+### (1) Viewing application attributes
+From your Microsoft Entra SCIM application, navigate to the Manage → Provisioning page. Expand the Mappings section and click "Provision Microsoft Entra ID Users".
+![Microsoft Entra enterprise application provisioning tab](https://images.workoscdn.com/images/cb7b0eb7-8ff7-452e-b3c5-14eede22c4da.png?auto=format&fit=clip&q=50)
+This will display a list of attribute mappings and settings:
+![Microsoft Entra attribute mapping settings](https://images.workoscdn.com/images/472657ed-812c-4f3a-b57d-601e573adf48.png?auto=format&fit=clip&q=50)
+### (2) Adding or editing an attribute
+To add a missing attribute, click the "Add New Mapping" button at the bottom left of the mappings list. To edit an existing attribute, click the "Edit" button next to the existing attribute you'd like to edit.
+![Microsoft Entra add new mapping button](https://images.workoscdn.com/images/2319dab9-6392-4a7f-9988-fe8cf5260301.png?auto=format&fit=clip&q=50)
+To configure the mapping, select the source and target attribute from the dropdowns, and ensure "Apply this mapping" is set to "Always".
+For example, to map division, the source attribute has been selected as `employeeOrgData.division` and the target attribute has been selected as `urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division`.
+![Microsoft Entra configure mapping dialog](https://images.workoscdn.com/images/984c0ffe-0d18-4f04-a69b-d4e09b4a51d3.png?auto=format&fit=clip&q=50)
+These new attribute mappings will now propagate to your application when the next SCIM push occurs.
+---
+## Provisioning on demand
+By default, Entra ID SCIM 2.0 directories sync changes on a scheduled time interval, typically every 40 minutes. For use cases where more immediate provisioning or deprovisioning of users, groups, or group memberships is needed, Entra ID provides [provisioning on demand](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand?pivots=app-provisioning).
+To provision on demand, from the enterprise application navigate to the "Provisioning" tab and click "Provision on demand".
+![Entra ID provision on demand button](https://images.workoscdn.com/images/de50df7b-4088-4e95-a711-ad04e43474c5.png?auto=format&fit=clip&q=50)
+To provision a user, select the user from the dropdown and click "Provision".
+![Entra ID provision user on demand](https://images.workoscdn.com/images/121aaa24-d160-40a4-824f-44cc2a5ff84d.png?auto=format&fit=clip&q=50)
+To provision a group or group membership, select the group from the dropdown, and select "View members only". Then select the group memberships to provision and click "Provision".
+![Entra ID provision group memberships on demand](https://images.workoscdn.com/images/34167704-985a-4b0b-b110-89e19d618b37.png?auto=format&fit=clip&q=50)
+Upon clicking "Provision", SCIM requests will immediately be sent to the application. To deprovision a user, group, or group membership, remove it from the Entra application and follow the above provisioning on demand steps.
+---
+## Frequently asked questions
+### No email addresses are coming through for users from Entra. How do I get emails for my Entra users?
+For cloud-managed users, Entra ID pulls the email from the `mail` attribute in Exchange. If your customer doesn’t have this set up, they will need to configure attribute mapping in their SCIM app in Entra in order to provision users with WorkOS. They can use [this tutorial from Microsoft](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes). They’ll want to map a known email attribute, such as UPN, to the `emails[type eq “work”].value` SCIM attribute. For directories with synchronized-users, they will need to map the `userPrincipalName` attribute into the `emails[type eq “work”].value` SCIM attribute.
+### Sometimes, reactivating "suspended" users does not re-add them to their Entra groups. Why is that and how can I fix it?
+When a user is deleted from the entire directory, instead of only being deprovisioned from the SCIM app, the user may be soft-deleted (their state is set as "suspended"). Reactivating these suspended users will not send SCIM requests to re-add the user to the groups. To do so, the IT admin will need to select the "Restart Provisioning" button for the SCIM app in Azure.
+![A screenshot showing where to restart provisioning in Entra.](https://images.workoscdn.com/images/757f8920-da4b-46ac-90b0-9780b150eb62.png?auto=format&fit=clip&q=50)
+### Can profile images be accessed with Entra ID SCIM?
+Entra ID's SCIM provisioning does not support transmitting image.
+### Why do I receive a `dsync.user.updated` event after `dsync.user.created`?
+Entra ID sends a newly provisioned user over to WorkOS in two separate actions. WorkOS will then send these actions as two individual events to your app. This is expected behavior.
+### How often do Entra ID SCIM 2.0 directories perform a sync?
+By default, Entra ID SCIM 2.0 directories sync changes on a scheduled time interval, typically every 40 minutes. For more details, please refer to Entra ID's [official documentation](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user#how-long-will-it-take-to-provision-users).
+[Provisioning on demand](/integrations/entra-id-scim/provisioning-on-demand) is also available, which can sync select users, groups, or group memberships in real-time.

package/.docs/organized/docs/integrations/firebase.mdx ADDED Viewed

@@ -0,0 +1,98 @@
+---
+title: Firebase
+description: Add Single Sign-On to your Firebase application with WorkOS.
+icon: firebase
+breadcrumb:
+  title: Integrations
+  url: /integrations
+originalPath: .tmp-workos-clone/packages/docs/content/integrations/firebase.mdx
+---
+## Introduction
+In this guide, you’ll learn how to use WorkOS to add Single Sign-On (SSO) to a Firebase application. This will allow users to sign in to an existing Firebase application using WorkOS SSO Connections.
+## What WorkOS provides
+WorkOS will provide the following pieces of information: API key, Client ID, and the Issuer URL.
+- The API key can be found in your WorkOS dashboard under **API Keys**.
+- The Client ID can be found in your WorkOS dashboard under **Configuration**.
+- The Issuer URL is constructed with the Client ID. `https://auth.workos.com/sso/<client_id>`.
+## What you’ll need
+- An existing Firebase project
+---
+## (1) Configure Authentication for your Firebase project
+Log into Firebase and navigate to your project. Click on the Authentication tile to set up a new Authentication method for your project.
+![A screenshot showing where to find the Authentication tile in Firebase.](https://images.workoscdn.com/images/612ce59a-a1c8-4eb9-a209-9d0f6b6c5086.png?auto=format&fit=clip&q=50)
+Next, click **Get started**.
+![A screenshot showing where to find the Get started button in Firebase](https://images.workoscdn.com/images/bd877730-1e9a-487d-8938-10782c912d45.png?auto=format&fit=clip&q=50)
+Click on the Sign-in method tab and then select the OpenID Connect custom provider.
+![A screenshot showing where to find the OpenID Connect custom provider in Firebase](https://images.workoscdn.com/images/ee3fbc76-d94b-491e-842a-5f74eb4a2d62.png?auto=format&fit=clip&q=50)
+Enter the configuration details for the connection between WorkOS and Firebase.
+You will need the following pieces of information:
+- **WorkOS Client ID**: Found on the **Configuration** tab of the WorkOS Dashboard
+- **WorkOS API Key**: Located on the **API Keys** tab of the WorkOS Dashboard
+- **Issuer (URL)**: This will be `https://auth.workos.com/sso/` appended with your client ID, ex: `https://auth.workos.com/sso/client_123`
+- **Provider ID**: This is found in Firebase under the Name of your OIDC provider. This will be important for a later step.
+![A screenshot showing the authentication provider configuration details in Firebase](https://images.workoscdn.com/images/5eb66fe3-8cad-4555-9417-ab38924d1288.png?auto=format&fit=clip&q=50)
+---
+## (2) Configure the Redirect URI in WorkOS
+Click Next, then copy the **Callback URL** provided by Firebase.
+![A screenshot showing where to obtain the Callback URL in Firebase.](https://images.workoscdn.com/images/a33d3b63-e6f9-4a43-8108-012f54d7c7db.png?auto=format&fit=clip&q=50)
+Paste the Callback URL in the list of Redirect URI’s in the configuration tab of your WorkOS dashboard.
+![A screenshot showing where to enter the Redirect URI in WorkOS.](https://images.workoscdn.com/images/c2c6ef52-e61e-41af-9c37-1e2187bf1744.png?auto=format&fit=clip&q=50)
+---
+## (3) Create a Firebase web app and get configuration details
+On the Firebase Project Overview page, click the web icon above **Add an app to get started**, or navigate to your project settings page if your project is already set up.
+![A screenshot showing where to create a web app in Firebase.](https://images.workoscdn.com/images/777e0c57-2c9d-4516-9e3e-985460ed38b6.png?auto=format&fit=clip&q=50)
+Choose a name for your application, and then take note of the firebaseConfig from the Add Firebase SDK step.
+![A screenshot showing where to obtain the firebaseConfig details in Firebase.](https://images.workoscdn.com/images/64b62bc6-4891-4627-9a2a-9440e0d27aa7.png?auto=format&fit=clip&q=50)
+---
+## (4) Configure Firebase login in your application
+Your Firebase configuration and Provider ID can now be used along with any Organization ID from an Active WorkOS SSO connection to log users in to your Firebase app. Here is a basic example showing how this can be set up.
+Replace the `firebaseConfig` variable value with the config from your Firebase app, the `OAuthProvider` value with your Provider ID, and the organization under `provider.setCustomParameters` with the organization to target. This organization should have an active SSO connection already set up.
+> The `connection` parameter may be used in place of the `organization` parameter to target a connection.
+Finally, run the app and click the sign-in button.
+<CodeBlock
+  file="update-firebase-profile"
+  language="html"
+  title="Update Firebase Profile"
+/>
+You will now see the user signed in on the Authentication section’s user tab in Firebase. You can also view the user information by decoding the access token which is logged to the console.
+![A screenshot showing a successfully authenticated user in Firebase.](https://images.workoscdn.com/images/a4d521f9-3765-4d2d-909c-5340a462ba3e.png?auto=format&fit=clip&q=50)