Docs

Identity / Access Management

Integration setup guides for identity providers and access management platforms.

Connect your identity and access management tools to Zaun. Ember watches authentication, MFA, and identity threats; Reagent governs the OAuth grants your people hand to AI tools.

1Password

Category: Secrets & Identity Management | Auth: API Key

Required Credentials

FieldDescription
Access TokenFrom 1Password Connect Server setup
Connect Server URLYour deployed Connect Server endpoint

Setup Steps

  1. In 1Password.com > Developer > Infrastructure Secrets > Connect Servers.
  2. Create a Connect server. This generates credentials and an access token.
  3. Deploy the Connect server (Docker/K8s). Paste the Access Token and URL into Zaun.

Cisco Duo

Category: Multi-Factor Authentication | Auth: HMAC Auth

Required Credentials

FieldDescription
Integration Key (ikey)API username
Secret Key (skey)HMAC-SHA1 signing key
API Hostnamee.g. api-XXXXXXXX.duosecurity.com

Required Permissions

PermissionPurpose
Grant read informationAccount utilization
Grant read resourceUsers, devices, policies
Grant read logAuth logs, admin logs, telephony logs

Setup Steps

  1. In Duo Admin Panel (requires Owner role) > Applications > Application Catalog.
  2. Search Admin API, click Add.
  3. Record Integration Key, Secret Key, and API Hostname.
  4. Check the three read permission boxes above. Click Save.
  5. Paste into Zaun.

Google Workspace

Category: Email & Directory Security | Auth: OAuth2 / JWT

Required Credentials

FieldDescription
Service Account JSON KeyJSON key file from Google Cloud Console
Admin EmailSuper admin email to impersonate

Required Scopes (Domain-Wide Delegation)

ScopePurpose
admin.directory.user.readonlyRead user profiles
admin.directory.group.readonlyRead groups and membership
admin.directory.device.chromeos.readonlyChrome OS devices
admin.directory.device.mobile.readonlyMobile devices
admin.reports.audit.readonlyAudit log events

Setup Steps

  1. In Google Cloud Console, create a project, enable Admin SDK API & Reports API.
  2. Create a service account under IAM & Admin. Generate and download the JSON key.
  3. Copy the service account's Client ID from Advanced settings.
  4. In Google Admin Console > Security > API controls > Domain-wide Delegation > Add new.
  5. Paste the Client ID and enter the scopes above (comma-separated).
  6. Upload the JSON key and Admin Email into Zaun.

Domain-wide delegation changes can take up to 24 hours to propagate.

Microsoft Entra ID

Category: Identity & Directory via Microsoft Graph | Auth: OAuth2 Admin Consent

How It Works

Microsoft Graph uses an OAuth2 Admin Consent flow in the Zaun UI. No manual credential fields - you click a consent button that redirects to Microsoft's login page.

TierLicenseData Access
Business StandardM365 Business Standard+Users, groups, sign-in & audit logs
DefenderM365 E3/E5Above + security alerts, incidents, advanced hunting

Setup Steps

  1. On the Zaun connect page, find Microsoft Graph and select your permission tier.
  2. Click Grant Admin Consent. Sign in with a Global Administrator account.
  3. Review permissions and click Accept. You'll be redirected back to Zaun.

No manual credential entry required. Zaun handles token management automatically.

Okta

Category: Identity Provider | Auth: OAuth2 / Private Key JWT

Required Credentials

FieldDescription
Okta Domaine.g. https://yourorg.okta.com
Client IDGenerated when creating the service app
Private KeyRSA key (JWK JSON or PEM format)

Required OAuth2 Scopes

ScopePurpose
okta.users.readUser profiles and attributes
okta.groups.readGroup membership
okta.logs.readSystem Log events
okta.apps.readApplication assignments
okta.devices.readDevice inventory
okta.policies.readAuth policies

Setup Steps

  1. In Okta Admin > Applications > Create App Integration > API Services.
  2. Name it (e.g. Zaun Ember). Copy Client ID.
  3. Under Client Credentials, select Public key / Private key. Generate or supply a key pair.
  4. Download/copy the private key.
  5. Go to Okta API Scopes tab, grant the scopes above.
  6. Paste Okta Domain, Client ID, and Private Key into Zaun.

PingOne

Category: Advanced Identity (PingIdentity) | Auth: OAuth2

Required Credentials

FieldDescription
Client IDWorker application client ID
Client SecretWorker application secret
Environment IDPingOne environment identifier

Setup Steps

  1. In PingOne admin > Applications > + > select Worker type.
  2. Ensure Client Credentials grant is checked.
  3. Assign minimal roles (e.g. Identity Data Admin for user/group access).
  4. Copy Client ID, Client Secret, and Environment ID. Paste into Zaun.

Firewalls / Network Security

Integration setup guides for firewall and network security platforms.

Cloud Security

Integration setup guides for cloud security platforms (AWS, Azure, GCP).

On this page

1PasswordRequired CredentialsSetup StepsCisco DuoRequired CredentialsRequired PermissionsSetup StepsGoogle WorkspaceRequired CredentialsRequired Scopes (Domain-Wide Delegation)Setup StepsMicrosoft Entra IDHow It WorksSetup StepsOktaRequired CredentialsRequired OAuth2 ScopesSetup StepsPingOneRequired CredentialsSetup Steps