Integration Patterns

IAM and PAM platforms do not operate in isolation. They must integrate with the broader enterprise toolchain — HR systems for identity lifecycle, ITSM for access requests, SIEM for logging and alerting, and DevOps tools for automated operations.

Integration Architecture

The IAM Integration Landscape

┌────────────────────────────────────────────────────────────┐
│                  ENTERPRISE INTEGRATIONS                   │
├──────────┬──────────┬──────────┬──────────┬────────────────┤
│   HRIS   │   ITSM   │   SIEM   │  DevOps  │     Cloud      │
├──────────┼──────────┼──────────┼──────────┼────────────────┤
│ Workday  │ServiceNow│ Splunk   │ Jenkins  │ AWS IAM        │
│ SAP SF   │ Jira     │ Sentinel │ Ansible  │ Entra ID       │
│ Oracle   │ Zendesk  │ QRadar   │ GitLab   │ GCP IAM        │
│ BambooHR │ Cherwell │ LogRhythm│ Terraform│ Kubernetes     │
└────┬─────┴────┬─────┴────┬─────┴────┬─────┴───────┬────────┘
     │          │          │          │             │
     └──────────┴──────────┴───┬──────┴─────────────┘
                               │
                      ┌────────┴────────┐
                      │ IAM/PAM Platform│
                      └────────┬────────┘
                               │
                    ┌──────────┴────────────┐
                    │    Target Systems     │
                    │ (Managed by IAM/PAM)  │
                    └───────────────────────┘

HRIS Integration

Purpose

HRIS integration is the foundation of automated identity lifecycle management. The HR system is the authoritative source for identity attributes and employment status changes that drive provisioning and deprovisioning.

| Integration Type | Direction | Protocol | Data | Use Case |
|---|---|---|---|---|
| User provisioning | HRIS → IAM | SCIM, REST, file feed | New hire attributes, role/group membership | Create user accounts on onboarding |
| Status changes | HRIS → IAM | Event-driven (webhook), batch | Active → terminated, department change, manager change | Deprovision on termination, role update on transfer |
| Attribute sync | HRIS → IAM | Scheduled batch, delta feed | Name, email, title, department, location | Maintain attribute accuracy across systems |
| Roles | HRIS → IAM | REST, SCIM | Job code, cost centre, business unit | Role assignment/mapping for RBAC |

SCIM for HRIS Integration

SCIM (System for Cross-domain Identity Management, RFC 7643 for the schema and RFC 7644 for the protocol) is the standard protocol for identity provisioning. Each HRIS lifecycle event maps onto a SCIM call against the IdP or IGA platform:

| SCIM Operation | HRIS Event | IAM Action |
|---|---|---|
| POST /Users | New employee record created | Create user account in IdP, PAM, target systems |
| PUT /Users/{id} | Employee attribute change | Replace the full user resource, trigger role recalculation |
| PATCH /Users/{id} | Partial attribute update | Update specific attributes without full replacement |
| PATCH /Users/{id} with active=false | Employee terminated | Disable the account but keep the record; trigger the deprovisioning workflow |
| DELETE /Users/{id} | Employee record purged after retention | Remove the resource entirely |
| POST /Groups | New department/team created | Create corresponding group in IAM |
| PATCH /Groups/{id} | Group membership change | Add/remove user from group, recalculate entitlements |

Note the distinction between the last two User operations: RFC 7644 defines DELETE as removal of the resource, so a leaver should be signalled with active=false (which preserves the audit trail and allows rehire) and DELETE reserved for the end of the retention period.
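The joiner/mover/leaver mapping above, carried through as an added example that is not the page's own code. It reconciles a constructed HRIS delta feed against an in-memory view of what the IAM platform already knows (both invented for the example; the employee number is assumed to be the stable join key) and emits the SCIM requests an IdP or IGA platform would receive. Payload shapes follow RFC 7643/7644; the leaver path deliberately sends PATCH active=false rather than DELETE.

```python
"""Joiner/mover/leaver reconciliation that emits SCIM 2.0 requests.

Added example (not the page's own code). HRIS_FEED and IAM_STATE are
constructed; the SCIM payload shapes follow RFC 7643/7644.
"""
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed HRIS delta feed; employeeNumber is the stable join key (assumption).
HRIS_FEED = [
    {"employeeNumber": "E1001", "status": "active", "givenName": "Ada",
     "familyName": "Lovelace", "email": "ada@example.com",
     "title": "Analyst", "department": "Finance"},                 # joiner
    {"employeeNumber": "E1002", "status": "active", "givenName": "Linus",
     "familyName": "Torvalds", "email": "linus@example.com",
     "title": "Senior Engineer", "department": "Platform"},        # mover: title changed
    {"employeeNumber": "E1003", "status": "terminated", "givenName": "Grace",
     "familyName": "Hopper", "email": "grace@example.com",
     "title": "Admiral", "department": "Navy"},                    # leaver
]

# Constructed IAM-side state: employeeNumber -> SCIM id plus the attributes we track.
IAM_STATE = {
    "E1002": {"id": "7b2c", "active": True, "title": "Engineer", "department": "Platform"},
    "E1003": {"id": "9f01", "active": True, "title": "Admiral", "department": "Navy"},
}


def to_scim_user(rec):
    """Map an HRIS record to a SCIM User resource (core schema + enterprise extension)."""
    return {
        "schemas": [CORE, ENTERPRISE],
        "userName": rec["email"],
        "name": {"givenName": rec["givenName"], "familyName": rec["familyName"]},
        "emails": [{"value": rec["email"], "primary": True}],
        "title": rec["title"],
        "active": rec["status"] == "active",
        ENTERPRISE: {"employeeNumber": rec["employeeNumber"],
                     "department": rec["department"]},
    }


def patch(operations):
    """Wrap a list of operations in a SCIM PatchOp message."""
    return {"schemas": [PATCH_OP], "Operations": operations}


def reconcile(feed, iam_state):
    """Return (method, path, body) SCIM calls that bring IAM in line with the HRIS feed."""
    calls = []
    for rec in feed:
        known = iam_state.get(rec["employeeNumber"])
        if known is None:
            if rec["status"] == "active":            # joiner: create the account
                calls.append(("POST", "/Users", to_scim_user(rec)))
            continue                                  # terminated and never provisioned: nothing to do
        path = f"/Users/{known['id']}"
        if rec["status"] != "active":
            if known["active"]:                       # leaver: deactivate, never DELETE on day one
                calls.append(("PATCH", path, patch([
                    {"op": "replace", "path": "active", "value": False}])))
            continue
        ops = []                                      # mover: patch only attributes that differ
        if rec["title"] != known["title"]:
            ops.append({"op": "replace", "path": "title", "value": rec["title"]})
        if rec["department"] != known["department"]:
            ops.append({"op": "replace", "path": f"{ENTERPRISE}:department",
                        "value": rec["department"]})
        if ops:
            calls.append(("PATCH", path, patch(ops)))
    return calls


if __name__ == "__main__":
    for method, path, body in reconcile(HRIS_FEED, IAM_STATE):
        print(method, path, json.dumps(body, indent=2))
```

The diff-then-PATCH approach for movers matters in practice: a PUT would overwrite attributes that the IAM platform, not HR, is authoritative for (MFA enrolment, app-specific roles), whereas PATCH touches only the HR-owned fields.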

HRIS Integration Patterns

| Pattern | Real-Time? | Complexity | Best For |
|---|---|---|---|
| SCIM (push) | Yes | Medium | Cloud IGA/IdP with SCIM-capable HRIS |
| Webhook trigger | Yes | Low-Medium | HRIS with webhook support (Workday, BambooHR) |
| REST API polling | Near-real-time (5-15 min) | Medium | HRIS with REST API but no webhook |
| File-based (SFTP) | Batch (daily/hourly) | Low | Legacy HRIS or air-gapped environments |
| JDBC connector | Batch (near-real-time) | Medium | Direct database integration (less common, higher risk) |

ITSM Integration

Purpose

ITSM integration connects IAM access request workflows with the enterprise service desk, providing a single interface for users to request access and for approvers to review requests.

| Integration Point | Direction | Protocol | Use Case |
|---|---|---|---|
| Access request creation | ITSM → IAM | REST API, webhook | User submits access request in portal |
| Access fulfilment | IAM → ITSM | REST API | IAM provisions access, updates ticket status |
| Certification tasks | IAM → ITSM | REST API, email | Create ITSM tasks for certification reviewers |
| Approval workflows | ITSM → IAM | Webhook, API callback | Approver decision from ITSM portal |

Common ITSM Integration Flow

User submits request ──> ITSM ticket created ──> Approver notified
in ServiceNow            (RITM / SCTASK)         (via email / SMS / portal)
                                                          │
                                                          v
                                               Approver approves or rejects
                                                     │             │
                                                  Approve        Reject
                                                     │             │
                                                     v             v
                                      IAM provisions access    Ticket closed
                                      (via SCIM/API/connector) as "Rejected"
                                      Ticket updated: "Fulfilled"
                                      User notified of access grant
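The approval step is the one an attacker would target: if the IAM platform accepts any "approved" callback from the ITSM URL, whoever can reach that endpoint grants themselves access. The following is an added example, not the page's or any ITSM vendor's code, showing the checks the IAM side should perform before acting on the webhook. The signature scheme (HMAC-SHA256 over "timestamp.body", carried in hypothetical X-Signature and X-Timestamp headers), the shared secret, and the ticket store are all assumptions constructed for the example; real ITSM platforms each have their own signing convention.

```python
"""Verify an ITSM approval-decision callback before IAM fulfils it.

Added example, not the page's or any vendor's code. The header names,
signature scheme and ticket store are constructed assumptions.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-webhook-secret"   # assumption: provisioned out of band
MAX_SKEW_SECONDS = 300                           # reject callbacks older than five minutes

# Constructed ticket state: RITM number -> status and what was requested.
TICKETS = {"RITM0010042": {"status": "pending_approval", "user": "ada@example.com",
                           "entitlement": "finance-reporting-rw"}}
SEEN_NONCES = set()                              # replay protection inside the skew window


def sign(body: bytes, ts: int, secret: bytes = SHARED_SECRET) -> str:
    """What the ITSM side computes: HMAC-SHA256 over the timestamp and the raw body."""
    return hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()


def verify_callback(body: bytes, headers: dict, now: Optional[int] = None) -> dict:
    """Authenticate, check freshness, reject replays, then parse. Raises ValueError on failure."""
    now = now if now is not None else int(time.time())
    ts_raw, sig = headers.get("X-Timestamp"), headers.get("X-Signature")
    if ts_raw is None or sig is None:
        raise ValueError("missing signature headers")
    ts = int(ts_raw)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        raise ValueError("stale callback")
    if not hmac.compare_digest(sign(body, ts), sig):   # constant-time comparison
        raise ValueError("bad signature")
    event = json.loads(body)                            # parse only after authentication
    if event["nonce"] in SEEN_NONCES:
        raise ValueError("replayed callback")
    SEEN_NONCES.add(event["nonce"])
    return event


def apply_decision(event: dict, tickets: dict = TICKETS) -> str:
    """State machine: only a ticket still pending approval may move to fulfilled or rejected."""
    ticket = tickets[event["ticket"]]
    if ticket["status"] != "pending_approval":
        raise ValueError(f"ticket {event['ticket']} is {ticket['status']}, not pending")
    if event["decision"] == "approved":
        ticket["status"] = "fulfilled"   # the real provisioning call (SCIM/connector) goes here
        return f"provision {ticket['entitlement']} for {ticket['user']}"
    ticket["status"] = "rejected"
    return "close ticket as Rejected"


def handle(body: bytes, headers: dict, now: Optional[int] = None) -> str:
    return apply_decision(verify_callback(body, headers, now))


if __name__ == "__main__":
    body = json.dumps({"ticket": "RITM0010042", "decision": "approved",
                       "approver": "cfo@example.com", "nonce": "n-1"}).encode()
    ts = int(time.time())
    print(handle(body, {"X-Timestamp": str(ts), "X-Signature": sign(body, ts)}))
```

The order of checks is deliberate: timestamp before signature (cheap rejection of stale traffic), signature before JSON parsing (never parse unauthenticated input), nonce after signature (so an attacker cannot poison the nonce set with unsigned requests). The ticket state machine is the last line of defence: a second "approved" callback for an already fulfilled ticket is rejected even if it were somehow freshly signed.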

SIEM Integration

Purpose

SIEM integration centralises IAM/PAM audit logs for security monitoring, compliance reporting, and threat detection.

| Log Source | Data to Send | Protocol | Volume (Events/Day, Typical) |
|---|---|---|---|
| IdP authentication logs | Login success/failure, MFA events, token issuance | Syslog, REST API (SIEM connector) | 100K - 10M |
| PAM session logs | Session start/end, command execution, file transfer | Syslog, REST API | 10K - 500K |
| PAM credential events | Check-out, check-in, rotation | Syslog | 1K - 10K |
| IGA provisioning events | User creation, modification, deletion | Syslog, REST API | 5K - 50K |
| IGA certification events | Campaign start/end, reviewer decisions | Syslog, REST API | 100 - 10K (spiky) |
| Directory audit logs | Account changes, group changes, password resets | Windows Event Forwarding, or syslog via a collection agent | 100K - 5M |

SIEM Log Standardisation

| Standard | Format | IAM/PAM Support | Recommendation |
|---|---|---|---|
| CEF (Common Event Format) | Pipe-delimited header plus key=value extension | Broad support (ArcSight) | Good for on-prem SIEM |
| LEEF (Log Event Extended Format) | Key-value pairs with header | IBM QRadar | Use if QRadar is the SIEM |
| JSON | Structured JSON | All modern platforms (Okta, Microsoft Entra ID) | Preferred for cloud SIEM (Splunk, Sentinel) |
| Syslog (RFC 5424) | Structured text | All PAM/IGA platforms | Universal transport, limited structure |
| Windows Event Log | XML | AD, ADFS, Windows servers | For Windows-centric environments |
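Whatever format is chosen, the field values are partly attacker-controlled: a username, a user agent or a failure reason is whatever the client sent. The following added example (not the page's code) serialises a constructed IdP login-failure event as CEF and as JSON and shows why escaping is not optional. The vendor and product names are placeholders; the escaping rules are the ones from the published CEF specification (backslash and pipe escaped in the header; backslash, equals sign and line breaks escaped in the extension). The hostile suser value is constructed to show what happens without them: an unescaped newline lets one event masquerade as two.

```python
"""Serialise an IdP authentication event as CEF and JSON with correct escaping.

Added example, not the page's own code. LOGIN_FAILURE is constructed.
"""
import json


def _esc_header(value):
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """CEF extension values: escape backslash, '=' and line breaks (pipe is allowed here)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, sig_id, name, severity, ext):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value ..."""
    header = "|".join(_esc_header(v) for v in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def split_cef_header(line):
    """Return (the seven header fields, raw extension), honouring the header escapes."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):        # escaped character: take the next one literally
            current.append(line[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(c)
            i += 1
    return fields, line[i:]


def to_json(ext, **header):
    """JSON form for cloud SIEMs: json.dumps does the escaping, nothing custom needed."""
    return json.dumps({**header, **ext}, sort_keys=True, separators=(",", ":"))


# Constructed event; the suser value is what a hostile self-registered user might choose.
LOGIN_FAILURE = dict(
    vendor="ExampleIdP", product="SSO", version="4.2", sig_id="AUTH_FAIL",
    name="User login failed", severity=5,
    ext={"suser": "ada|x=admin\nCEF:0|forged", "src": "203.0.113.7",
         "outcome": "failure", "reason": "mfa_denied"},
)


if __name__ == "__main__":
    line = to_cef(**LOGIN_FAILURE)
    print(line)
    print(split_cef_header(line))
    print(to_json(LOGIN_FAILURE["ext"], vendor="ExampleIdP", sig_id="AUTH_FAIL"))
```

Run it and the CEF line stays a single line with the forged "CEF:0|" prefix neutralised inside the suser value; the header parser still recovers all seven fields because it only splits on unescaped pipes. The JSON path needs none of this because the library escapes for you, which is one practical reason the table above prefers JSON for cloud SIEMs.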

DevOps Integration

Purpose

DevOps integration enables automated credential management, secret rotation, and policy-as-code in CI/CD pipelines.

| Integration | Direction | Protocol | Use Case |
|---|---|---|---|
| Secret retrieval | CI/CD → PAM vault | REST API (Vault API) | CI/CD pipeline retrieves database/service credentials |
| Secret rotation | PAM → DevOps pipeline | Webhook, API trigger | Post-rotation notification to update dependent systems |
| SSH key management | DevOps → PAM | REST API, agent | Automated SSH key deployment to servers |
| Policy-as-code | Git → PAM/IGA | Git push, API import | GitOps for IAM policy management |
| Terraform provider | IaC → IAM/PAM | Terraform provider API | Infrastructure-as-Code for IAM configuration |

CI/CD Secret Retrieval Flow

Developer pushes code ──> CI/CD pipeline triggered
                                   │
                          ┌────────┴────────┐
                     Build starts      Test execution
                          └────────┬────────┘
                                   v
                   Request credentials from PAM vault
                          ┌────────┴────────┐
                          │                 │
                   Check user/role    Token validation
                   authorisation      and expiry check
                          │                 │
                          └────────┬────────┘
                                   v
                     Temporary credential issued
                     (TTL: pipeline duration only)
                                   │
                         Pipeline uses credential
                                   │
                     Credential expires / is returned
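The flow above, worked through as an added example that is not the page's code and not any vendor's vault API. The Vault class is an in-memory stand-in for a PAM vault; the pipeline token (standing in for whatever the CI system presents, such as an OIDC workload identity), the role-to-path policy and the clock are all constructed assumptions. What it adds to the diagram: the lease TTL is clamped to the shortest of what the job asked for, the vault's ceiling, and the remaining life of the caller's token, and the pipeline revokes the lease in a finally block so a failed job does not leave a live credential behind.

```python
"""Just-in-time pipeline credentials with a lease bound to the job's lifetime.

Added example, not the page's code nor any vendor's API. Vault, the role
policy and the clock are constructed stand-ins for a PAM vault.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Token:                       # what the CI/CD job presents to the vault
    value: str
    role: str
    expires_at: int


@dataclass
class Lease:                       # a dynamically minted secret with an expiry
    lease_id: str
    path: str
    secret: str
    expires_at: int
    revoked: bool = False


class VaultError(Exception):
    pass


class Vault:
    # Constructed policy: which secret paths each pipeline role may read.
    POLICY = {"ci-build": {"db/app-readonly"},
              "ci-deploy": {"db/app-readonly", "cloud/deploy-key"}}
    MAX_TTL = 3600                 # hard ceiling regardless of what the caller asks for

    def __init__(self, now_fn):
        self.now = now_fn          # injected clock so expiry can be tested deterministically
        self.tokens = {}
        self.leases = {}

    def issue_token(self, role, ttl):
        token = Token(secrets.token_hex(16), role, self.now() + ttl)
        self.tokens[token.value] = token
        return token

    def _authenticate(self, token_value):
        """Token validation and expiry check."""
        token = self.tokens.get(token_value)
        if token is None:
            raise VaultError("unknown token")
        if self.now() >= token.expires_at:
            raise VaultError("token expired")
        return token

    def request_credential(self, token_value, path, requested_ttl):
        """Authorise role -> path, then mint a fresh secret that cannot outlive the token."""
        token = self._authenticate(token_value)
        if path not in self.POLICY.get(token.role, set()):
            raise VaultError(f"role {token.role} not permitted to read {path}")
        ttl = min(requested_ttl, self.MAX_TTL, token.expires_at - self.now())
        lease = Lease(secrets.token_hex(8), path, "dyn-" + secrets.token_hex(6), self.now() + ttl)
        self.leases[lease.lease_id] = lease
        return lease

    def is_valid(self, lease_id):
        lease = self.leases.get(lease_id)
        return lease is not None and not lease.revoked and self.now() < lease.expires_at

    def revoke(self, lease_id):
        self.leases[lease_id].revoked = True


def run_pipeline(vault, token_value, expected_seconds):
    """The pipeline side: lease for the job's expected duration, always hand it back."""
    lease = vault.request_credential(token_value, "db/app-readonly", expected_seconds)
    try:
        # the build/test steps would use lease.secret here
        return {"lease": lease.lease_id, "secret_prefix": lease.secret[:4]}
    finally:
        vault.revoke(lease.lease_id)   # runs even if the job raised


if __name__ == "__main__":
    import time
    vault = Vault(lambda: int(time.time()))
    token = vault.issue_token("ci-build", 600)
    print(run_pipeline(vault, token.value, 300))
```

Two checks a real deployment would add on top: bind the token to the specific pipeline run (repository, branch, job id) rather than only a role, so a token leaked from one job cannot be replayed from another, and have the vault emit a credential event for each lease so the SIEM sees check-out and return as described in the previous section.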

Event-Driven Integration

Integration Bus Architecture

┌────────────────────────────────────────────────────────────┐
│              EVENT BUS (Kafka / EventBridge)               │
├──────────┬──────────┬──────────┬──────────┬────────────────┤
│ Identity │  Access  │ Certif.  │  Audit   │    Anomaly     │
│  Events  │  Events  │  Events  │  Events  │     Events     │
├──────────┼──────────┼──────────┼──────────┼────────────────┤
│  HRIS    │  IGA     │  IGA     │  IdP     │  SIEM          │
│  IdP     │  PAM     │          │  PAM     │  UEBA          │
│  IGA     │  IdP     │          │  AD      │  IdP           │
└──────────┴──────────┴──────────┴──────────┴────────────────┘

Event Types

| Event Category | Example Events | Consumers |
|---|---|---|
| Identity lifecycle | User created, user terminated, attribute changed | IGA (provisioning), HRIS (confirmation), SIEM (audit) |
| Access events | Role granted, role revoked, access request approved | Target systems (provision), ITSM (ticket update) |
| Authentication events | Login success, login failure, MFA challenge | SIEM (monitoring), IdP (risk scoring) |
| Privileged session events | Session started, command executed, session ended | SIEM (monitoring), PAM (session record) |
| Compliance events | Certification started, certification completed, SoD violation | IGA (reporting), ITSM (remediation), SIEM (audit) |
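The subscription model in the table, as an added example that is not the page's code. It is an in-memory stand-in for a Kafka or EventBridge consumer group with no broker involved; the event shape (id, category, type, subject), the category names and the consumers are assumptions constructed for the example. What it shows beyond the table: brokers deliver at least once, so each consumer de-duplicates on the event id (a redelivered "user terminated" must not disable the account twice or double-count in audit), and events with no subscriber or a broken schema land in a dead-letter list rather than disappearing.

```python
"""Route IAM events to consumers that tolerate redelivery.

Added example, not the page's own code. EVENTS and the consumers are
constructed; no broker is involved.
"""
from collections import defaultdict

REQUIRED_FIELDS = ("id", "category", "type", "subject")


class EventBus:
    def __init__(self):
        self.subscribers = defaultdict(list)    # category -> [handler]
        self.dead_letter = []                   # (reason, event)

    def subscribe(self, category, handler):
        self.subscribers[category].append(handler)

    def publish(self, event):
        if any(k not in event for k in REQUIRED_FIELDS):
            self.dead_letter.append(("schema", event))
            return
        handlers = self.subscribers.get(event["category"], [])
        if not handlers:
            self.dead_letter.append(("no-consumer", event))
            return
        for handler in handlers:
            handler(event)


class IdempotentConsumer:
    """Wrap a handler so a redelivered event (same id) is applied only once."""

    def __init__(self, name, handler):
        self.name, self.handler, self.seen, self.log = name, handler, set(), []

    def __call__(self, event):
        if event["id"] in self.seen:
            self.log.append(("duplicate", event["id"]))
            return
        self.seen.add(event["id"])
        self.handler(event)
        self.log.append(("processed", event["id"]))


class Provisioner:
    """Constructed IGA consumer: turns lifecycle events into account actions."""

    def __init__(self):
        self.actions = []

    def handle(self, event):
        if event["type"] == "user.created":
            self.actions.append(("create", event["subject"]))
        elif event["type"] == "user.terminated":
            self.actions.append(("disable", event["subject"]))


# Constructed stream: e2 is redelivered, e4 has no subscriber, the last record is malformed.
EVENTS = [
    {"id": "e1", "category": "identity_lifecycle", "type": "user.created", "subject": "ada@example.com"},
    {"id": "e2", "category": "identity_lifecycle", "type": "user.terminated", "subject": "grace@example.com"},
    {"id": "e2", "category": "identity_lifecycle", "type": "user.terminated", "subject": "grace@example.com"},
    {"id": "e3", "category": "privileged_session", "type": "session.started", "subject": "root@db01"},
    {"id": "e4", "category": "compliance", "type": "sod.violation", "subject": "linus@example.com"},
    {"category": "identity_lifecycle", "type": "user.created"},
]


def replay(events):
    """Wire consumers as in the event table and feed the stream through the bus."""
    bus, iga, siem_audit = EventBus(), Provisioner(), []
    bus.subscribe("identity_lifecycle", IdempotentConsumer("iga", iga.handle))
    bus.subscribe("identity_lifecycle", IdempotentConsumer("siem", siem_audit.append))
    bus.subscribe("privileged_session", IdempotentConsumer("siem", siem_audit.append))
    for event in events:
        bus.publish(event)
    return bus, iga, siem_audit


if __name__ == "__main__":
    bus, iga, siem_audit = replay(EVENTS)
    print(iga.actions, len(siem_audit), bus.dead_letter)
```

In a real deployment the seen-id set lives in the consumer's own durable store (keyed per consumer, since each consumer has its own delivery history), and the dead-letter list is a queue that someone is paged on: an SoD violation with no subscriber is exactly the event you do not want silently dropped.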

Key Takeaways

  • IAM/PAM platforms integrate with four primary enterprise systems: HRIS (identity lifecycle), ITSM (access request management), SIEM (logging and monitoring), and DevOps (automated credential management) — each integration type uses different protocols and patterns
  • SCIM (RFC 7643/7644) is the standard protocol for HRIS-to-IAM provisioning — operations include POST (create), PUT/PATCH (update), PATCH active=false (deactivate) and DELETE (remove) for both Users and Groups, enabling automated joiner/mover/leaver processes
  • ITSM integration connects IAM access request workflows to enterprise service desks — the typical flow: user request → ITSM ticket → approval → IAM fulfilment → ticket update, with the IAM platform performing the actual provisioning
  • SIEM integration requires log standardisation (CEF, LEEF, JSON, Syslog, Windows Event Log) — each IAM/PAM component generates specific event types at different volumes, from low-volume certification events (100-10K/day) to high-volume authentication logs (100K-10M/day)
  • DevOps integration enables automated secret retrieval in CI/CD pipelines — temporary credentials issued with TTL matching pipeline duration (JIT for build processes)
  • Event-driven architecture (via Kafka or EventBridge) enables real-time integration across identity lifecycle, access, authentication, privileged session, and compliance events — consumers subscribe to relevant event types for immediate action
  • The integration pattern choice (SCIM, REST, webhook, file-based, JDBC) depends on the source system’s capabilities, real-time requirements, network topology, and security constraints