RapidValue

Appearance

Connector catalog

Connectors are how RapidValue reads and writes identity data from your systems. Three families cover ~95% of the targets a mid-market or enterprise tenant needs.

Native protocols

FamilyWhat's coveredNotes
SCIM 2.0~25 SaaS vendors — Slack, Atlassian, GitHub, Okta, ServiceNow, Zoom, Workday, BambooHR, Zendesk, Smartsheet, …RFC 7643/7644 compliant. Vendor templates handle quirks (PATCH vs PUT, paging, headers).
LDAP / Active DirectoryAD on-prem, Azure AD via LDAP shim, OpenLDAP, FreeIPA, 389 Directory ServerUAC bitmask for disable/enable on AD, group membership via memberOf. Paged search, max 10k entries/page.
REST (generic)Anything with a JSON API — internal apps, custom-built systemsWizard infers field shape from a sample response.

Vendor-specific connectors

Built on top of the SCIM/REST base, with vendor-specific authentication and quirks baked in:

  • Microsoft Entra ID (formerly Azure AD) — Graph API, OAuth2 + cert
  • Salesforce — REST + Bulk API for large objects
  • Okta — SCIM 2.0 + management API for system-log ingestion
  • ServiceNow — Table API + IdentityNow-style identity attributes
  • Workday — RaaS reports for joiner/mover/leaver events (read-only)
  • SAP IDM bridge — for orgs still on classic SAP Identity Management

The wizard

Every connector type uses the same 5-step wizard — pick type, paste credentials, test connection, accept the auto-mapping, run first sync. ~5 minutes per target.

Authentication

Each vendor template lists supported auth methods:

  • Bearer token (most common for SCIM 2.0)
  • API key (header or query parameter)
  • OAuth2 client credentials (Entra, Salesforce, Slack)
  • mTLS client cert (for hardened on-prem REST APIs)
  • Basic auth (legacy, discouraged but supported)
  • LDAP simple bind (AD/OpenLDAP)

Credentials are vault-stored under vault://<backend>/<scope>/<key>/<version>. In tier-3 hybrid mode they live in the agent's local vault and never travel to the control plane.

Execution modes

Per connector instance you can choose:

  • hosted — control plane calls the target directly. Simplest, used for cloud SaaS where outbound from your tenant is fine.
  • agent — the tier-3 agent makes the call from inside your VPC. Identity data and credentials stay on your side of the network edge.

The agent path is transparent to call sites — build_engine_async() returns an AgentProxyConnector that implements the same protocol.

Custom connectors

If your target doesn't fit any of the above:

  • Write a Python class implementing the ConnectorProtocol v1 Pydantic envelope
  • Drop it under app/connectors/<your_type>.py
  • Add an entry to app/connectors/engine_dispatch.py
  • It gets the agent-proxy treatment for free

RapidValue IGA · Built in Belgium

© 2026 RapidValue. Sovereignty-first identity governance.