Overview
You can connect and sync all your IdPs and HRIS systems into Drata. When the same user exists across more than one IdP or HRIS system, you can define a connection priority to determine which provider serves as the primary source of truth for attributes like name and email.
Use the Configure Identity Priority or Configure HRIS Priority option to set this order and ensure Drata references the correct provider when syncing user attributes. You can reorder the connections at any time. However, the best practice is to connect your IdPs and HRIS systems in the desired priority order, starting with the provider that holds the most authoritative user data.
EXAMPLE DIAGRAM
Prerequisites
To connect multiple identity providers (IdPs) or HRIS providers in Drata, make sure you have the following in place:
Plan availability: Available on all Drata plans
RBAC roles: You must have the Admin, Workspace Manager, or DevOps Engineer role in Drata
Workspace awareness: This feature is not workspace-aware. All synced personnel will appear in every workspace.
Identity provider or HRIS access: Make sure you meet the connection requirements so you can successfully complete the connection process in Drata. You can find these in the relevant Help Center articles.
Best Practices Before You Begin
Determine your primary IdP or HRIS: Identify which provider should act as the source of truth for user attributes like name and email. Connect that first.
Connect in order of importance: Add your remaining IdPs/HRIS in the order you want Drata to prioritize them. If you're unsure which one to start with, choose the provider that has the most complete and consistently updated user data.
To Avoid Duplicate Records
Use consistent email addresses across systems: Drata matches users by exact email. Even small differences (e.g., [email protected] vs. [email protected]) will create separate records.
Avoid syncing the same users from multiple systems: If possible, scope each IdP or HRIS to bring in distinct user groups (e.g., by region or department).
If duplicate users remain after you have connected all of your IdPs or HRIS systems, mark the duplicates as out of scope and note which email is being used for compliance tracking.
End-to-End Workflow
Here’s how the full setup process works when connecting multiple providers:
Connect your primary connection first, then connect the remaining connections.
For Identity connections: Sync specific user groups from each IdP connection. This helps ensure that access is clearly defined and limited to the right users, improving both security and manageability.
Configure identity priority (Optional): Set the order in which Drata should reference each connection.
For Identity connections: The order of connections determines which IdP provides the user's name and email in Drata.
For HRIS connections: The order of connections determines which HRIS provides the user's name, email, start date, and employment status in Drata.
Review synced personnel: After syncing, review the Personnel page to confirm users are consolidated correctly.
Identify and resolve duplicates: On the Personnel page, if duplicate records exist, mark one as out of scope.
We’ll guide you through each of these steps in the sections below.
Step 1: Connect your Connections
Go to the Connections page and under Available connections, search for the identity or HRIS provider you want to connect.
Complete the connection flow.
Connect your primary connection first. This will act as the initial source of truth for user attributes.
If applicable, assign a clear connection alias to help differentiate providers.
Repeat this process to connect any additional providers.
Step 2: Configure Connection Priority
After connecting your second provider, you can configure connection priority during the setup drawer step.
If priority is not manually set, Drata applies a default order based on the sequence of connections. You can update the order at any time by selecting Configure Identity Priority in the connection settings.
Example Scenario
Connection priority determines which IdP controls user attributes like name and email.
Sally has an account in IdP 1 and 2.
Name: Sally Socpilot
Email: [email protected] from IdP 1 (IdP 1 is set as Primary Connection)
Email: [email protected] from IdP 2
Sally's email is later updated to [email protected] in IdP 1.
Drata will update her Personnel record to [email protected].
Compliance tracking will continue under the new email ([email protected]), and activity under the former email will still be preserved.
If that same change were made in IdP 2, Drata would ignore it, because IdP 1 is the designated source of truth.
⚠️ Tip: Make sure external systems like your HRIS match the primary IdP.
To set the order
Select a connection you have already integrated with Drata. Make sure that more than one connection is connected.
Select the Configure Connection Priority button near the bottom of the drawer.
Drag and arrange the icons to define the hierarchy (Primary, Secondary, etc.).
Drata will use the highest-priority connection as the source of truth for syncing name and email attributes.
For Identity connections: The order of connections determines which IdP provides the user's name and email in Drata.
For HRIS connections: The order of connections determines which HRIS provides the user's name, email, start date, and employment status in Drata.
Note: Changing connection priorities may affect personnel compliance and can result in duplicate records. Updates may take up to 24 hours to reflect in Drata.
Step 3: Verify Sync and Remove Duplicate Users
Drata matches users by exact email address only. First and last names are not used. If a user appears across multiple IdPs or HRIS systems with the same email, they are synced as a single user. If emails differ slightly, Drata creates separate records.
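A quick check for the matching rule above, as an added example that is not Drata's own code: it applies exact-email matching to a constructed set of exported records and flags emails that differ only by case or whitespace, which Drata keeps as separate personnel records. The connection aliases and addresses are made up.

```python
from collections import defaultdict

# Constructed sample records: (connection alias, email) as exported from each IdP/HRIS.
SAMPLE_RECORDS = [
    ("Okta",     "sally.socpilot@example.com"),
    ("Google",   "Sally.Socpilot@example.com"),   # differs only by case: separate record
    ("Okta",     "bob@example.com"),
    ("BambooHR", "bob@example.com"),              # exact match: merges into one record
    ("BambooHR", "bob@example.com "),             # trailing space: separate record
    ("Google",   "carol@example.com"),
]

def merged_personnel(records):
    """Apply Drata's rule: records are the same person only on an exact email match.
    Returns {exact_email: sorted list of connections the email was seen in}."""
    seen = defaultdict(set)
    for connection, email in records:
        seen[email].add(connection)
    return {email: sorted(conns) for email, conns in seen.items()}

def near_duplicates(records):
    """Distinct exact emails that collapse to the same value after trimming and
    lower-casing. Drata treats each as a separate personnel record, so review these
    groups and mark the extra records out of scope."""
    groups = defaultdict(set)
    for _, email in records:
        groups[email.strip().lower()].add(email)
    return {key: sorted(emails) for key, emails in groups.items() if len(emails) > 1}

if __name__ == "__main__":
    for key, variants in near_duplicates(SAMPLE_RECORDS).items():
        print(f"{key}: {variants}")
```

Run it against exports from each provider before connecting the second one, so the duplicates can be fixed at the source instead of in Drata.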
After connecting your identity providers or HRIS systems and configuring connection priority, verify that user records have synced correctly:
Go to the Personnel page in Drata to review the full list of synced users.
(Optional) Filter and select all the applicable IdP or HRIS groups.
If two records refer to the same person, identify which record you want Drata to track for compliance.
Then, select the duplicate record and mark it as out of scope by editing the personnel entry. This ensures only the correct user is included in compliance reporting.
Repeat these steps any time you:
Change connection priorities
Add a new IdP or HRIS
Monitor MFA Configuration (IdP Only)
Drata automatically checks each connected IdP for multi-factor authentication (MFA) coverage.
All email addresses detected across your connected IdPs must have MFA enabled on the IdP where the email is synced from. This ensures accurate personnel compliance tracking across policies, access reviews, and device monitoring.
Go to the Monitoring page in Drata.
Review the status for your MFA on Identity Provider Test.
If the test is failing, select the test and view the Results section to identify the issue.
You can also go to the Personnel page, filter by All Not Compliant > Identity MFA, and send a reminder to each user to enable MFA.
Tip: Re-sync your IdP connections after updating MFA settings to refresh compliance status in Drata.
Troubleshoot Employment Status Resolution (HRIS Only)
When a user exists in multiple connected HRIS systems, Drata applies the following logic to determine which system serves as the source of truth:
For currently employed users: Drata selects the HRIS connection with the highest configured priority (rank).
This ensures that the most authoritative system (aka the primary connection) provides the user's employment data, including name, email, start date, and employment status.
For separated/former employees: The logic depends on separation dates across the HRIS systems.
If all connected HRIS systems show different separation dates for the same user, Drata selects the system with the most recent separation date (the "latter former"), provided that connection is still active.
This approach captures the most up-to-date employment record.
However, if all HRIS systems show the same separation date, Drata defaults to using the highest-ranked connection (aka the primary connection) based on your configured priority order.
This hierarchical approach ensures data consistency while accommodating scenarios where employment records may be managed across different systems during transitions, acquisitions, or regional organizational structures.
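The resolution rules above, worked through in an added Python example that is not Drata's own implementation. Assumptions: a user counts as currently employed when any connected HRIS reports them employed; with three or more systems, separation dates that are not all identical are treated as "different"; an inactive connection is skipped when choosing the most recent separation date, falling back to the primary connection if none remains.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class HrisRecord:
    connection: str                        # alias of the HRIS connection
    employed: bool                         # True = currently employed, False = separated
    separation_date: Optional[str] = None  # ISO 8601 "YYYY-MM-DD"; sorts chronologically as text
    connection_active: bool = True         # is the HRIS connection itself still active?

def resolve_hris_source(records: list, priority: list) -> str:
    """Return the alias of the HRIS connection that acts as source of truth for this
    user's name, email, start date and employment status."""
    if not records:
        raise ValueError("no HRIS records for this user")
    rank = {alias: i for i, alias in enumerate(priority)}   # 0 = primary connection
    primary_record = min(records, key=lambda r: rank[r.connection])
    # Currently employed (assumption: employed in any system): highest-ranked wins.
    if any(r.employed for r in records):
        return primary_record.connection
    # Every system shows the user as separated.
    if len({r.separation_date for r in records}) == 1:
        # Same separation date everywhere: fall back to the configured priority.
        return primary_record.connection
    # Dates differ: the most recent separation date wins, but only from a connection
    # that is still active (assumption: inactive connections are skipped entirely).
    candidates = [r for r in records if r.connection_active and r.separation_date]
    if not candidates:
        return primary_record.connection
    latest = max(candidates, key=lambda r: (r.separation_date, -rank[r.connection]))
    return latest.connection

# Constructed example: Sally was separated in both systems on different dates.
PRIORITY = ["Workday", "BambooHR"]   # primary connection first
SALLY = [
    HrisRecord("Workday", employed=False, separation_date="2024-01-31"),
    HrisRecord("BambooHR", employed=False, separation_date="2024-03-15"),
]

if __name__ == "__main__":
    print(resolve_hris_source(SALLY, PRIORITY))   # BambooHR: the "latter former"
```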
EXAMPLE DIAGRAM
Single Connection ↔ Multiple Connections
When switching from a single provider to multiple providers (or vice versa), take the following steps to maintain clean, accurate personnel records in Drata.
Single Connection to Multiple Connections
Assign a primary connection to act as the source of truth for user attributes.
(If applicable) Configure connection priority immediately after adding your second connection.
Mark duplicate records as out of scope if users exist in multiple connections with unmatched email addresses.
What to Be Aware Of
Users not found in any connected IdPs will be automatically marked as former.
Conflicting user data across connections may lead to duplicates based on email.
Multiple Connections to Single Connection
Ensure that all users from deprecated connections are present in the remaining connection.
Verify that each user has one consistent email address used for compliance tracking.
What to Be Aware Of
Any personnel no longer found in the remaining connection will be marked as former.
Inconsistent email addresses may cause duplicate records or loss of compliance history.
Changing the Priority Order
After setting up your connections, you can change the priority order at any time.
Please note that duplicates may appear if you adjust the order of your connections.
Depending on the size of your organization or the number of users being synced, updates may take some time to appear in Drata.
If you don’t see the changes reflected after 24 hours, please contact Drata Support for assistance.
Limitations
Please make sure to allow enough time before your audit period to address any issues that might come up during the transition.
CSV IdP connections currently do not support multi-domain configurations.