Overview
You can connect multiple identity providers (IdPs) to streamline personnel compliance management. This configuration enables consistent attribute syncing and helps designate a single source of truth for each user’s name and email.
How multiple identity providers work
You can connect and sync all your IdPs into Drata. When the same user exists across more than one IdP, you can define a connection priority to determine which provider serves as the primary source of truth for attributes like name and email.
Use the Configure Identity Priority option to set this order and ensure Drata references the correct provider when syncing user attributes. You can reorder the connections at any time. However, the best practice is to connect your IdPs in the desired priority order, starting with the provider that holds the most authoritative user data.
Prerequisites
To connect multiple identity providers (IdPs) in Drata, make sure you have the following in place:
Plan availability: Available on all Drata plans
RBAC roles: You must have the Admin, Workspace Manager, or DevOps Engineer role in Drata
Workspace awareness: This feature is not workspace-aware. All synced personnel will appear in every workspace.
Identity provider access: Make sure you meet the connection requirements for each IdP so you can successfully complete the connection process in Drata. You can find these in the relevant Help Center articles.
Best Practices Before You Begin
Determine your primary IdP: Identify which identity provider should act as the source of truth for user attributes like name and email. Connect this IdP first.
Connect in order of importance: Add your remaining IdPs in the order you want Drata to prioritize them. If you're unsure which one to start with, choose the provider that has the most complete and consistently updated user data.
Best Practices to Avoid Duplicate Records
Use consistent email addresses across IdPs: Drata matches users by exact email. Even small differences (e.g., [email protected] vs. [email protected]) will create separate records.
Avoid syncing the same users from multiple IdPs: If possible, scope each IdP to bring in distinct user groups (e.g., by region or department).
If duplicate users remain after you have connected all of your IdPs, mark the duplicates as out of scope and note which email address is being used for compliance tracking.
End-to-End Workflow
Here’s how the full setup process works when connecting multiple identity providers (IdPs) in Drata:
Connect your primary IdP: Begin by connecting the IdP with the most complete and accurate user data.
Recommendation: Sync specific user groups from each IdP connection. This helps ensure that access is clearly defined and limited to the right users, improving both security and manageability.
Connect additional IdPs: Add other identity providers based on your organizational needs (e.g., by region, business unit, or function).
Configure identity priority (Optional): Set the order in which Drata should reference each connected IdP when the same user is found in multiple sources. This determines which IdP provides the user's name and email in Drata.
Review synced personnel: After syncing, review the Personnel page to confirm users are consolidated correctly.
Identify and resolve duplicates: On the Personnel page, if duplicate records exist, mark one as out of scope.
We’ll guide you through each of these steps in the sections below.
Step 1: Connect each IdP
Go to the Connections page and search for the identity provider you want to connect.
Under Available connections, select the IdP and complete the connection flow.
Connect your primary IdP first. This will act as the initial source of truth for user attributes.
(Optional) Assign a clear connection alias to help differentiate providers.
Repeat this process to connect any additional IdPs.
Step 2: Configure Connection Priority
After connecting your second IdP, you can configure connection priority in the setup drawer. If you do not set a priority manually, Drata applies a default order based on the sequence in which the connections were made. You can update the order at any time by selecting Configure Identity Priority in the connection settings.
Example Scenario
Connection priority determines which IdP controls user attributes like name and email.
Sally has an account in both IdP 1 and IdP 2.
Name: Sally Socpilot
Email: [email protected] from IdP 1 (IdP 1 is set as Primary Connection)
Email: [email protected] from IdP 2
Sally's email is later updated to [email protected] in IdP 1.
Drata will update her Personnel record to [email protected].
Compliance tracking will continue under the new email ([email protected]), and activity under the former email will still be preserved.
If that same change were made in IdP 2, Drata would ignore it, because IdP 1 is the designated source of truth.
⚠️ Tip: Make sure external systems such as your HRIS use the same email addresses as the primary IdP.
To set the order
Make sure that you have more than one IdP connection integrated with Drata, then select one of the IdP connections you already integrated.
Select Configure Connection Priority button near the bottom of the drawer.
Drag and arrange the IdP icons to define the hierarchy (Primary, Secondary, etc.).
Drata will use the highest-priority IdP as the source of truth for syncing name and email attributes.
Note: Changing connection priorities may affect personnel compliance and can result in duplicate records. Updates may take up to 24 hours to reflect in Drata.
Step 3: Verify Sync and Remove Duplicate Users
Drata matches users by exact email address only; first and last names are not used. If a user appears across multiple IdPs with the same email, they are synced as a single user. If the emails differ at all (including differences in capitalization or domain), Drata creates separate records.
After connecting your identity providers and configuring connection priority, verify that user records have synced correctly:
Go to the Personnel page in Drata to review the full list of synced users.
(Optional) Filter and select all the applicable IdP groups.
If two records refer to the same person, identify which record you want Drata to track for compliance.
Then, select the duplicate record and mark it as out of scope by editing the personnel entry. This ensures only the correct user is included in compliance reporting.
Repeat these steps any time you:
Change connection priorities
Add a new IdP
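The matching and priority rules described in the example scenario (Step 2) and at the start of Step 3 can be checked against your own IdP exports before you connect anything. The script below is an added example written for this article, not Drata's code: it simulates exact-string email matching, lets the highest-priority connection supply the name, flags near-duplicate emails that Drata would keep as separate records, and lists emails whose source connection reports MFA disabled. The connection names, the export field names, and the sample users are all constructed for the example.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class IdpUser:
    """One row of an IdP user export (field names are assumptions for this example)."""
    email: str
    name: str
    mfa_enabled: bool


# Constructed sample exports, one list per connected IdP. The connection
# names are placeholders, not real connection aliases.
IDP_EXPORTS = {
    "okta-corp": [
        IdpUser("sally@example.com", "Sally Socpilot", True),
        IdpUser("bob@example.com", "Bob Builder", False),
        IdpUser("dana@example.com", "Dana Admin", True),
    ],
    "google-emea": [
        IdpUser("sally@example.com", "S. Socpilot", True),  # exact match: merges with okta-corp
        IdpUser("Bob@example.com", "Bob Builder", True),    # capital B: a separate record
        IdpUser("eve@example.co.uk", "Eve Field", True),
    ],
}


def consolidate(exports, priority):
    """Merge exports into {email: record}, matching on the exact email string.

    priority lists connection names, highest priority first. The first
    connection (in priority order) that contains an email supplies the
    record's name and counts as its source; lower-priority connections
    only contribute their MFA status under record["mfa"].
    """
    missing = set(exports) - set(priority)
    if missing:
        raise ValueError(f"connections without a priority: {sorted(missing)}")
    people = {}
    for idp in priority:
        for user in exports.get(idp, []):
            record = people.setdefault(
                user.email, {"name": user.name, "source": idp, "mfa": {}}
            )
            record["mfa"][idp] = user.mfa_enabled
    return people


def near_duplicates(people):
    """Candidate duplicates: distinct email strings that share a local part ignoring case.

    These stay separate personnel records; review each group and mark the
    extra records out of scope.
    """
    groups = defaultdict(list)
    for email in people:
        groups[email.split("@", 1)[0].lower()].append(email)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def mfa_gaps(people):
    """Emails whose source connection (the one they were synced from) reports MFA disabled."""
    return sorted(e for e, r in people.items() if not r["mfa"][r["source"]])


if __name__ == "__main__":
    # Swapping the priority order changes which connection supplies Sally's name.
    for order in (["okta-corp", "google-emea"], ["google-emea", "okta-corp"]):
        sally = consolidate(IDP_EXPORTS, order)["sally@example.com"]
        print(order, "->", sally["name"], "from", sally["source"])
    people = consolidate(IDP_EXPORTS, ["okta-corp", "google-emea"])
    print("near-duplicate groups:", near_duplicates(people))
    print("MFA gaps on source IdP:", mfa_gaps(people))
```

Run it against a CSV or API export from each of your IdPs (replacing the constructed `IDP_EXPORTS`) and fix the flagged near-duplicates at the source, or plan which record to mark out of scope, before you connect the second IdP.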
Step 4: Monitor MFA Configuration
Drata automatically checks each connected IdP for multi-factor authentication (MFA) coverage.
All email addresses detected across your connected IdPs must have MFA enabled on the IdP where the email is synced from. This ensures accurate personnel compliance tracking across policies, access reviews, and device monitoring.
Go to the Monitoring page in Drata.
Review the status of the MFA on Identity Provider test.
If the test is failing, select the test and view the Results section to identify the issue.
You can also go to the Personnel page, filter by All Not Compliant > Identity MFA, and send a reminder to each listed user to enable MFA.
Tip: Re-sync your IdP connections after updating MFA settings to refresh compliance status in Drata.
Transitioning Between IdP Configurations
When switching between a single IdP and multiple IdPs (or vice versa), take the following steps to maintain clean, accurate personnel records in Drata.
Single IdP → Multiple IdPs
Assign a primary IdP to act as the source of truth for user attributes.
(If applicable) Configure connection priority immediately after adding your second IdP.
Mark duplicate records as out of scope if users exist in multiple IdPs with unmatched email addresses.
What to Be Aware Of
Users not found in any connected IdPs will be automatically marked as former.
Conflicting user data across IdPs may lead to duplicates based on email.
Multiple IdPs → Single IdP
Ensure that all users from deprecated IdPs are present in the remaining IdP.
Verify that each user has one consistent email address used for compliance tracking.
What to Be Aware Of
Any personnel no longer found in the connected IdP will be marked as former.
Inconsistent email addresses may cause duplicate records or loss of compliance history.
Changing the Priority Order
After setting up your connections, you can change the priority order at any time.
Please note that duplicates may appear if you adjust the order of your connections.
Depending on the size of your organization or the number of users being synced, updates may take some time to appear in Drata.
If you don’t see the changes reflected after 24 hours, please contact Drata Support for assistance.
Limitations
Please make sure to allow enough time before your audit period to address any issues that might come up during the transition.
CSV IdP connections currently do not support multi-domain configurations.
