Gateco Team

Setting Up Gateco with Your Identity Provider

AI systems that access organizational knowledge need to know who is asking. Without identity context, every retrieval is anonymous — and anonymous access cannot be governed. Connecting your identity provider to Gateco bridges this gap, giving your policies the principal attributes they need to enforce meaningful access control. Whether your organization uses Azure Entra ID, Okta, AWS IAM Identity Center, or GCP Cloud Identity, the integration follows the same pattern: connect, sync, and enforce.

Gateco supports four identity providers out of the box. Azure Entra ID connects via tenant ID and client secret, syncing users and groups from Microsoft's directory. Okta uses an SSWS API token against your Okta domain to pull users, groups, and department attributes. AWS IAM Identity Center (formerly AWS SSO) connects via the Identity Store API using standard AWS credentials and region. GCP Cloud Identity integrates through a service account JSON key using Google's Admin SDK. Each adapter normalizes users into Gateco principals with consistent attributes: email, display name, groups, department, and a stable provider_subject identifier.

The setup flow starts in the Gateco dashboard under Identity Providers. Click "Add Provider," select your provider type, and enter your credentials. Once created, click "Sync" to pull principals from your directory. Gateco imports users as principals with status "active" and maps their group memberships and department attributes. You can verify the sync by checking the principal count on the IDP detail page or browsing the Principals list. If something looks wrong, the sync result includes diagnostic information about users processed, groups found, and any errors encountered.

With principals synced, you can start building policies that reference real identities. The "Suggest Policies" button on any connected IDP analyzes your synced data and generates conservative policy starting points. If you have a group with three or more members, Gateco suggests a group-based RBAC policy. If you have departments with sufficient membership, it suggests department-scoped access rules. Deny suggestions appear when your organization has classified resources at confidential or restricted levels. All suggestions create draft policies — you review, adjust, and activate them on your own terms.

For organizations that need continuous provisioning, Gateco offers two mechanisms. Scheduled auto-sync checks your IDP at configurable intervals (15, 30, or 60 minutes) and updates principals automatically. This handles the common case where employees join, leave, or change roles. For Enterprise customers, SCIM v2 inbound provisioning provides real-time updates: your IDP pushes user and group changes to Gateco as they happen. SCIM supports full User CRUD (create, read, update, deactivate) and Group CRUD (create, read, update, delete with member propagation). Generate a SCIM bearer token from the IDP settings page and configure your provider's SCIM integration to point at your Gateco SCIM endpoint.
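The sketch below is an added illustration, not Gateco's code or its real SCIM endpoint: it models what an inbound SCIM v2 receiver has to do with the pushed changes described above, namely a constant-time bearer token check, a User create normalized into a principal with the attribute set listed earlier, deactivation arriving as a PATCH of `active=false`, and Group member add/remove propagated to each principal's groups. The token value, identifiers and the choice of SCIM `externalId` as `provider_subject` and of the status string "inactive" are constructed assumptions; the enterprise extension URN is the standard SCIM one.

```python
import hmac
import re
from dataclasses import dataclass, field
ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
MEMBER_FILTER = re.compile(r'members\[value eq "([^"]+)"\]')  # SCIM remove-member path form

@dataclass
class Principal:
    provider_subject: str
    email: str
    display_name: str
    status: str = "active"
    department: str = ""
    groups: set = field(default_factory=set)

class ScimReceiver:
    def __init__(self, bearer_token):
        self._token = bearer_token  # constructed; real value comes from the IDP settings page
        self.principals = {}  # provider_subject -> Principal

    def authorize(self, authorization_header):
        # Constant-time comparison of the presented bearer token; any other scheme is rejected.
        scheme, _, presented = authorization_header.partition(" ")
        return scheme == "Bearer" and hmac.compare_digest(presented, self._token)

    def create_user(self, scim_user):
        # SCIM core User -> normalized principal; externalId assumed as the stable provider_subject.
        p = Principal(
            provider_subject=scim_user["externalId"],
            email=scim_user["userName"],
            display_name=scim_user.get("displayName", scim_user["userName"]),
            status="active" if scim_user.get("active", True) else "inactive",
            department=scim_user.get(ENTERPRISE_EXT, {}).get("department", ""),
        )
        self.principals[p.provider_subject] = p
        return p

    def patch_user(self, subject, patch):
        # Deactivation is a PATCH replacing active=false; the principal is kept, not deleted.
        for op in patch["Operations"]:
            if op["op"].lower() == "replace" and op.get("path") == "active":
                self.principals[subject].status = "active" if op["value"] else "inactive"

    def patch_group(self, group_name, patch):
        # Membership changes propagate to each referenced principal's group set.
        for op in patch["Operations"]:
            if op["op"].lower() == "add" and op.get("path") == "members":
                for member in op["value"]:
                    self.principals[member["value"]].groups.add(group_name)
            elif op["op"].lower() == "remove" and (hit := MEMBER_FILTER.fullmatch(op.get("path", ""))):
                self.principals[hit.group(1)].groups.discard(group_name)
```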

Once your identity provider is connected and principals are flowing, the next step is your first policy-enforced retrieval. Create a policy using one of the seven built-in templates — group RBAC and department access are the most common starting points — activate it, and run a Live Preview in the Access Simulator to see exactly which results each principal would see. The audit trail records every decision with full identity context, giving your compliance team the evidence they need. Identity integration is the foundation that makes everything else in Gateco meaningful: without knowing who is asking, you cannot decide what they should see.

