Integrations overview
OnTrackio connects to the systems your organization already runs — your identity provider, your chat tool, your helpdesk, your HR system, your device management — so the register stays accurate without manual double-entry. This page explains how those connectors are organized, what each category does, and how the API and webhooks fit alongside them. The per-connector how-to guides linked throughout cover the setup steps.
You manage every connector from one place: Settings → Integrations in the admin console. A second tab, Settings → API & webhooks, holds the programmatic surface.
:::note Before you begin
- You need an admin role (admin, it-admin, or super-admin) to reach Settings.
- Most connectors save with the page's main Save changes button. A few open a modal with their own Test connection and Sync now actions.
- Single sign-on (SAML) and SCIM provisioning have their own dedicated pages; their cards on this tab link out to them rather than opening a modal.
:::
How integrations are organized
The Integrations tab is a grid of connector cards with a row of category filter pills across the top. Selecting a pill narrows the grid to that category; All shows everything. Each card carries a status badge so you can see at a glance what's wired up.
| Category | What it connects | Examples |
|---|---|---|
| Authentication | Who can sign in, and how their accounts and roles are provisioned. | Google Workspace SSO, Microsoft Entra ID, SAML 2.0, SCIM 2.0 |
| Communication | Outbound alerts and transactional email. | Email (SMTP), Slack, Microsoft Teams |
| SaaS utilization | Pulls members from SaaS tools and mirrors them as software assignments for seat-utilization reporting. | Slack, Microsoft 365, Google Workspace, Notion, Miro, Monday.com, GitHub Copilot, Slite, Keeper, Claude (Enterprise), Visual Studio Code |
| Ticketing | Mirrors asset requests into a helpdesk. | SupportCandy (Jira Service Management is planned) |
| Device management | Per-serial hardware and warranty lookup from MDM and vendor APIs. | Microsoft Intune, Jamf Pro, Dell TechDirect, Lenovo Support |
| HRIS | Syncs your people directory — names, departments, managers, dates. | Deel, BambooHR |
The same connector can appear in more than one category with a different job. Slack, for example, has a Communication card (post alerts to a channel via a webhook) and a separate SaaS utilization card (pull workspace members to measure seat usage). They use different credentials and are configured independently.
What a connector's status badge means
Every card shows a coloured badge describing its current state. The exact wording depends on the connector, but the meanings are consistent.
| Badge | Meaning |
|---|---|
| Connected / Enabled | The connector has credentials saved and is active. |
| Not connected / Disabled | No credentials saved, or the connector is switched off. |
| Preview | An early-access connector — wired up, but expect rough edges. Microsoft Entra ID and Intune carry this. |
| N IdPs / N mappings | A count, shown on the SAML and SCIM cards, of how many identity providers or group-to-role mappings you've configured. |
| Coming soon | A connector that's planned but not yet built. The card is visible so you know it's on the roadmap; it can't be configured. |
Authentication: sign-in and provisioning
Authentication connectors are the most consequential, because they decide who reaches your workspace at all. They split into two jobs that are easy to conflate but do different things.
- Single sign-on (SSO) decides how a person proves who they are at the login screen.
- Provisioning (SCIM) decides which accounts exist in the first place, created and deactivated automatically from your directory.
| Connector | Job | Where it's configured |
|---|---|---|
| Google Workspace SSO | Staff sign in with their corporate Google account, with an optional domain allowlist. | A modal on this tab. |
| Microsoft Entra ID | Sign in with Azure AD / Entra accounts; works with conditional access and MFA. | A modal on this tab. |
| SAML 2.0 SSO | Connect any SAML identity provider — Okta, JumpCloud, OneLogin, Auth0, ADFS — with multiple per-tenant IdPs, role mapping, and just-in-time user provisioning. | A dedicated page; the card links to it. |
| SCIM 2.0 provisioning | Automated joiner / mover / leaver from your IdP. Push users and groups, and map IdP groups to roles. | A dedicated page; the card links to it. |
SSO and SCIM are complementary, not alternatives: SSO covers the daily login, SCIM keeps the account list in step with HR. Many organizations run both — sign-in through Entra or a SAML IdP, account lifecycle through SCIM. The full setup steps live in the per-provider guides linked under Related.
SAML and SCIM open dedicated admin pages instead of a modal because each supports more than one identity provider and a list of role mappings — too much to fit in a single dialog. The cards on the Integrations tab exist to make those pages discoverable from one hub.
Communication: alerts and email
Communication connectors carry messages out of the platform.
- Email (SMTP) is the backbone — it sends transactional mail such as notifications, transfer-agreement PDFs, and one-time passcodes through any SMTP relay you point it at.
- Slack and Microsoft Teams post new-request and transfer alerts to a channel using that tool's incoming-webhook URL. Both open a modal with a Test connection button that sends a harmless test message so you can confirm the wiring before relying on it.
These deliver the same notification events you can also route to individual recipients — see Notifications for what triggers a message.
SaaS utilization: measuring seat usage
SaaS-utilization connectors answer a finance question: are we paying for seats nobody uses? Each one reads the member list from a SaaS tool and mirrors those members into OnTrackio as software assignments, so a SaaS subscription you'd otherwise track by hand gets real holder data feeding the utilization and reclaim reports.
The connectors share one shape: a modal where you save the credential, a Test connection action to verify it, and a Sync now action that pulls members on demand. Sync is manual in this release; the client classes are written to be safe to re-run, so an automated schedule can layer on later.
| Connector | What it pulls |
|---|---|
| Microsoft 365 | Active users from Microsoft Graph. |
| Google Workspace | Active users via the Directory API. |
| Slack — licence sync | Workspace members via the Slack Web API. |
| Notion | Workspace users. |
| Miro | Team members. |
| Monday.com | Workspace users with last activity. |
| GitHub Copilot | Copilot Business / Enterprise seats with last activity. |
| Slite | Active members, discovered by walking recent notes. |
| Keeper | Active vault users via SCIM 2.0. |
| Claude (Enterprise) | Workspace users from the Anthropic Admin API. |
| Visual Studio Code | A manual seat tracker — VS Code has no user-listing API, so you record the count yourself. |
The assignments these create flow into the same model as any other software seat, so they appear in Audits and utilization and the spend dashboard without extra work.
Device management: serial lookup
Device-management connectors enrich a hardware record from its serial number, so you don't type specs by hand. They power the Look up by serial button on the hardware form — paste a serial, and the connector fills in model, specs, and warranty.
| Connector | Resolves | Notes |
|---|---|---|
| Microsoft Intune | Any enrolled device by serial, plus a device-sync preview. | Carries a Preview badge. |
| Jamf Pro | Mac specs (CPU, RAM, storage, assigned user, warranty) from Jamf inventory. | The Apple-fleet counterpart to vendor warranty APIs. |
| Dell TechDirect | A Dell service tag into model, ship date, and warranty expiry. | OAuth2. |
| Lenovo Support | ThinkPad / ThinkBook / IdeaPad serials into model and warranty. | Requires a Lenovo Business Partner API key. |
Intune and Jamf also feed Bulk import, where you can preview and load a batch of device records from the MDM rather than one serial at a time. See MDM: Intune and Jamf and Bulk actions and import.
HRIS: people directory sync
HRIS connectors keep your user records current from the system of record for employment data. Each pulls the directory — names, job titles, departments, locations, supervisors, and start / end dates — and upserts it onto user profiles, matching on email.
| Connector | Source |
|---|---|
| Deel | The Deel employee directory and employment history. |
| BambooHR | The BambooHR employee directory. |
Like the utilization connectors, each opens a modal with Test connection and Sync now; sync is manual in this release. Connecting an HRIS is what makes department, manager, and cost center stay accurate as HR makes changes, without anyone editing user rows in OnTrackio. See Manage users and teams.
HRIS sync updates the people directory. It does not create sign-in access on its own — that comes from SSO and SCIM. An HRIS connector and SCIM provisioning solve adjacent problems: SCIM governs accounts and access, HRIS enriches the employment data on those accounts.
The API and webhooks
Beyond the packaged connectors, the Settings → API & webhooks tab gives you two general-purpose hooks for anything not covered by a built-in card: a REST API to read and write data, and outbound webhooks to react to events as they happen.
API tokens
The platform exposes a REST API at /api/*, authenticated with a bearer token you mint on
this tab. A token can be scoped to a set of abilities, so an integration only gets the access
it needs.
| Ability | Grants |
|---|---|
| hardware:read / hardware:write | Read or modify hardware records. |
| users:read / users:write | Read or modify user records. |
| software:read / software:write | Read or modify software licenses. |
Leaving the abilities empty grants the token all permissions, shown as an All badge. You can set an optional expiry of up to 365 days; the cap forces at least an annual rotation.
A token's secret is shown once, right after you generate it. Copy it then — it's stored
only as a hash afterwards and can't be retrieved. Use it as an Authorization: Bearer header.
If you lose it, revoke the token and mint a new one.
The interactive API reference and schema live at /api/docs (Swagger UI) in your workspace.
Webhooks
A webhook subscription POSTs a JSON payload to a URL you control whenever a subscribed event
fires, so an external system can react without polling. Each delivery is signed with
HMAC-SHA256 in an X-Itam-Signature header, which your endpoint should verify to confirm the
request really came from OnTrackio.
You choose which events a subscription receives, or use * to receive everything:
| Event group | Events |
|---|---|
| Hardware | hardware.created, hardware.updated, hardware.assigned, hardware.recovered |
| Requests | asset_request.created, asset_request.approved, asset_request.rejected, asset_request.fulfilled |
| Software | software.assigned, software.revoked |
| People | user.offboarded |
A Test action fires a synthetic test.ping delivery to a single subscription so you can
confirm connectivity before a real event occurs. Full details are in
API tokens and webhooks.
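A receiving endpoint can check the X-Itam-Signature header along the following lines. This is an added example, not OnTrackio's own code. It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body keyed with a shared secret for the subscription, and that the event name sits in a top-level "event" field; confirm both against /api/docs before relying on them.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-itam-signature"  # header name from the page, lower-cased for lookup


class WebhookRejected(Exception):
    """Raised when a delivery must not be processed."""


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    # ASSUMPTION: hex-encoded HMAC-SHA256 over the exact raw body bytes.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, raw_body: bytes, allowed_events: set) -> dict:
    """Authenticate a delivery, then parse it. Returns the payload or raises WebhookRejected."""
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = str(lowered.get(SIGNATURE_HEADER, "")).strip().lower()
    if not supplied:
        raise WebhookRejected("missing signature header")
    # Constant-time comparison; compare bytes so odd header characters cannot raise.
    if not hmac.compare_digest(expected_signature(secret, raw_body).encode(), supplied.encode()):
        raise WebhookRejected("signature mismatch")
    # Parse only after the bytes are authenticated.
    try:
        payload = json.loads(raw_body)
    except ValueError as exc:
        raise WebhookRejected("signed body is not JSON") from exc
    # ASSUMPTION: the event name is carried in a top-level "event" field.
    event = payload.get("event") if isinstance(payload, dict) else None
    if event not in allowed_events:
        raise WebhookRejected(f"unexpected event: {event!r}")
    return payload


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real secret
    body = b'{"event": "user.offboarded", "user_id": 42}'  # constructed sample delivery
    hdrs = {"X-Itam-Signature": expected_signature(secret, body)}
    print(verify_delivery(secret, hdrs, body, {"user.offboarded", "test.ping"}))
    try:
        verify_delivery(secret, hdrs, body.replace(b"42", b"43"), {"user.offboarded"})
    except WebhookRejected as err:
        print("rejected:", err)
```

Pass the body bytes exactly as received; re-serializing parsed JSON before computing the HMAC changes the bytes and makes valid deliveries fail verification.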
Choosing the right integration
When a connector and the API both look like they'd work, the connector is almost always the better choice — it's purpose-built, maintained, and needs no code. Reach for the API or a webhook only when no packaged connector fits.
| You want to… | Use |
|---|---|
| Let staff sign in with their existing accounts | An Authentication SSO connector (Google, Microsoft, or SAML) |
| Create and deactivate accounts automatically from your IdP | SCIM 2.0 provisioning |
| Keep employment data current from HR | An HRIS connector (Deel or BambooHR) |
| Post alerts into a team channel | A Communication connector (Slack or Teams) |
| Measure how many SaaS seats are actually used | A SaaS utilization connector |
| Auto-fill hardware specs from a serial | A Device management connector |
| Mirror requests into your helpdesk | A Ticketing connector (SupportCandy) |
| Build a custom integration or pull data into your own tools | The REST API with a scoped token |
| React to events in another system in real time | An outbound webhook |
Limitations and trade-offs
| Boundary | What it means |
|---|---|
| Some connectors are Preview | Microsoft Entra ID and Intune are early-access. They work, but treat them as maturing rather than fully settled. |
| Sync is manual today | HRIS and SaaS-utilization connectors sync when you select Sync now; there's no automatic schedule yet. Run a sync after large directory changes. |
| Email is a prerequisite, not an extra | Notifications, transfer-agreement PDFs, and one-time passcodes all depend on a working SMTP connector. If email isn't connected, those won't send. |
| SSO and SCIM are separate concerns | SSO authenticates a login; SCIM manages the account. Connecting one doesn't configure the other. |
| API tokens are powerful | A token with :write abilities can change live data. Scope tokens tightly, set an expiry, and revoke any token you suspect is exposed. |