Directory Connectors
Roster separates the external system from the code that talks to it.
Terminology
| Term | Meaning |
|---|---|
| Provider | External source of truth such as Entra ID, Active Directory, Okta, Workday, SAP, or CSV. |
| Connector | Roster-owned integration code for one provider or provider family. |
| Resolver | Query path that uses materialized Roster data to answer routing questions. |
Authentication providers configured for human login are separate from roster data providers. In sync and resolver docs, provider means external roster data source.
Supported MVP Connectors
| Connector | Provider path | Notes |
|---|---|---|
| entra | Microsoft Graph v1.0 | Microsoft Entra directory users and groups. |
| ldap | LDAP v3 over LDAP or LDAPS | Active Directory or LDAP-compatible directories. |
| csv | Mounted data volume, S3, or SFTP | File-based records for batch integration workflows. |
Use ldaps:// for production LDAP connectors. Plain ldap:// should be
limited to isolated directory sources that cannot present a valid LDAPS
certificate.
Connector Guides
Connector Guides
Refresh and Storage
Refresh schedules use 5-field UTC cron expressions. When no schedule is set,
the worker defaults to hourly refresh with 0 * * * *.
Worker refresh is cache-only. It refreshes records that already exist in
directory_record_sources for the connector, and reconciles direct member edges
for cached group records already attached to participants. It does not enumerate
or materialize every upstream user, group, or unrelated group membership.
For self-hosted deployments, encrypted provider secrets require:
ROSTER_PROVIDER_SECRET_ENCRYPTION_KEY=<high-entropy-secret>
ROSTER_PROVIDER_SECRET_KEY_ID=env:prod-2026-05
Live Browse vs Cached Search
The Platform participant picker can search some connectors live so admins do not need to materialize a full directory before selecting a user or group:
- CSV connectors read configured CSV files directly
- Microsoft Entra ID queries Microsoft Graph directly
- primary LDAP connectors query LDAP directly
Secondary LDAP connectors remain metadata sources for now. They are searched from materialized records when matching primary connector results.
After an admin selects a user or group, Roster caches only the selected record in
directory_records and directory_record_sources. Selected groups also cache
their direct membership edges for participant resolution. Scheduled refresh
keeps those selected-group membership edges current without browsing unrelated
groups.
New records enter the cache through explicit actions such as live browse, manual association, or import flows. Scheduled worker refresh does not discover new standalone records on its own, except for direct members needed by an already-cached participant group.
API and MCP directory-record search remains cache-only. It searches Roster’s materialized records and does not call upstream connectors live.
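To make the selection, caching and refresh rules described under Refresh and Storage and Live Browse vs Cached Search concrete, here is a small Python model written for this page; it is not Roster's own code. The upstream snapshot, record ids, and the Cache fields standing in for directory_records, directory_record_sources and membership edges are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
# Constructed upstream snapshot for one connector; ids and names are illustrative only.
UPSTREAM_USERS = {"u-alice": "Alice", "u-bob": "Bob", "u-carol": "Carol", "u-dave": "Dave"}
UPSTREAM_GROUPS = {
    "g-oncall": {"name": "On-call", "members": ["u-alice", "u-carol"]},
    "g-finance": {"name": "Finance", "members": ["u-bob"]},
}
@dataclass
class Cache:
    records: dict = field(default_factory=dict)           # stands in for directory_records
    sources: set = field(default_factory=set)             # stands in for directory_record_sources
    member_edges: dict = field(default_factory=dict)      # group id -> set of direct member ids
    participant_groups: set = field(default_factory=set)  # cached groups attached to a participant

def fetch(record_id):
    """Fetch one record by id; the model never enumerates the whole upstream directory."""
    if record_id in UPSTREAM_USERS:
        return {"type": "user", "name": UPSTREAM_USERS[record_id]}
    if record_id in UPSTREAM_GROUPS:
        return {"type": "group", "name": UPSTREAM_GROUPS[record_id]["name"]}
    return None  # removed upstream; unspecified on the page, so callers keep the cached copy

def select(cache, record_id, attach_to_participant=False):
    """Live browse: the admin picks one record, and only that record (plus a group's edges) is cached."""
    cache.records[record_id] = fetch(record_id)
    cache.sources.add(record_id)
    if record_id in UPSTREAM_GROUPS:
        cache.member_edges[record_id] = set(UPSTREAM_GROUPS[record_id]["members"])
        if attach_to_participant:
            cache.participant_groups.add(record_id)
    return cache

def refresh(cache):
    """Scheduled cache-only refresh: re-fetch cached records, reconcile participant-group edges."""
    for rid in list(cache.sources):
        cache.records[rid] = fetch(rid) or cache.records[rid]
    for gid in cache.participant_groups & UPSTREAM_GROUPS.keys():
        members = set(UPSTREAM_GROUPS[gid]["members"])
        cache.member_edges[gid] = members
        for mid in members - cache.sources:
            # The only discovery path: direct members needed by an already-cached participant group.
            cache.records[mid] = fetch(mid)
            cache.sources.add(mid)
    return cache

def scenario():
    """Select a user and a participant group, let the upstream drift, then run one refresh."""
    cache = select(select(Cache(), "u-alice"), "g-oncall", attach_to_participant=True)
    UPSTREAM_USERS["u-alice"] = "Alice Smith"                # renamed upstream
    UPSTREAM_GROUPS["g-oncall"]["members"].append("u-dave")  # new direct member upstream
    return refresh(cache)
```

After `scenario()` the cache holds the renamed user, the selected group with its three current member edges, and the two members materialized for it, while the never-selected user and group stay out of the cache.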