Available on Enterprise plans · SAML 2.0 + SCIM · configured for your tenant

SSO and SCIM provisioning for your team's digital business cards

Onboarding 5,000 employees should be a provisioning job, not 5,000 individual signups. Offboard one person, and their card should be gone the same minute.

NexaLink connects to Microsoft Entra ID, Okta, and Google Workspace so your team's digital business cards are created, mapped, and revoked straight from your directory. SAML for sign-in, SCIM for lifecycle, RBAC for delegation — configured for your tenant during enterprise onboarding so it passes IT and security review before go-live.

CSV onboarding and live ex-employee cards are an IT problem

A digital business card platform without identity is a shadow-IT directory you don't control. Here is what breaks when provisioning is manual.

Manual CSV chaos
Spreadsheet imports go stale the day after you run them. New hires wait for a batch upload, transfers keep their old department tag, and nobody can answer "who has a card and who doesn't" with confidence. Every roster change is a ticket.
Ex-employees with live cards
Someone leaves, but their company-branded card is still circulating — in inboxes, on LinkedIn, in a prospect's phone. That's a data-leak and a brand-impersonation risk that no offboarding checklist reliably catches when cards live outside your identity system.
No IdP means no IT approval
Security teams won't sign off on a tool that holds employee data and brand assets but can't be provisioned, audited, or shut off from the directory. "It has its own login" is a non-starter in vendor review.
Password sprawl
Yet another username and password per employee is more support tickets, more reset requests, and more attack surface. SSO collapses all of that into the identity your team already uses every day.

How provisioning works

Four steps that turn your directory into the single source of truth for every employee card. Each step is configured for your tenant during enterprise onboarding.

01. Connect your IdP (SAML)
We register NexaLink as a SAML 2.0 application in Entra ID, Okta, or Google Workspace. Sign-in flows through your identity provider with the same MFA, conditional access, and session policies your team already enforces. Configured for your tenant during enterprise onboarding.
02. SCIM auto-provisions accounts
SCIM creates and updates accounts automatically, carrying over the attributes that matter — department, title, region, manager. New hires get a ready card the moment they appear in your directory. Mapping is set up against your real attributes during onboarding, not a generic schema.
03. Employee hits the SSO URL
No separate signup, no invite email to chase. The employee opens the SSO URL, authenticates with your IdP, and their company-branded card is already there — populated with the directory data SCIM pushed. Onboarding becomes a non-event.
04. Offboard → auto-deprovision
When you disable the user in your directory, SCIM deactivates the card and revokes sharing automatically. No dangling ex-employee cards. The deprovisioning rules are built to your offboarding flow during onboarding so HR or IT remains the trigger.

Supported identity providers

If you run SAML 2.0, you're covered. We configure your specific provider during enterprise onboarding so the connection is tested against your real tenant, not a sandbox.

Microsoft Entra ID
Formerly Azure AD. SAML SSO plus SCIM enterprise-app provisioning, with conditional access and group-based assignment honored from your tenant.
Okta
SAML SSO and SCIM via the Okta integration, with group push and lifecycle automation mapped to your org. A common starting point for IT-led rollouts.
Google Workspace
SAML SSO and directory-driven provisioning for teams standardized on Google. Org-unit structure carries through to your RBAC scopes.
Ping, OneLogin & SAML 2.0
Ping Identity, OneLogin, and any SAML 2.0-compatible IdP. We confirm and configure your provider during onboarding before any employee signs in.

Attribute mapping and department RBAC

Provisioning is only useful if the right data lands on the right card and the right admins control the right people. SCIM carries your directory attributes into NexaLink, and role-based access control lets you delegate management without handing everyone the keys.

Directory attributes → card fields

Department, job title, region, office location, phone, and manager flow from your IdP into the card automatically. When someone gets promoted or relocates, the source of truth updates and the card follows — no employee has to re-type their own title. The exact attribute-to-field mapping is built against your schema during enterprise onboarding.

Department and org-unit RBAC

Global IT keeps top-level control; regional and departmental admins manage only their slice. A field that maps cleanly to your org chart means the EMEA sales ops lead can update EMEA cards without ever seeing APAC, while leadership retains the full picture. Department and org-unit RBAC is scoped on your demo and built against your plan — it's tailored to your hierarchy, not a fixed set of toggles. Brand-side controls pair with this; see brand management for locked templates and admin governance.

Auto-deprovisioning and the full lifecycle

The riskiest moment for any employee-facing tool is the day someone leaves. SCIM makes offboarding a directory event, not a hopeful checklist item.

Leaver detected
When a user is disabled or removed in your HR system or IdP, SCIM picks it up automatically. No one has to remember to log into NexaLink and turn anything off.
Card disabled, sharing revoked
The card stops resolving and active share links are cut, so an ex-employee can no longer represent your brand. The window between offboarding and revocation closes to near-zero.
Contacts retained per policy
Leads and contacts the employee captured stay with the company per your data-retention policy, so departing reps don't take the pipeline with them. Retention rules are configured during onboarding.

The result is zero dangling cards. Every active card maps to an active employee in your directory, and the audit trail shows exactly who was provisioned, when, and under whose authority.

Built to pass security review

Identity is where most card platforms fail vendor review. NexaLink is designed to clear it.

Row-level data isolation
Every tenant's data is isolated with row-level security, so no customer can read another's cards, contacts, or analytics. This is live today, not a future promise.
Who-viewed audit trail
Card views, captures, and admin actions are logged, giving your security team the audit trail they need for access reviews and incident response.
SSO removes password risk
With SAML SSO, there are no NexaLink-specific passwords to phish, reset, or leak. Your MFA and conditional access policies apply to card access too.
SOC 2-ready, GDPR handling
SOC 2-aligned controls and GDPR-compliant data handling on enterprise plans. We support your security questionnaire during onboarding.

For the full posture — data isolation, audit logging, and compliance documentation — see our security & compliance page.

What's live today vs. built for you in onboarding

We'd rather be honest than oversell a toggle. Here is the clean split.

Live today
  • Secure team digital cards with row-level data isolation
  • Who-viewed analytics and a full audit trail
  • Shared team directory across your organization
  • Lead capture, CRM sync, and no-credit contact enrichment
Built in enterprise onboarding
  • SAML SSO and SCIM auto-provisioning, configured for your IdP
  • Department and org-unit RBAC, mapped to your hierarchy
  • Auto-deprovisioning rules wired to your offboarding flow
  • Directory attribute mapping against your real schema

Enterprise identity is delivered through onboarding, tailored to your IdP — it is not a self-serve switch. That is the point: provisioning that touches your whole directory is built against your signed plan, tested, and verified before it ever logs in a real employee.

Frequently asked questions

Which identity providers do you support?
SAML 2.0 SSO with Microsoft Entra ID (Azure AD), Okta, Google Workspace, Ping, OneLogin, and SAML-compatible IdPs. SCIM provisioning is configured for your tenant during enterprise onboarding — we set up your specific provider against your signed plan rather than a generic self-serve connector. That means the attribute mapping, group rules, and sign-in flow are tested against your real directory before a single employee logs in.
Does it auto-deprovision when someone leaves?
Yes — that's the point of SCIM. When a user is disabled in your directory, their card is deactivated and sharing is revoked automatically, with captured contacts retained per your data policy. No dangling ex-employee cards still circulating on LinkedIn or sitting in a stranger's phone. We build the deprovisioning rules to your offboarding flow during onboarding, so a leaver event in your HR or identity system is the single source of truth.
Can different admins manage only their department?
Yes — department and org-unit RBAC lets each admin manage their slice while IT keeps global control. A regional sales ops lead can manage the APAC team's cards without touching EMEA; the global IT admin still sees everything. RBAC scopes are mapped from your directory attributes and scoped on your demo, then built for your org structure during onboarding.
Is this a self-serve setup I can turn on today?
No — enterprise identity is delivered through onboarding, not a self-serve button. You book a demo, we scope your IdP, attribute mapping, and RBAC, then configure SSO and SCIM for your tenant. That's deliberate: provisioning that touches your whole directory is built against your plan, tested, and verified before go-live, so the rollout doesn't break sign-in for thousands of people on day one.
How does this pass our security review?
Cards are tenant-isolated with row-level security and a who-viewed audit trail; SSO removes per-user passwords and shrinks the attack surface; SOC 2-aligned controls and GDPR handling apply on enterprise plans. We support your security questionnaire and provide the documentation your vendor-review team expects during onboarding. See our security page for the current posture.

Provision every employee card from your directory

Book an enterprise demo and we'll scope your IdP, attribute mapping, RBAC, and deprovisioning rules, then configure SSO and SCIM for your tenant during onboarding. No self-serve switches that touch your whole directory unsupervised — built against your plan, tested, verified.
