Cloud Client Onboarding Guide
This guide walks you through connecting Surface Security to your cloud identity provider and deploying the browser extension to your workforce.
Prerequisites
Before beginning onboarding, ensure you have:
- Surface Security tenant URL (e.g.,
https://surfacesec.yourcompany.com) - Admin access to the Surface Security dashboard
- Identity provider admin access (Entra ID, Okta, or Google Workspace)
- MDM/GPO access (for managed extension deployment) -- or permission to install browser extensions manually
Step 1: Connect Your Directory
Surface Security supports multiple identity providers for user and group synchronization.
Option A: Entra ID / Okta (SCIM Push)
SCIM 2.0 push provisioning lets your identity provider automatically send user and group changes to Surface Security.
- Navigate to Settings > Directory Sync in the Surface Security dashboard
- Click Add Source and select Microsoft Entra ID or Okta
- Enter a descriptive name (e.g., "Production Entra ID")
- Surface Security will generate:
- SCIM Endpoint URL -- enter this as the Tenant URL in your IdP
- OAuth Client ID and Client Secret -- use these for authentication
- Copy these credentials (the client secret is shown only once)
Entra ID Configuration:
-
In Azure Portal, go to Enterprise Applications > Create new
-
Select Provisioning > Mode: Automatic
-
Enter the SCIM Endpoint URL and OAuth credentials from step 4
-
Click Test Connection to verify
-
Map attributes:
Azure AD Attribute SCIM Attribute userPrincipalName userName displayName displayName mail emails[type eq "work"].value objectId externalId -
Enable group provisioning under Mappings
-
Start initial provisioning cycle
Okta Configuration:
- In Okta Admin Console, go to Applications > Add
- Choose SCIM 2.0 Test App (OAuth Bearer Token)
- Enter the SCIM Endpoint URL as the Base URL
- For authentication, obtain a token using the OAuth Client ID/Secret
- Enable Push Groups to sync group membership
Option B: Active Directory (LDAP Pull)
For on-premises Active Directory without cloud federation.
- Navigate to Settings > Directory Sync > Add Source > Active Directory
- Configure connection:
- LDAP URL:
ldaps://dc01.yourcompany.com:636 - Bind DN:
CN=surfacesec-svc,OU=Service Accounts,DC=yourcompany,DC=com - Bind Password: Service account password
- Base DN:
DC=yourcompany,DC=com
- LDAP URL:
- Click Test Connection to verify LDAP connectivity
- Configure user/group filters if needed
- Click Save and then Sync Now
Option C: Google Workspace (Directory API)
- Navigate to Settings > Directory Sync > Add Source > Google Workspace
- Configure:
- Domain:
yourcompany.com - Service Account Email: From your Google Cloud project
- Service Account Key: Upload the JSON key file
- Domain:
- Ensure domain-wide delegation is enabled for the service account
- Click Test Connection and Save
Option D: Manual / CSV Import
For small deployments or environments without a supported IdP:
- Navigate to Users in the dashboard
- Click Bulk Import and upload a CSV with columns:
email, displayName, department - Or use Add User to create users individually
Step 2: Select Groups and Identification Method
After connecting your directory source:
- Navigate to Settings > Directory Sync
- Click Configure Groups on your connected source
- Choose sync mode:
- Sync All Groups -- automatically syncs all groups from the source
- Select Specific Groups -- pick individual groups to sync
- Select the Identification Method:
- Email (mail) -- recommended for most environments
- UPN -- use when email doesn't match UPN
- sAMAccountName -- for legacy AD environments
- Click Save
Groups can be viewed and managed on the dedicated Groups page.
Step 3: Deploy the Extension
Quickstart (recommended)
The fastest path to first enrollment:
- Configure SSO at Settings > SSO
- Generate a magic link at Onboarding > Deploy method > Magic Link and click Generate
- Share the link with your team via Slack, email, or wiki
Users click the link, authenticate via SSO, and their extension enrolls automatically. No MDM required.
See the Enterprise extension deployment guide for more details.
Mass rollout
For larger orgs that prefer to push the extension via MDM, use one of the following methods for centralized, zero-touch deployment:
Microsoft Intune
- In Surface Security, go to Onboarding > Step 3 > Select Microsoft Intune
- Click Generate Configuration to create an enrollment token
- Copy the generated managed configuration JSON
- In Intune admin center:
- Go to Devices > Configuration profiles > Create
- Add Chrome/Edge extension force-install settings
- Paste the managed configuration JSON
- Assign to your target user groups
Windows Group Policy
- In Surface Security, go to Onboarding > Step 3 > Select Group Policy
- Generate and copy the extension policy JSON
- In Group Policy Management:
- Edit a GPO linked to target OUs
- Navigate to Computer Configuration > Administrative Templates > Google Chrome > Extensions
- Set "Configure the list of force-installed apps and extensions"
- Add the extension ID and configuration
Chrome Browser Cloud Management (CBCM)
- In Surface Security, go to Onboarding > Step 3 > Select Chrome CBCM
- Generate and copy the configuration
- In Google Admin Console:
- Go to Devices > Chrome > Apps & extensions
- Add the extension and set to Force install
- Paste the managed configuration
Manual Installation
For testing or small deployments:
- Install the Surface Security extension from your browser's extension store
- Click the extension icon
- Enter the API Endpoint, Tenant ID, and Enrollment Token from the dashboard
- Click Enroll Device
Step 4: Verify Enrollment
- Navigate to Onboarding > Step 4 in the dashboard
- Check the status cards:
- Synced Users -- total users from directory sync
- Enrolled Devices -- devices that have completed enrollment
- Directory Sources -- configured identity providers
- Recent device enrollments will appear in the table below
- Navigate to a few websites on an enrolled device -- events should appear in the Dashboard within seconds
Test Enrollment
Before rolling out to all users:
- Deploy the extension on your own device first
- Navigate to several websites and verify events appear
- Check the Alerts page for any detected security issues
- Verify that policies are being enforced as expected
- Once confirmed, proceed with broader deployment
Troubleshooting
SCIM provisioning not working
- Verify the SCIM endpoint URL and OAuth credentials in your IdP
- Check Settings > Directory Sync for source status and error messages
- Ensure the enterprise app in your IdP has provisioning enabled
- Check the Surface Security audit log for SCIM request details
Users not appearing after sync
- Confirm the directory sync status shows "Active"
- Click Sync Now to trigger a manual sync
- Verify users are in the synced groups (if specific groups are configured)
Extension not enrolling
- Check the enrollment token hasn't expired (tokens are valid for 7 days)
- Verify the API endpoint is reachable from the device
- Check browser developer tools (extension service worker) for error messages
- For managed deployment, ensure managed storage configuration is applied
Devices showing as offline
- Check that the device has network connectivity to the Surface Security backend
- Verify mTLS certificates haven't been revoked
- Restart the browser to trigger a fresh connection
For on-premises appliance deployment, see On-Premises Onboarding.