Platform Features
Every feature built for
higher-ed IT
OnboardConnect is purpose-built around the Slate-to-directory workflow — Active Directory, Microsoft Entra, and Google Workspace, with SIS writeback. No generic iPaaS glue. No scripting. Every capability maps directly to how higher-ed institutions actually operate.
Feature 01
Slate Connection
OnboardConnect connects to Slate through Query Web Services — with no Slate API credentials, no custom development, and no vendor access required.
Each connection type is configured once in the tenant portal. Workflows run on your schedule, process each record idempotently, and log every action. Duplicate records are safely ignored.
What's included
- Slate connection types: Query Web Services and Source Format
- Processes enrollment, withdrawal, graduation, and password reset events
- Idempotent processing — re-running the same data is always safe
- Full lifecycle coverage: create, re-enable, disable, move OU, and password reset
- Results written back to Slate via Source Format API (Slate's native import endpoint, writeback only)
- File transfer in both directions — download files from Slate or upload them into Slate over HTTPS, no SFTP required
- Automated workflows run on any schedule or trigger on provisioning events
Feature 02
Three Directory Platforms
Provision to on-premise Active Directory, Microsoft Entra ID, and Google Workspace for Education — together or separately, from a single configuration interface.
On-premise AD connects through the lightweight OC Agent installed inside your network, so credentials never leave campus. Microsoft Entra connects via Microsoft Graph and Google Workspace via the Google Admin SDK — both Worker-side. All three run from the same workflows.
What's included
- On-Prem Active Directory via the OC Agent (LDAP) — read, create, update, activate/deactivate, set password, move OU, security groups, distribution lists, delete; no inbound firewall rules and credentials stay on campus
- Microsoft Entra ID via Microsoft Graph — read, create, update, activate/deactivate, set password, license, security groups, delete
- Google Workspace for Education via the Google Admin SDK — create, update, activate, suspend, set password, groups
- Provision to all three from a single Slate import — together or independently
- Each target managed as a named connection, with the OC Agent monitored for health and alerting on disconnect
- On-prem credentials carried over an encrypted WebSocket relay; cloud tokens encrypted at rest with AES-256-GCM
Feature 03
SIS Writeback
Provisioning shouldn't leave your Student Information System out of date. OnboardConnect writes student data — usernames, email addresses, account status — back to your SIS as part of the same run.
Writeback is routed through the on-prem OC Agent, so SIS credentials stay on campus. Add an SIS Read or SIS Upsert step to any workflow and map fields exactly the way your system expects them.
Supported systems
- Ellucian Ethos — covers both Banner and Colleague
- Oracle PeopleSoft Campus Solutions
- Workday Student
- SIS Read and SIS Upsert steps, available directly in the workflow builder
- Per-step field mapping so values land in the right SIS fields
- Credentials handled on-prem by the OC Agent — never stored Worker-side
Feature 04
Slate File Transfer
Move files between Slate and a folder on your on-prem OC Agent machine — in both directions — without standing up an SFTP server. Pull a document down from Slate to your network, or push a file from your network up into Slate through a Source Format.
Transfers run over authenticated HTTPS. Bytes are staged through encrypted R2 object storage and moved by the on-prem agent over a direct HTTPS connection — nothing large rides the WebSocket control channel — so the platform handles large binaries like PDFs and multi-megabyte documents without timing out. Add a download or upload step to any Slate-triggered workflow, right alongside your Query and Source Format steps.
What's included
- Slate File Download — pull a file from Slate and deliver it to a folder on your on-prem OC Agent machine
- Slate File Upload — take a file from the OC Agent machine and upload it into Slate via a Source Format
- No SFTP server to stand up or maintain — every transfer runs over authenticated HTTPS
- Handles large binaries: PDFs, documents, and multi-megabyte files
- Bytes staged through encrypted R2 storage and moved by the agent over direct HTTPS — never over the WebSocket control channel
- Drops into the existing workflow builder beside Query Service read and Source Format write steps
Feature 05
Provisioning Rules Engine
The Rules Engine answers the question: which students get an account, and when? Every provisioning decision in OnboardConnect is driven by rules you define — no hardcoded logic, no custom scripts. Rules follow a trigger → conditions → action model that maps directly to your institution's policies.
Rules are evaluated in priority order. Each rule specifies which students match, what action to take, and when to execute. Account-building details — username format, OU placement, group membership — are defined separately in Provisioning Settings.
What's included
- Trigger on any Slate lifecycle event: Enrolled, Deposited, Accepted, or custom status values
- Conditions: filter by program, campus, enrollment status, or any Slate field value
- Actions: Create, Update, Disable, Delete, or Skip — per matching rule
- Rule priority ordering — first match wins, with conflict detection
- Trigger on Provisioning Event — chain a workflow to run automatically after account creation
- Dry-run mode to preview what would execute without creating any real jobs
Feature 06
Provisioning Settings
Provisioning Settings answers the question: what does that account look like? Define exactly how accounts are built using field-based conditional rules — no scripts, no manual IT decisions. Username format, OU placement, group membership, and password policy are all driven by the data in your Slate export.
Rules are evaluated in priority order. The first matching condition determines the outcome — so a nursing student lands in the Nursing OU with the correct groups automatically, every time.
Five configuration tabs
- Username — template format using {field_name} tokens with live preview and collision handling
- Password — policy type, complexity rules, and force-reset on first logon
- OU — default OU plus ordered conditional rules driven by Slate field values
- Security Groups — additive membership rules so each student lands in the right groups
- Distribution Lists — same conditional logic for mail-enabled distribution lists
Feature 07
Visual Workflow Builder
Drag and drop the whole onboarding pipeline into one workflow — filter, transform, provision across all three directory platforms, write back to your SIS, and notify your team. Steps are ordered and branchable, with separate On Success and On Failure lanes, so a run does the right thing whether a step passes or fails. No scripts to maintain.
Map fields per step, turn on continue-on-error where a single bad row shouldn't stop a run, and let large imports process in chunks. Run from the builder and watch it execute step by step in real time — every run is kept in full history with a live run view, so you always know what happened.
What you can build
- Directory steps for all three platforms: On-Prem AD, Microsoft Entra, and Google Workspace — create, update, activate/deactivate (suspend on Google), set password, groups, OU/distribution lists, license, delete
- Slate read and writeback — pull records in and push results back in the same run
- SIS Read and SIS Upsert — sync data to Ethos, PeopleSoft, or Workday
- Flow & logic: Filter Rows to route a segment by condition, Transform Fields to compute or normalize values, and Idle / Wait to pause between steps
- On Success / On Failure lanes — branch the run based on how each step finishes
- Notifications: Email, SMS via Twilio, Chat via Slack or Microsoft Teams, and Webhook to any system you configure
- On-prem file steps — read and write files inside your network via the OC Agent
- Slate file transfer — download a file from Slate to the OC Agent machine, or upload a file from your network into Slate, over HTTPS (no SFTP)
- Continue-on-error and chunked processing for large imports, with editing locked while a run is in progress
- Run on demand with live, step-by-step visibility and full run history — record counts and the actual rows passed, with passwords masked
- Organize at scale — search and filter the workflows list by status, group, or schedule, and pin the ones you use most
Feature 08
Full Lifecycle Automation
Student identity management doesn't stop at enrollment. OnboardConnect handles every stage — from initial provisioning to eventual deactivation — across every directory you connect, based entirely on the workflows your team builds.
Each lifecycle transition maps to a configurable directory action. Your IT team defines what happens at each stage — and when. OnboardConnect ensures it happens consistently every time.
Lifecycle events covered
- Enrollment confirmed → Create directory account, assign groups, send welcome email
- Student withdraws → Disable account, log reason, retain for configurable grace period
- Graduation → Disable active account, move to graduated OU, trigger notification
- Re-enrollment → Re-enable previously disabled account, update OU and groups
- Password reset request → Execute via configured reset method, log outcome
- Account deletion → Permanently remove after retention period expires
Feature 09
Audit Trail & Compliance
Every provisioning event is recorded with a full context snapshot — who triggered it, what changed, when it happened, and what the outcome was. The log is immutable and exportable.
When your auditors, CISO, or accreditation team asks "who has access to what and how did they get it?" — you have an answer, immediately, without digging through scripts or email threads.
What's included
- Every event timestamped to the millisecond with actor, trigger, and outcome
- Immutable append-only log — no entry can be modified or deleted
- Exportable as CSV or JSON for compliance reporting
- 365-day hot retention in dashboard; cold storage archive beyond that
- Filter by student, event type, connection, or date range
- Automated alerts for provisioning failures or anomalous activity
Feature 10
Multi-Admin Role Management
OnboardConnect is designed for teams, not individuals. Multiple staff members can access the platform with different permission levels — so the right people can act without granting everyone full control.
Every action is attributed to the named user who performed it. Role boundaries are enforced at the API level — not just the UI — so there's no way to exceed your granted permissions.
Built-in roles
- Owner Full access including billing, environments, and user management
- Admin Full provisioning access; cannot modify billing or remove owner
- Technician Can run provisioning, view logs, and reset passwords; cannot modify rules
- Read-only Audit log and dashboard access only — no write permissions
All users invited by email — no shared credentials.
Feature 11
Proactive Alerts
OnboardConnect monitors your provisioning environment continuously and notifies your team the moment something needs attention — before a help desk ticket is ever filed.
Alert recipients are configurable per institution. Choose exactly which team members receive notifications, or let all active portal users receive them by default. Built-in cooldown periods prevent alert flooding during extended incidents.
What triggers an alert
- Provisioning Job Failures 1 hr cooldown
Fires when a job exhausts all retry attempts — so your team knows immediately when a student account cannot be created automatically.
- Agent Goes Offline 4 hr cooldown
Fires when an on-premise Agent stops heartbeating for more than 15 minutes — catching network or service issues before they delay a provisioning run.
- No Provisioning Activity in 24 Hours 6 hr cooldown
Fires when no successful provisioning run is processed in a 24-hour window — catching misconfigured schedules or stalled workflows before enrollment day.
Feature 12
Self-Service Password Reset
Password resets are the #1 helpdesk ticket at most institutions — and they spike hardest right when your team has the least time to absorb them. OnboardConnect lets students reset their own passwords from a branded portal you control, with identity verified through the recovery email or phone already on file in your directory.
Disabled by default. Each tenant decides when to enable the flow, which connection executes the reset, and which groups (Domain Admins, IT Staff, service accounts) are excluded from self-service entirely.
What's included
- Admin-defined routing — you pick which connection (On-Prem AD, Microsoft Entra, or Google Workspace) executes the reset, by priority
- Bring-your-own messaging — point email at your own SMTP-over-HTTP provider (Mailgun, SendGrid, Resend) and SMS at your own Twilio account, so end-users see your domain
- Privileged accounts excluded by group — Domain Admins, IT Staff, and any group you flag never see a self-service flow
- Dedicated Reset Log with masked PII, attempt counts, IP / country, and three built-in pattern alerts (repeat resets, failed-verify spikes, reset-then-privilege-change)
- Rate-limited and Turnstile-protected on every public entry point — bot-resistant out of the box
- FERPA-aware retention — reset log defaults to 1-year retention, tenant configurable up to 7 years
Master kill switch is off by default. Admins control enablement, connection priority, and group exclusions from the tenant portal.
Learn moreGet Started
Ready to see it live?
We'll walk you through a live provisioning cycle using your own Slate export structure. No commitment required.
90-day free trial — no credit card required.