Event Callback
An event callback is a real-time notification mechanism provided by BambooCloud IDaaS. Application developers can register callback events through HTTP interfaces. When organization or user data in IDaaS changes, the system automatically pushes change information to the callback address specified by the application.
Applicable Scenarios
When IDaaS serves as the identity center to manage user data, and downstream applications need to keep their own user data synchronized, event callbacks can avoid application polling queries and achieve efficient, real-time data synchronization.
Typical Scenarios
- New employee onboarding: after IDaaS creates a user, automatically push to OA, mail, IM, and other applications
- Employee transfer: after organization structure changes, automatically sync to business systems
- Employee resignation: after the account is disabled, automatically notify all related applications to recover permissions
Event Callback Flow

Step Details
Configure callback address
Application developers fill in the callback URL in the application synchronization configuration of the IDaaS console.
Verify callback address
IDaaS pushes a "verify callback address" event data packet to the configured callback address. The data is encrypted using the signature key and encryption key filled in when the application was created, and signed using the security token.
Application verification response
After receiving the push, the application needs to:
- Verify the signature to ensure the data source is trustworthy
- Decrypt the data packet
- Return an encrypted
successstring to BambooCloud IDaaS
Enable event push
After IDaaS verifies the
successdata, it confirms the callback address is valid. Thereafter, whenever organization or personnel changes occur, the system automatically pushes relevant event data to this callback address.
Security Guarantees
Event callbacks involve sensitive identity data flow. BambooCloud IDaaS provides multi-layer security guarantees:
| Security Mechanism | Description |
|---|---|
| Signature verification | Prevent data tampering |
| Encrypted transmission | Prevent data from being stolen during transmission |
| Security token | Ensure push requests come from a trusted IDaaS platform |
| IP whitelist | Restrict the callback address to only receive requests from specified IP ranges |
It is recommended that when handling event callbacks, the application side must perform signature verification and decryption, and never trust unverified data.