How to Handle Offboarding for Non-SSO Applications?

Asked By TechWanderer92 On

I'm working with OneLogin for Single Sign-On, but we have around 25-30 applications that don't support SAML or OIDC federation. These include vendor portals that only use basic authentication, as well as older tools, custom in-house applications with local login, and some departmental purchases made outside of IT's control.
The main challenge here is offboarding. Our automated deprovisioning via OneLogin doesn't cover these systems, so we have to rely on sending manual tickets to the application owners. During a recent audit, we found accounts still active for staff members who had left 4-8 months ago.
For anyone managing similar situations, how do you take care of identity lifecycle management for applications that are outside your federated systems? Are you using any tracking tools, or is it mostly a manual process accompanied by compensating controls? I'm looking for solutions that don't require these applications to support SSO, as that's unlikely to change anytime soon.

6 Answers

Answered By WebDevGuru21 On

If you're dealing with web applications, one workaround is using a reverse proxy like Apache with SSO authentication. While it isn't a perfect integration and lacks full authorization capabilities, it adds an additional layer of control.

Answered By LegacyAppWhiz On

It sounds like we're in similar boats! What worked for us was a combination of automated inventory scans, HR-triggered deprovisioning workflows, and routine manual audits to keep track of rogue apps that SSO can't manage.

Answered By IdentityControlPro On

This is pretty common with mixed environments. To manage these non-federated apps effectively, consider keeping an updated ownership and access register for all of them. If each app has a documented owner and a list of user accounts, it makes offboarding much more straightforward. Additionally, create automated offboarding triggers that generate tickets to app owners whenever someone is terminated, ensuring it’s less reliant on memory.

AdminAuditor99 -

I completely agree! Plus, implementing password vaulting for apps that use shared accounts can help too. This way, you manage access through the vault, which simplifies offboarding since you just need to revoke vault access.

OldSchoolSysAdmin -

Regular access reviews are also key. Even without automation, quarterly or semi-annual attestations from app owners confirming active accounts can serve as a useful control measure.

Answered By ChecklistMaster1 On

A strong offboarding workflow paired with consistent auditing is essential. Automate ticket generation with checklists for offboarding so that it’s easier to track. Exporting user lists can also help automate audits, making it practical to review accounts often.
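A worked example of the audit this answer describes (added here, not the poster's own code): reconcile exported user lists from non-SSO apps against an HR roster, flag accounts that belong to leavers or to nobody in the roster, and group the findings into one ticket per documented app owner. The roster, app exports, owner addresses and dates are all constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    app: str
    owner: str
    account: str
    issue: str          # "terminated" or "unknown_identity"
    days_stale: int     # days since termination (0 for unknown identities)

# Constructed sample data (hypothetical): HR roster as email -> (status, termination date),
# and per-app user exports keyed by the owner recorded in the access register.
HR_ROSTER = {
    "alice@example.com": ("active", None),
    "bob@example.com": ("terminated", date(2024, 1, 15)),
    "carol@example.com": ("terminated", date(2024, 6, 1)),
}
APP_EXPORTS = {
    "vendor-portal": {"owner": "procurement@example.com",
                      "users": ["Alice@Example.com", "bob@example.com"]},
    "legacy-crm": {"owner": "sales-ops@example.com",
                   "users": ["carol@example.com", "svc-report@example.com"]},
}
AS_OF = date(2024, 9, 1)  # audit date for the sample run

def reconcile(hr_roster, app_exports, as_of):
    """Return findings for app accounts that should not still exist."""
    roster = {k.lower(): v for k, v in hr_roster.items()}   # match emails case-insensitively
    findings = []
    for app, data in app_exports.items():
        for account in data["users"]:
            key = account.strip().lower()
            if key not in roster:   # shared/service accounts need an owner decision too
                findings.append(Finding(app, data["owner"], key, "unknown_identity", 0))
                continue
            status, term_date = roster[key]
            if status == "terminated":
                stale = (as_of - term_date).days
                findings.append(Finding(app, data["owner"], key, "terminated", stale))
    return findings

def tickets_by_owner(findings):
    """Group findings into one ticket body (list of lines) per app owner."""
    tickets = {}
    for f in findings:
        detail = f" ({f.days_stale} days since leaving)" if f.issue == "terminated" else ""
        tickets.setdefault(f.owner, []).append(f"[{f.app}] {f.account}: {f.issue}{detail}")
    return tickets

if __name__ == "__main__":
    for owner, lines in tickets_by_owner(reconcile(HR_ROSTER, APP_EXPORTS, AS_OF)).items():
        print(f"Ticket for {owner}:\n  " + "\n  ".join(lines))
```

In practice the exports come from each app's CSV dump and the roster from the HR feed that already triggers OneLogin deprovisioning; the "days since leaving" figure is the number an auditor will ask about.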

Answered By AuditNinja77 On

One approach we found helpful is implementing a manual checklist along with regular audits. We also push for getting access to those manual apps ourselves when possible to decommission accounts directly rather than relying on app owners, since we have a low churn rate.

Answered By UserDataHacker On

One fairly effective technique is to utilize a browser extension through MDM that pulls up login data across SaaS apps used by employees. This way, you can monitor accounts connected via Google OAuth or similar without needing SSO directly on every app. We’ve had luck with using Primo for workflows too!
