In our organization, we use Google Workspace SSO for volunteers to create accounts on various third-party platforms. When a volunteer leaves, we disable or delete their Google Workspace account, which stops them from logging in via SSO. I'm trying to figure out if we just need to remove their access on the third-party platform, or if we should also delete their account there entirely. Is it okay to leave the account orphaned when the Google identity is gone, or is that seen as a security issue? What's the usual protocol for offboarding in situations like this?
3 Answers
You definitely need to remove the orphaned account, trust me. Session cookies can last a long time. For example, if someone logs into Slack with their Google account and then you delete their Google account, Slack won't know that person is gone until they try to reauthenticate. This is why having SCIM provisioning is crucial, as it can automatically handle account deactivation across platforms.
It really depends on how the platform handles identity. If they strictly use the Google login for access, disabling the Google account usually cuts off access. But if they allow logging in through other methods or account recovery options, things can get more complicated. You should check how the specific platform operates regarding user accounts.
That's a good point. I think it might be safer just to delete the account on the platform to avoid any potential issues down the line.
I’m a bit confused by your question. It sounds like you have admin access on the platform to manage user accounts. If so, shouldn't you remove their account completely? I’d suggest centralizing the account management process for better control.
There are several reasons for how we currently manage accounts, but I’m referring to removing the user role for volunteers. Once they’re removed as a user, I’m just weighing whether to delete their account or leave it orphaned. I'm curious about best practices here.

Exactly! Making sure to revoke access on the platform and deleting the account after that is crucial for security.
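
The concerns raised in the answers above (sessions that outlive the Google account, login paths that bypass SSO, roles left assigned) can be checked by reconciling the Google Workspace directory against a platform's user export. This is an added example, not part of the original thread; the field names and sample records are constructed assumptions, not any real platform's export format.

```python
from datetime import datetime, timezone

# Constructed sample data; field names are assumptions for illustration.
IDP_USERS = {  # Google Workspace directory: email -> suspended?
    "ana@example.org": False,
    "raj@example.org": True,   # suspended at offboarding
}
PLATFORM_USERS = [  # third-party platform user export
    {"email": "ana@example.org", "role": "volunteer", "login_methods": ["google_sso"],
     "session_expires": "2030-01-01T00:00:00+00:00"},
    {"email": "raj@example.org", "role": "volunteer", "login_methods": ["google_sso"],
     "session_expires": "2030-01-01T00:00:00+00:00"},
    {"email": "lee@example.org", "role": None, "login_methods": ["google_sso", "password"],
     "session_expires": None},  # identity already deleted from the directory
]

def find_orphans(idp_users, platform_users, now):
    """Return platform accounts with no active IdP identity and why each still matters."""
    findings = []
    for acct in platform_users:
        email = acct["email"].lower()
        if idp_users.get(email) is False:  # present and not suspended: live identity
            continue
        risks = []
        # Login paths that do not go through the IdP survive its deletion.
        extra = [m for m in acct["login_methods"] if m != "google_sso"]
        if extra:
            risks.append("non-SSO login: " + ",".join(extra))
        # A session issued before offboarding stays valid until expiry or revocation.
        exp = acct["session_expires"]
        if exp and datetime.fromisoformat(exp) > now:
            risks.append("live session")
        if acct["role"]:
            risks.append("role still assigned: " + acct["role"])
        findings.append({"email": email, "risks": risks})
    return findings

if __name__ == "__main__":
    for f in find_orphans(IDP_USERS, PLATFORM_USERS, datetime.now(timezone.utc)):
        print(f["email"], "->", "; ".join(f["risks"]) or "orphaned, no active access path")
```

An account that comes back with an empty risk list is still orphaned; it simply has no remaining way in according to the export.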