How are small IT teams handling cross-platform offboarding verification?
Posted by vp_1312@reddit | sysadmin | View on Reddit | 18 comments
Offboarded someone last month. IdP suspended, ticket closed, moved on.
Was doing a license audit a few weeks later and noticed her Salesforce account was still active. Dug a little deeper. Slack session still live. Couple of OAuth grants hanging around.
Nothing malicious, she’d been gone, but it made me realize I had no idea how common this is. We assume offboarding is done when the IdP is done but that’s clearly not the whole picture.
Anyone doing systematic cross-platform checks after offboarding or is everyone just hoping for the best? For context it’s me and 2 other people so we’re pretty limited on time and resources.
Next_Special_6784@reddit
Had the exact same issue last quarter. Hud io lets you run cross platform checks after offboarding so you spot stuff Okta misses. Has saved me more than once already.
thalianai@reddit
That’s actually exactly what Thalian.ai handles, and it’s made for small to mid-market IT teams: https://thalian.ai - we have a demo if you’re interested in poking around.
AggravatingAmount438@reddit
Usually it comes from HR, so we create a ticket and slap the info in it.
Then we add a check-off list template into the main part of the ticket. We run the automation, and then go down the check-list after the termination automation to make sure every part of the automation has been completed, and that we contact the right people to disable third-party accounts.
In a time where we keep trying to change and optimize everything, nothing beats a simple check-list.
PhLR_AccessOwl@reddit
Sounds familiar. I've dealt with this myself in the past and we see the same thing at plenty of companies we work with.
Classic examples are Slack (infinite session time by default, so users basically never get logged out) and any SaaS app where enforcing SAML or OAuth login sits behind the enterprise plan. Everyone else just signs up with username and password and keeps access.
The most useful first step imho is shadow IT discovery, just to uncover every account a user has actually touched. The free version is checking your Google OAuth logs to see what apps they connected. There's also free tooling out there. We have a free shadow IT scanner you can use here: https://www.accessowl.com/scan
Full disclosure, I'm the co-founder of AccessOwl. What you described is basically our focus, connecting to any SaaS app regardless of SCIM or SAML support for automated provisioning, and covering every app an employee ever used so offboarding doesn't leave gaps.
Happy to chat either way. DM or email me (pe@accessowl.com) and I can share some best practices from customers and other orgs around your size, no matter whether AccessOwl makes sense for you or not.
ErrorID10T@reddit
Automatic offboarding, in my experience, is at best mostly reliable. I usually handle this with a couple of scripts, because identity governance solutions are needlessly expensive, but there are identity governance solutions you can buy for exactly this reason.
vp_1312@reddit (OP)
What kind of scripts are you using?
ErrorID10T@reddit
Primarily software installation, patching, BitLocker, and system configuration, but also a number of auto-remediation scripts for alerts, and some API work with our VPN server. We basically just install the agent and it fully provisions and configures computers and alerts us about anything we might want to know for preventative maintenance.
LeidaStars@reddit
Honestly, a lot of small teams are still doing partial offboarding and hoping SSO covers more than it does. A simple checklist plus quarterly audits usually goes a long way. Even basic reports for active users, tokens, and app access can catch a lot without huge tooling.
vp_1312@reddit (OP)
I’ve thought about this problem in depth because I feel like it’s a theme no matter where I work, but especially at the small companies and startups I’ve been a part of. I’m trying to make the detection part easier. I feel like the build vs. buy conversation with AI tools could make a solution more accessible.
Powerful_Lifeguard96@reddit
SCIM provisioning where possible and monthly audits.
vp_1312@reddit (OP)
Company can't afford SCIM at the current price tag companies have it at, unfortunately.
tarkinlarson@reddit
SSO as much as possible to automate.
Using a checklist as part of offboarding. Update it every time something like this happens.
Regular manual access reviews of those applications.
Automated disabling of accounts not used in 45 days.
Making offboarding notifications and tickets to IT HR's responsibility.
vp_1312@reddit (OP)
I feel like a lot of applications are limited with SSO unless you pay an arm and a leg for enterprise versions.
Hairy-Marzipan6740@reddit
You're not paranoid, this is super common. The pattern I've seen is teams treat IdP disable as the finish line when it's really just the first checkpoint. Okta off, laptop back, ticket closed. Then 2 weeks later somebody finds Slack still logged in, Salesforce still active, some random OAuth token still alive, and now everyone's doing archaeology.
For small teams, the thing that seems to work is a short "post-offboarding verification" pass that happens after the account disable, not at the same moment. Usually 24 hours later or end of week. Just a fixed list of the stuff that bites you most: email, Slack, Salesforce, GitHub, cloud consoles, password vault, OAuth grants, and whatever shadow IT your company always forgets about. If it's not on the checklist, it doesn't count as done.
The other shift is treating offboarding like a workflow with two stages, not one. Stage one is suspend access fast. Stage two is verify the long tail and sign it off. That's where a lot of small teams get burned, because the ticket closes after stage one and nobody owns stage two anymore.
Worth saying, I'm with ClearFeed, and the part we'd fit in is the workflow side, not the discovery side. We can help run the request, approvals, reminders, Slack-side coordination, and even some Okta actions from Slack, but we wouldn't pretend that's enough to find every lingering SaaS account or OAuth grant. If you've got a lot of app sprawl, the real fix is some mix of checklist discipline, app-owner signoff, and a second-pass verification step. :)
vp_1312@reddit (OP)
The two-stage framing is exactly it. Stage one has a ticket and an owner. Stage two is just vibes and hope. We added a next-day verification pass to our process after this happened and it’s already caught two more things we would have missed.
chickibumbum_byomde@reddit
Quite common: offboarding “feels done” once the IdP is handled, but SaaS sprawl breaks that assumption.
For a smaller team, my approach is: keep a simple offboarding checklist plus some system inventory (what apps exist), do periodic audits (licenses, active users, tokens), automate whenever possible, and don’t aim for perfection, aim for functionality.
It also helps to have visibility across systems; good, solid, reliable monitoring will save you a ton of headaches and tons of time, so “forgotten” accounts don’t stay invisible.
igiveupmakinganame@reddit
End all sessions when offboarding.
tensorfish@reddit
Okta disablement closes the front door, not every side door. Small-team version is boring: keep a list of non-SSO apps and service-account exceptions, revoke refresh tokens and OAuth grants, then run a next-day 'does this ex-user still own anything?' check across the admin consoles that matter. If you can't show the revocation in logs, they're not actually offboarded yet.
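The "next-day verification pass" and "show the revocation in logs" checks that the two posts above describe, as an added example that is not from any commenter or vendor in this thread. It runs over constructed admin-console exports (the e-mail addresses, app names and log events are all made up) and returns findings for a still-active account, live sessions, OAuth grants with no logged revoke event, and, as a side check from the 45-day rule mentioned earlier, any account idle past that threshold.

```python
from datetime import datetime

# All data below is constructed to resemble admin-console exports; none of it is real.
NOW = datetime(2024, 6, 3)          # assumed: the next-day verification run
OFFBOARDED = "jane@example.com"     # hypothetical ex-employee

IDP_LOG = [{"event": "user.lifecycle.suspend", "target": OFFBOARDED, "ts": "2024-06-02T17:02Z"}]
APP_EXPORTS = {  # per-app user export: email, active flag, last login, live session count
    "slack": [{"email": OFFBOARDED, "active": True, "last_login": "2024-06-02", "sessions": 2}],
    "salesforce": [{"email": OFFBOARDED, "active": True, "last_login": "2024-05-20", "sessions": 0}],
    "github": [{"email": "bob@example.com", "active": True, "last_login": "2024-04-01", "sessions": 1}],
}
OAUTH_GRANTS = [{"owner": OFFBOARDED, "app": "calendar-sync"}, {"owner": OFFBOARDED, "app": "crm-connector"}]
REVOKE_LOG = [{"event": "oauth.grant.revoke", "target": OFFBOARDED, "app": "crm-connector"}]


def verify_offboarding(user, apps, grants, idp_log, revoke_log, now=NOW, stale_days=45):
    """Stage-two check: return (system, issue) findings; an empty list is the sign-off."""
    findings = []
    # Stage one counts only if the IdP audit log shows it, not because the ticket closed.
    if not any(e["target"] == user and e["event"].endswith("suspend") for e in idp_log):
        findings.append(("idp", f"no suspend event for {user} in audit log"))
    for app, users in apps.items():
        for u in users:
            if u["email"] == user:
                if u["active"]:
                    findings.append((app, "account still active"))
                if u["sessions"]:
                    findings.append((app, f"{u['sessions']} live session(s)"))
            # Side check: anyone still active but idle past the auto-disable threshold.
            idle = (now - datetime.strptime(u["last_login"], "%Y-%m-%d")).days
            if u["active"] and idle > stale_days:
                findings.append((app, f"stale: {u['email']} idle {idle} days"))
    # Every OAuth grant the ex-user owns must have a matching revoke event in the log.
    revoked = {(e["target"], e["app"]) for e in revoke_log if e["event"] == "oauth.grant.revoke"}
    for g in grants:
        if g["owner"] == user and (user, g["app"]) not in revoked:
            findings.append(("oauth", f"grant '{g['app']}' has no revoke event in log"))
    return findings


if __name__ == "__main__":
    for system, issue in verify_offboarding(OFFBOARDED, APP_EXPORTS, OAUTH_GRANTS, IDP_LOG, REVOKE_LOG):
        print(f"[{system}] {issue}")
```

In practice the four inputs come from each app's user export or admin API and from the IdP's system log; the point is that the ticket is signed off only when this returns nothing.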