SSO deprovisioning in offboarding: where access removal breaks down


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Employee offboarding is a significant security threat for 76% of executives, and 58% say COVID-19 made offboarding harder, with SSO session persistence and incomplete deprovisioning driving the risk, according to Zluri. That makes offboarding a governance problem across identity, data retention, and application access, not just an HR workflow.

NHIMG editorial — based on content published by Zluri: SaaS Management Employee Offboarding for IT & HR

Questions worth separating out

Q: What breaks when offboarding only disables the SSO account?

A: A disabled SSO account can still leave active application sessions, cached tokens, and application-owned data in place.

Q: Why do offboarding workflows need more than HR approval?

A: HR confirms the employment change, but it does not automatically close every access path.

Q: How do security teams know if deprovisioning actually worked?

A: They should check application sign-in logs, audit logs, and access logs after the offboarding event.

Practitioner guidance

  • Build a SaaS offboarding checklist that spans identity, license, and data handoff: define the exact steps for disabling access, removing licenses, preserving business data, and transferring account-owned content to a named owner before the leaver process closes.
  • Require proof of session termination after deprovisioning: do not rely on directory disablement alone.
  • Tie offboarding to application audit evidence: use sign-in logs, audit logs, and access logs to verify that the account stopped acting in each application after the offboarding event and that no residual activity remains.

What's in the full article

Zluri's full article covers the operational detail this post intentionally leaves for the source:

  • A step-by-step walkthrough of the offboarding workflow from access removal to data backup and license reclamation.
  • The survey breakdown showing how IT leaders ranked offboarding threats, remote work impact, and access management priorities.
  • A direct look at how Zluri monitors sign-in logs, access logs, and audit logs during deprovisioning.
  • The platform-specific SaaS discovery and integration details used to automate offboarding across applications.

👉 Read Zluri's case study on employee offboarding and SaaS deprovisioning →
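An added worked example, not code from the original post, from NHIMG or from Zluri, covering the two practitioner points above: why a directory disable does not by itself end application sessions (the "proof of session termination" point), and how to check application logs for residual activity after the offboarding event (the "audit evidence" point). The user, timestamps, session records, the JSON-lines log format and its field names (ts, app, user, event, ok) are all constructed for the example; the per-user "issued before disable time" cutoff is a generic pattern, not a claim about how any particular product implements it.

```python
"""Added example (not Zluri's or NHIMG's code): checking that SSO deprovisioning
actually ended a leaver's access, using application-side evidence.

Everything below is constructed and hypothetical: the user, the timestamps,
the session records, and the JSON-lines audit log with fields ts/app/user/event/ok.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

OFFBOARDED_USER = "j.doe@example.com"
# Constructed offboarding event: the directory/SSO account was disabled here.
DISABLED_AT = datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc)
DISABLED_USERS = {OFFBOARDED_USER: DISABLED_AT}
# Apps the (hypothetical) offboarding checklist says the leaver had access to.
CHECKLIST_APPS = {"crm", "wiki", "storage"}
# Point in time at which the verification is run (constructed).
CHECK_TIME = datetime(2024, 3, 2, 10, 0, tzinfo=timezone.utc)


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# 1. Session persistence: why a directory disable alone is not session termination.

def accepts_expiry_only(session: dict, now: datetime, disabled_at: datetime | None) -> bool:
    """Naive app-side check: a token is good until it expires. The directory
    disable never reaches a token issued earlier, so disabled_at is ignored."""
    return parse_ts(session["expires_at"]) > now


def accepts_with_cutoff(session: dict, now: datetime, disabled_at: datetime | None) -> bool:
    """Hardened check: besides expiry, reject any session issued before the
    account's disable time (a per-user cutoff the app learns from the
    deprovisioning event). Pattern assumed for illustration."""
    if parse_ts(session["expires_at"]) <= now:
        return False
    return disabled_at is None or parse_ts(session["issued_at"]) >= disabled_at


# Constructed sessions: the leaver holds a month-long token issued before exit.
SESSIONS = [
    {"app": "crm", "user": OFFBOARDED_USER,
     "issued_at": "2024-02-28T09:00:00Z", "expires_at": "2024-03-30T09:00:00Z"},
    {"app": "wiki", "user": "a.smith@example.com",
     "issued_at": "2024-03-01T08:00:00Z", "expires_at": "2024-03-02T08:00:00Z"},
]


def surviving_sessions(sessions, now, policy, disabled_users):
    """(app, user) pairs the given policy still accepts at time `now`."""
    return [(s["app"], s["user"]) for s in sessions
            if policy(s, now, disabled_users.get(s["user"]))]


# 2. Audit evidence: did the account stop acting in every application?

# Constructed JSON-lines sign-in/audit log pulled from three apps plus the IdP.
AUDIT_LOG = """\
{"ts": "2024-03-01T16:45:00Z", "app": "crm", "user": "j.doe@example.com", "event": "sign_in", "ok": true}
{"ts": "2024-03-01T17:20:00Z", "app": "crm", "user": "j.doe@example.com", "event": "export_contacts", "ok": true}
{"ts": "2024-03-02T09:05:00Z", "app": "wiki", "user": "a.smith@example.com", "event": "sign_in", "ok": true}
{"ts": "2024-03-02T10:00:00Z", "app": "storage", "user": "j.doe@example.com", "event": "file_download", "ok": true}
{"ts": "2024-03-02T10:01:00Z", "app": "sso", "user": "j.doe@example.com", "event": "sign_in", "ok": false}
"""


def verify_deprovisioning(log_text, user, disabled_at, checklist_apps):
    """Classify each checklist app as 'residual' (successful activity by the
    leaver after disabled_at), 'clean' (the app's log feed was live after the
    event and shows nothing from the leaver), or 'no_evidence' (no post-event
    records from that app at all, so nothing can be claimed either way)."""
    seen_after = set()
    residual: dict[str, list] = {}
    for line in log_text.splitlines():
        rec = json.loads(line)
        if parse_ts(rec["ts"]) <= disabled_at:
            continue
        seen_after.add(rec["app"])
        if rec["user"] == user and rec["ok"]:
            residual.setdefault(rec["app"], []).append((rec["ts"], rec["event"]))
    status = {}
    for app in checklist_apps:
        if app in residual:
            status[app] = "residual"
        elif app in seen_after:
            status[app] = "clean"
        else:
            status[app] = "no_evidence"
    return status, residual


if __name__ == "__main__":
    print("expiry-only policy still accepts:",
          surviving_sessions(SESSIONS, CHECK_TIME, accepts_expiry_only, DISABLED_USERS))
    print("cutoff policy still accepts:",
          surviving_sessions(SESSIONS, CHECK_TIME, accepts_with_cutoff, DISABLED_USERS))
    status, residual = verify_deprovisioning(AUDIT_LOG, OFFBOARDED_USER, DISABLED_AT, CHECKLIST_APPS)
    for app in sorted(status):
        print(f"{app}: {status[app]} {residual.get(app, '')}")
```

Two things the output makes visible that the directory's own "user disabled" status does not: the CRM token issued before the exit is still accepted by an expiry-only app, and the leaver successfully exported contacts and downloaded a file after the disable time. The failed IdP sign-in is expected after a disable and is not counted as residual activity; an app with no post-event log records at all is reported as "no_evidence" rather than "clean", since absence of a feed is not proof of termination.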




   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Offboarding exposed a governance gap, not just a workflow gap. The article shows that removing a user from SSO is not the same as removing their ability to act across the SaaS estate. Session persistence, app-level entitlements, and data ownership transfer all sit outside a simple directory-disable event. The practitioner lesson is that offboarding must be governed as a cross-application identity closure process, not an HR checklist.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should own access and data cleanup during employee offboarding?

A: Ownership should be shared across HR, IT, IAM, and the application business owner, because each controls a different part of the exit. HR confirms the departure, IT and IAM remove access, and the business owner confirms data transfer or retention. Clear ownership prevents gaps between systems.

👉 Read our full editorial: Employee offboarding exposes the limits of SSO deprovisioning


