
There's a very common problem with systems that use SSO, where the 3rd parties that accept SSO logins cache the login information, sometimes indefinitely. A user can leave the company but their login placeholder account stays in the 3rd party, and active login sessions are maintained basically indefinitely. So you can leave the company and lose your AD account, but still access the 3rd party. As Rachel says it's kind of a hard problem to solve (but not that hard).


In most cases wouldn't that session info be tied to physical hardware to which the employee no longer has access? Sure, tick all of your boxes, but I would think that losing the company laptop/phone/VPN would be a pretty significant barrier to maintaining access to other systems.


Not with 3rd party vendors with basic SSO. They have no idea when the user leaves the company because there's nothing updating the vendor's sessions.


Not with BYOD


I refuse to BYOD, so I am not familiar with the nuances, but wouldn't the corporate controlling entity wipe/reset/deauthenticate the corporate partition of the device?


That entirely depends on how it's implemented. At least Windows, Android and iOS have the functionality to delete Work accounts / profiles.

But I've also seen companies with no MDM at all, so YMMV.


The answer to this is SCIM, which allows an app to sync the user state with the identity/directory system.

IT admins call this "User Lifecycle Management" and it's typically a required feature for enterprise-scale customers.

(I work at WorkOS and we help developers with this: https://workos.com/directory-sync)
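The deprovisioning flow described in this thread, as an added example that is not from any commenter or from WorkOS: a minimal in-memory model of a SaaS app that provisions users just-in-time from SSO logins and hands out long-lived sessions, plus a SCIM 2.0 PATCH/DELETE handler that marks the user inactive and revokes every session they hold. Everything here is constructed for illustration: the user and session identifiers, the session TTL, the `AppState` store and the function names are assumptions, not any vendor's API; only the SCIM PatchOp schema URN and the `active` attribute are taken from the SCIM specification.

```python
"""Constructed example: SSO just-in-time provisioning beside a SCIM deprovisioning
handler. Without the SCIM side, nothing ever flips `active` to False, so cached
users and their sessions outlive the employee's directory account."""
import time
from dataclasses import dataclass, field

# Schema URN for a SCIM 2.0 PATCH request (RFC 7644).
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass
class User:
    external_id: str   # identifier the IdP asserts in the SSO response
    email: str
    active: bool = True


@dataclass
class AppState:
    users: dict = field(default_factory=dict)     # app user id -> User
    sessions: dict = field(default_factory=dict)  # session token -> (user id, expiry)


def sso_login(state, external_id, email, ttl_seconds=30 * 24 * 3600, now=None):
    """JIT-provision the user from an SSO assertion and issue a long-lived session.

    This is the 'basic SSO' integration from the thread: the app caches the user
    record on first login and never hears from the directory again on its own.
    """
    now = time.time() if now is None else now
    uid = next((k for k, u in state.users.items() if u.external_id == external_id), None)
    if uid is None:
        uid = f"user-{len(state.users) + 1}"          # constructed id scheme
        state.users[uid] = User(external_id, email)
    if not state.users[uid].active:
        raise PermissionError("user has been deprovisioned")
    token = f"sess-{uid}-{len(state.sessions) + 1}"   # constructed token scheme
    state.sessions[token] = (uid, now + ttl_seconds)
    return token


def check_session(state, token, now=None):
    """Authorize a request: session must exist, be unexpired, and belong to an active user."""
    now = time.time() if now is None else now
    entry = state.sessions.get(token)
    if entry is None:
        return False
    uid, expiry = entry
    if now > expiry:
        del state.sessions[token]
        return False
    user = state.users.get(uid)
    return user is not None and user.active


def revoke_sessions(state, uid):
    """Drop every session held by a user; called from every deprovisioning path."""
    for token in [t for t, (u, _) in state.sessions.items() if u == uid]:
        del state.sessions[token]


def _as_bool(value):
    # Some IdPs send SCIM booleans as strings ("False"); normalize defensively.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def scim_patch_user(state, uid, body):
    """Handle SCIM PATCH /Users/{id}. A replace of `active` to false deprovisions the
    user and revokes their sessions, closing the gap that SSO alone leaves open."""
    if SCIM_PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("unsupported PATCH schema")
    user = state.users[uid]
    for op in body.get("Operations", []):
        if op.get("op", "").lower() != "replace":
            continue  # add/remove ops on other attributes are out of scope here
        value = op.get("value")
        if op.get("path") == "active":
            user.active = _as_bool(value)
        elif op.get("path") is None and isinstance(value, dict) and "active" in value:
            user.active = _as_bool(value["active"])  # path-less form: {"active": false}
    if not user.active:
        revoke_sessions(state, uid)
    return user


def scim_delete_user(state, uid):
    """Handle SCIM DELETE /Users/{id}: revoke sessions first, then remove the record."""
    revoke_sessions(state, uid)
    del state.users[uid]
    return uid not in state.users
```

The security-relevant line is the `revoke_sessions` call inside the SCIM handlers: marking the user inactive is not enough on its own if `check_session` only consults the session table, so the handler both flips the flag and deletes the tokens, and `check_session` re-checks `active` as a second line of defence.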



