
What does deprovisioning mean? Top benefits and IdP strategies

Learn the meaning of being deprovisioned, best practices for the process, and how various identity providers handle it.


Every employee account left active after employment ends or a role changes is a potential backdoor for unauthorized access, data leaks, or security breaches.

That’s why deprovisioning is extremely important — this process revokes users’ access when they no longer need it.

In this article, we'll discuss:

  • What is deprovisioning and what are its benefits
  • How automated provisioning systems simplify deprovisioning
  • How various identity providers handle deprovisioning
  • Best practices for secure and effective deprovisioning

First, let’s clarify what being deprovisioned means.

What does deprovisioned mean?

Deprovisioning means removing access from users when they no longer need it. It involves disabling user accounts and access to applications and data.

The meaning of deprovisioning is the exact opposite of another component of user lifecycle management, provisioning, which means granting users access to apps or services.

Why bother with deprovisioning accounts?

Deprovisioning benefits both you, the SaaS provider, and your end customers.

For your customer, deprovisioning means:

  • Increased security: By immediately revoking access for former employees, organizations reduce the risk of data breaches or account takeovers. Whether it’s an email inbox that could contain sensitive information or system permissions tied to critical infrastructure, deprovisioning ensures access ends when it's no longer needed.
  • Cost savings: When organizations correctly deprovision users, they stop paying for things like user licenses and storage that nobody is using – they save money by only paying for what they actually use.
  • Compliance: Regulations like GDPR require organizations to keep personal data only for as long as necessary. Deprovisioning and account wiping help companies meet these requirements and avoid penalties.

For you (the service provider), deprovisioning means:

  • Improved security: Removing inactive user accounts reduces the risk of breaches and narrows your system’s attack surface. By eliminating unused credentials, you protect against exploits that leverage old passwords.
  • Easier to close deals: Supporting deprovisioning, especially if automated, in your app addresses critical operational, security, and compliance needs for potential clients. It’s much easier to close deals if your app doesn’t add significant admin overhead for your customers’ teams and demonstrates a commitment to security.
  • Lower support costs: Effective deprovisioning can also reduce the volume of support requests related to access management and security issues. Fewer support incidents mean lower support costs and a better overall customer experience, as customers encounter fewer problems related to unauthorized access or compromised accounts.

What are automated provisioning systems?

Deprovisioning can be handled manually or automatically using automated provisioning systems.

Manual deprovisioning involves admins manually disabling logins and revoking permissions and access for each system and application one by one. Unsurprisingly, this is extremely time-consuming and notoriously error-prone. By contrast, automated provisioning systems connect directly to each system and app in a company’s IT estate via API integrations and make all these changes automatically.

Identity providers (IdPs) like Okta, Ping Identity, and Microsoft Entra (formerly Azure AD) offer automated deprovisioning.

Disabling access

When an admin disables the account in the IdP, the IdP communicates the deprovisioning event to connected systems (Service Providers or SPs) via APIs or the SCIM protocol. This triggers account deactivation or deletion in those downstream systems.

Revoking permissions

The user’s credentials (e.g., passwords, tokens, session cookies) are invalidated or marked as inactive. If Single Sign-On (SSO) is used, the IdP ends the user’s SSO session so they can no longer start new logins. Note that sessions, refresh tokens, and API keys already issued by a downstream app are not terminated by the IdP; the app has to treat the deprovisioning event as its signal to revoke them. Plus, if the user belongs to specific groups (e.g., admins, managers), deprovisioning will remove them from those groups, revoking all inherited permissions.

Some of the main benefits of automated provisioning include:

  • Increased accuracy: By eliminating the need for manual intervention, automated systems decrease the likelihood of errors, such as forgotten account deactivations.
  • Scalability: As a company grows, its employees and apps multiply, making manual access management inefficient and error-prone. Automated provisioning systems can effortlessly handle these growing numbers without overburdening admins.
  • Security: Automated provisioning systems respond quickly to changes in access rights – you don’t have to worry about employees having access to critical resources long after they’ve left the company or switched roles.

Best practices for deprovisioning

To effectively deprovision users, follow these best practices:

  • Have clearly defined deprovisioning policies and procedures that cover various scenarios like employee termination, role changes, or extended leave.
  • Use automated IAM solutions to enforce deprovisioning policies. Automation reduces errors and ensures rapid account revocation.
  • Regularly audit deprovisioned accounts to confirm that access remains revoked. These reviews should be conducted at regular intervals and whenever significant changes occur within the organization, such as restructurings or mergers.
  • To properly deprovision users, be sure to cut off access at the system level, delete or disable all accounts, terminate live sessions, and review and revoke any leftover permissions and credentials that live outside the IdP (API keys, personal access tokens, SSH keys, shared passwords).
  • Keep records of all deprovisioning events for auditing purposes. Records should include who performed the deprovisioning, when, and which access was revoked.
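The "regularly audit deprovisioned accounts" and "review leftover permissions" practices above are easiest to enforce as a reconciliation job that compares what the IdP says against what your app still allows. The following is an added example, not code from WorkOS or from any IdP; the input lists are constructed to stand in for a SCIM /Users export and your own account table, and the field names (`externalId`, `tokens`, `last_session`) are assumptions.

```python
"""Reconcile SP accounts against the IdP directory and report access that should be gone.

Added example (not from the page or any vendor). Inputs are constructed:
IDP_USERS mimics a SCIM /Users listing, SP_ACCOUNTS mimics the app's own table.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so a run is reproducible; a real job would use datetime.now(timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed: the IdP's view. Only 'active' users should retain access.
IDP_USERS = [
    {"externalId": "e1", "userName": "alice@example.com", "active": True},
    {"externalId": "e2", "userName": "bob@example.com", "active": False},   # deprovisioned at the IdP
    {"externalId": "e5", "userName": "erin@example.com", "active": True},
    # e3 (carol) has no IdP record at all: hard-deleted there
    # e4 (dave) never existed in the IdP: a local account
]

# Constructed: the app's view, including leftovers a naive deprovisioning step misses.
SP_ACCOUNTS = [
    {"externalId": "e1", "active": True,  "tokens": 1, "last_session": NOW - timedelta(days=1)},
    {"externalId": "e2", "active": True,  "tokens": 2, "last_session": NOW - timedelta(days=3)},
    {"externalId": "e3", "active": False, "tokens": 1, "last_session": NOW - timedelta(days=40)},
    {"externalId": "e4", "active": True,  "tokens": 0, "last_session": NOW - timedelta(days=120)},
    {"externalId": "e5", "active": True,  "tokens": 0, "last_session": NOW - timedelta(days=100)},
]


def reconcile(idp_users, sp_accounts, now=NOW, dormant_after=timedelta(days=90)):
    """Return findings as (severity, externalId, reason), in SP account order."""
    idp = {u["externalId"]: u for u in idp_users}
    findings = []
    for acct in sp_accounts:
        ref = idp.get(acct["externalId"])
        if acct["active"]:
            if ref is None:
                # Access with no authoritative owner: the classic orphan account
                findings.append(("high", acct["externalId"], "active in SP but absent from IdP"))
            elif not ref["active"]:
                # The deprovisioning event was missed or not enforced
                findings.append(("high", acct["externalId"], "active in SP but deactivated in IdP"))
            elif now - acct["last_session"] > dormant_after:
                findings.append(("low", acct["externalId"], "dormant account"))
        elif acct["tokens"]:
            # Disabled login but long-lived credentials still valid: the "leftover permissions" case
            findings.append(("medium", acct["externalId"],
                             f"deactivated but {acct['tokens']} token(s) still issued"))
    return findings


if __name__ == "__main__":
    for severity, ext_id, reason in reconcile(IDP_USERS, SP_ACCOUNTS):
        print(f"[{severity}] {ext_id}: {reason}")
```

The job is deliberately read-only: it produces findings for a human or a ticketing system rather than revoking access itself, so a bad IdP export (for example an empty list after an outage) cannot turn into a mass lockout.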

How do different IdPs handle deprovisioning?

Many IdPs use the System for Cross-domain Identity Management (SCIM) protocol to enable deprovisioning. SCIM 2.0 (RFC 7643 and RFC 7644) defines a common schema for user attributes (like names, email addresses, roles, and an active flag) and a REST-style API, using HTTP GET, POST, PUT, PATCH, and DELETE against /Users and /Groups endpoints, for exchanging user profile data between IdPs and SPs.

It allows the IdP to communicate with many SaaS apps and push or pull user profile changes. With SCIM deprovisioning, when an admin disables an account in the IdP, the IdP makes a deprovisioning request to your app, which responds by deactivating the user’s account.

While the SCIM protocol is standardized, it still leaves room for interpretation, meaning different IdPs may approach user deprovisioning differently.

Below are some common approaches.

Changing user attributes from active to inactive

Some identity providers, like Okta, deprovision users by setting their active attribute from true to false. In this case, the user account is disabled, effectively preventing the user from logging in while retaining the account data for audit or reactivation purposes. The SP has to enforce that flag on every login and session check, not just store it, for the disablement to actually take effect.

Removing users from groups

Groups are collections of users who share the same rights. Users assigned to groups automatically inherit the permissions associated with that group. During deprovisioning, IdPs will remove the user from the group to ensure they no longer have access or permissions associated with those groups.

Deleting user account data

Some IdPs like JumpCloud allow permanent deletion of user accounts during deprovisioning, sending a SCIM DELETE rather than a deactivation. This process removes all traces of the user's account and data, so any audit record of the deprovisioning event must be kept separately from the user record itself.
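The three approaches above (flipping active to false, stripping group membership, and hard deletion) all land on the SP as SCIM requests against /Users/{id}. The following is an added example of the SP-side handler, not code from WorkOS, Okta, JumpCloud, or the page; it keeps users in an in-memory store, and the `Store`, `User`, and `AuditLog` layout and function names are assumptions made for illustration. It also shows the one idiosyncrasy that bites most implementers: some IdPs send the boolean active value as the string "False", which a naive truthiness check would read as true.

```python
"""SP-side handling of SCIM 2.0 deprovisioning requests.

Added example (not WorkOS code and not any IdP's reference implementation).
In-memory store; the dataclasses and function names are assumptions.
"""
import time
from dataclasses import dataclass, field


@dataclass
class User:
    id: str
    user_name: str
    active: bool = True
    groups: set = field(default_factory=set)
    sessions: set = field(default_factory=set)     # live session ids issued by this app
    api_tokens: set = field(default_factory=set)   # long-lived tokens issued by this app


@dataclass
class Store:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)      # kept apart from user records so DELETE cannot erase it

    def record(self, actor, action, user_id, detail):
        # Best-practice record: who, what, to whom, when, and which access was revoked
        self.audit.append({"ts": time.time(), "actor": actor,
                           "action": action, "user": user_id, "detail": detail})


def as_scim_bool(value):
    """Normalise the SCIM 'active' value.

    RFC 7643 defines 'active' as a boolean, but some IdPs send "True"/"False"
    strings in PATCH bodies. bool("False") is True, so parse explicitly.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"not a SCIM boolean: {value!r}")


def deactivate(store, user, actor):
    """The 'active: false' path: keep the record, but close every way in."""
    revoked = {"sessions": len(user.sessions), "api_tokens": len(user.api_tokens),
               "groups": sorted(user.groups)}
    user.active = False
    user.sessions.clear()      # existing logins stop working now, not at next login
    user.api_tokens.clear()    # the IdP cannot revoke these for you
    user.groups.clear()        # inherited permissions go with the memberships
    store.record(actor, "deactivate", user.id, revoked)
    return revoked


def handle_scim(store, method, user_id, body=None, actor="scim:idp"):
    """Dispatch a SCIM request for /Users/{id}. Returns (status, response body)."""
    user = store.users.get(user_id)
    if user is None:
        return 404, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"], "status": "404"}
    if method == "DELETE":
        # Hard delete: revoke first so nothing survives in session/token tables, then remove
        deactivate(store, user, actor)
        del store.users[user_id]
        store.record(actor, "delete", user_id, {})
        return 204, None
    if method == "PUT":
        # Full-resource replace; a missing 'active' is treated as "no change", not as false
        if "active" in body and not as_scim_bool(body["active"]):
            deactivate(store, user, actor)
    elif method == "PATCH":
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                continue
            path, value = op.get("path"), op.get("value")
            # Both shapes occur: {"path": "active", "value": false} and {"value": {"active": false}}
            if path is None and isinstance(value, dict) and "active" in value:
                path, value = "active", value["active"]
            if path == "active":
                if as_scim_bool(value):
                    user.active = True
                    store.record(actor, "reactivate", user.id, {})
                else:
                    deactivate(store, user, actor)
    else:
        return 405, None
    return 200, {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
                 "id": user.id, "userName": user.user_name, "active": user.active}
```

Whatever the IdP sends, the handler funnels every deactivation through `deactivate`, so session and token revocation cannot be skipped by one code path, and the audit entry is written before a DELETE removes the record.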

Note that instead of SCIM provisioning, some companies may also use Just-in-Time (JIT) provisioning. When a user logs in, their attributes are included in the SAML assertion sent by the IdP, and the SP creates or updates their account. The issue with JIT is that it only runs when the user logs in: there is no login event for a user who has been removed, so the IdP has no way to tell the SP to revoke access. Disabling the user at the IdP blocks new SSO logins, but the SP account, its sessions, and any API tokens stay valid until someone cleans them up. SCIM is the better choice for deprovisioning.

For more info on the differences between the SCIM implementations of identity providers, see SCIM challenges: navigating the idiosyncrasies of different providers.

Next steps with automatic deprovisioning 

Deprovisioning is a key part of managing user identities and access in your customer’s organization. By automating the process, they save tons of admin time and minimize security risk compared to manual approaches.

To connect to your customers’ identity providers and allow them to automatically deprovision users from your app, use Directory Sync by WorkOS.

  • Get started fast: With SDKs for every popular platform and Slack-based support, you can implement Directory Sync in minutes rather than weeks.
  • Events-based processing: WorkOS’s Events API means every SCIM request is processed in order and in real time. You’ll never miss a provisioning request again.
  • Pricing that makes sense: Unlike competitors who price by monthly active users, WorkOS charges a flat rate for each company you onboard — whether they’re syncing 10 or 10,000 users with your app.

Explore Directory Sync by WorkOS.
