A Practitioner’s Guide to Identity Security: One Challenge, Many Paths
Identity security has one universal challenge: bringing consistency across a messy, diverse application landscape.
Some applications integrate smoothly with out-of-the-box connectors. Others advertise SCIM or SAML but only partially implement them. Many expose APIs that look different from each other, and some don’t expose APIs at all. Shadow IT adds even more complexity by introducing apps that bypass IAM entirely.
For practitioners, this isn’t a single problem with a single solution. It’s a spectrum of challenges, each requiring a different path. The measure of success isn’t how many apps you’ve onboarded or how deep the integration goes. The real north star is risk reduction:
- Every app behind SSO.
- Reliable disable paths everywhere.
- Applying the right strategy for each app type to shrink risk quickly, even when integrations vary in depth.
This guide lays out practical patterns that practitioners can apply to make identity security real — tackling one challenge at a time, across many paths.
Step 1: Establish the Security Baseline
Identity programs need a strong foundation before they try to scale. That foundation is simple but non-negotiable:
SSO for every app
- Use SAML or OIDC to bring authentication under IdP control.
- Enforce MFA, device posture, and conditional access at login.
JIT (Just-in-Time) account provisioning where supported
- The fastest way to bootstrap accounts.
- Keep claims minimal (
uid,email,displayName,groups/roles). - But remember: JIT alone doesn’t cover leavers.
Disable-only connectors
- Pair JIT with a disable-only connector so every app has a termination path.
- Implement disable using
active=false, suspend endpoints, or group removal. - Always perform a read-back check.
This baseline ensures authentication and termination controls across the estate. Even if nothing else is in place, you’ve materially reduced risk.
Step 2: Extend with Thin Provisioning (Update + Disable)
Once the baseline is in place, layer in a thin provisioning model — enough to keep lifecycle data trustworthy without drowning in entitlement sprawl:
- Update profile attributes (email, manager, department).
- Disable accounts (must-have).
- Create if JIT isn’t supported.
- Group/role assignments if they drive direct authorization.
Keep it lean: 5–10 canonical attributes (uid, userName, email, displayName, managerId, active, groups).
This thin layer keeps your identity data fresh and ensures disables always work — the two most important levers for security.
Step 3: Prioritize by Risk, Not Quantity
Too many IAM programs track “apps onboarded” as the primary success metric. That’s the wrong game.
The right question is: Which risky apps are behind SSO and have reliable disable paths?
Build a simple risk × deployability matrix:
Risk factors
- Compliance scope (SOX, HIPAA, PCI).
- Business criticality.
- Privileged surface (admin roles, production data).
- External exposure (internet-facing).
Deployability factors
- Integration surface (SCIM = easy, custom API = medium, file/manual = hard).
- Schema complexity (light vs. heavy customization).
- App owner readiness (engaged vs. absent).
- Security dependencies (MFA exemptions, IP allow lists).
Score, sort, and focus. High-risk + high-deployability apps first.
📊 Measure success by risk reduction, not counts:
- % of high-risk apps behind SSO.
- % with reliable disable paths.
- Time-to-disable (p95).
Step 4: Patterns for Rapid Onboarding
Different app types demand different strategies. Here’s how practitioners can approach each.
🔹 Pre-Built Connectors (OOTB)
Some connectors are truly plug-and-play. Others only cover CRUD. Custom-heavy apps (Salesforce, SAP, Workday) always stretch timelines.
What to do:
- Prioritize apps where the connector really is 100% OOTB.
- For partial connectors, don’t wait — go live with SSO + CRUD, add entitlements later if they reduce risk.
- Run a quick customization assessment with app owners before starting.
🔹 Standards-Based (SCIM, SAML, OIDC)
Standards are inconsistently implemented. SCIM endpoints often lack disable or group operations. SAML/OIDC claims frequently miss group or role data.
What to do:
- Always start with SSO.
- Pair JIT with a disable-only connector so lifecycle gaps are closed.
- Normalize quirks with a SCIM wrapper (see my deep dive on the SCIM Acceleration Gateway).
- Use claim templates for consistency.
- Tier rollout: SSO → SCIM update/disable → entitlements later.
🔹 Non-Standard APIs (REST, GraphQL, SOAP)
Every app is a new dialect: auth, schemas, pagination, error codes. Lifecycle is often incomplete (create but no disable).
What to do:
- Use a SCIM-lite facade: expose only the minimum ops IAM really needs — Create, Update, Disable, Group assign. Think of it as a translator.
- Keep attribute mappings lean.
- Define a single disable strategy (endpoint, status flag, or group removal) and verify with a read-back.
- Normalize errors:
404= not found,409= conflict,429/5xx= retryable. - Roll out in tiers: SSO + CRUD first, entitlements later.
🔹 No-API / Isolated Systems
Some apps don’t expose APIs, or policy forbids integration. Historically handled with CSV/SFTP or manual changes.
What to do: Agent-first approach: Deploy a dedicated agent machine to act like a human admin.
- With CLI/SDK apps: run vendor CLIs (e.g., Oracle, SAP) or SDKs.
- With DB-backed apps: execute approved stored procedures for create/disable.
- With thick-client apps: use COM/ODBC automation hooks.
- As a last resort: controlled RPA platforms (UiPath, Power Automate) to drive UIs.
- Orchestration frameworks (Rundeck, Airflow, SaltStack) can also serve as IAM-connected agents.
If agents aren’t possible → file + ticket: Integrate IAM with ITSM so lifecycle events auto-generate tickets. App admins perform the change, close the ticket, and IAM reconciles next cycle.
Last resort: Manual tickets directly to admins. Not fast, but auditable.
Agents turn “no-API” systems into something that behaves like an API target. When not possible, file + ticket workflows at least keep lifecycle changes governed.
🔹 Unmanaged SaaS (Shadow IT)
Business units adopt apps outside IAM. IAM discovers them only after usage is entrenched.
What to do:
- Discover early with CASB, MDM, SSO logs, and proxy/firewall telemetry.
- Enforce a baseline policy: no app goes live without SSO.
- Provisioning can follow later — authentication and visibility must come first.
Step 5: Guardrails for Sustainable Speed
Speed is only valuable if it’s safe. Build these guardrails into every integration:
- Verification: Always read-after-write.
- Reconciliation: Scheduled jobs for high-risk apps; auto-open exceptions when drift is found.
- Secrets & identity: Vault credentials, use service principals, enforce least privilege.
- Change safety: Canary rollouts, rate limits, circuit breakers.
- Auditability: Log every transaction with correlation IDs; record before/after states (non-PII).
Step 6: Metrics That Matter
Success = risk reduced, not vanity counts. Track:
- % of high-risk apps behind SSO.
- % with reliable disable paths.
- Time-to-disable (p95).
- Drift rate (orphaned/over-entitled accounts).
- Change failure rate.
Step 7: Anti-Patterns to Avoid
- Waiting for “perfect” entitlements before shipping SSO + disable.
- Over-normalizing schemas.
- Depending on fragile UI bots without policy support.
- Ignoring disable semantics.
- Counting “apps onboarded” as success.
Closing Thought
Identity security is not one problem with one solution. It’s a collection of challenges, each requiring a different path:
- SSO + JIT + disable-only connectors to secure the environment fast.
- Thin provisioning (update + disable) to keep lifecycle trustworthy.
- Risk-based prioritization to focus effort where it matters most.
- SCIM wrappers, SCIM-lite facades, and agents to extend IAM’s reach across inconsistent app landscapes.
- File and ticket workflows as the fallback when nothing else is possible.
The programs that succeed don’t chase app counts. They focus on whether the riskiest apps are behind SSO and have reliable disable paths. That’s what reduces risk.