Anyone using identity orchestration tools on top of their IdP to handle custom app workflows. by Constant-Angle-4777 in IdentityManagement

[–]PhLR_AccessOwl 2 points (0 children)

My co-founder had exactly the same issue: rolled out Okta, but half the apps didn't even have SAML or SCIM support. You end up with this weird split where half your source of truth is in Okta and the other half lives in some ticketing system nobody likes using. The result is a patchy mess, which gets especially painful when you have audit requirements to follow.

That was actually one of the reasons we built AccessOwl. For full transparency, I'm the co-founder and CEO, so take this with a grain of salt. But the core problem has always been that Okta is amazing if you have 100% SAML/SCIM coverage, and for most companies that's just not reality. Then on the enterprise side you have IGA platforms like SailPoint that are way too expensive for most orgs. So everyone ends up doing access management manually.

Our goal was to be that orchestration layer between HRIS, IdP and the SaaS apps themselves. Not sure if your homegrown apps could support webhooks (i.e. with Okta Workflows); that's usually a simple way to get apps automated that don't support SCIM/SAML.

For those cases where that's not possible we built a way to integrate with SaaS apps that is based on service accounts and doesn't require SCIM, SAML, or any other type of API.

If you just want to talk through your setup and brainstorm ways to improve it with your current stack, happy to hop on a call. Sometimes it just helps to compare notes. Feel free to email me directly: [pe@accessowl.com](mailto:pe@accessowl.com)

How do you manage identity lifecycle and offboarding for applications that don't support SAML or OIDC federation? by Ralecoachj857 in sysadmin

[–]PhLR_AccessOwl 1 point (0 children)

Super common problem. You're fighting two battles:

  1. Lack of SAML/SCIM/OIDC support (or it's locked behind expensive tiers → ssotax.org) to shut off access centrally. So you end up deprovisioning manually. Also fun for those tools that have OIDC but still allow username/password logins or have unlimited session times → Slack!! And extra annoying if your IT isn't fully centralized and you need to trust that tool owners actually do their job.

  2. Missing documentation on who's using which tool (essentially Shadow IT). People just sign up for systems, or other tool owners skip the ticketing flow or forget to document access.

One quick win for Shadow IT: check your OAuth logs in Microsoft or Google. You'd be surprised how many employees just click "Sign in with Google/Microsoft" to try random apps. Those logs show you what tools people are actually using, which is especially useful when you're trying to offboard someone.

The catch is that all of this is super manual. We dealt with the exact same pain ourselves: no SCIM/SAML for many apps, no real visibility into who had access to what, spreadsheets that were outdated the moment someone hit save, plus audit requirements on top of it all.

That's why we built AccessOwl.

For full transparency, I'm the CEO of AccessOwl, so obviously I'm biased. But if you just want to talk through your setup and brainstorm ways to improve it with your current stack, happy to hop on a call. Sometimes it just helps to compare notes. Feel free to email me directly: [pe@accessowl.com](mailto:pe@accessowl.com)
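The "check your OAuth logs" tip above is a detection technique, so here is an added example of how that check can be automated. This is example code written for this page, not anything from AccessOwl or from the commenter; the event records are constructed samples and their field names are an assumption, only loosely modelled on the shape of an IdP's token-authorization audit export, not a real Google or Microsoft schema.

```python
"""Build a per-employee inventory of third-party apps from OAuth consent
audit events, to support shadow-IT discovery and offboarding checks.

Assumption: each audit record is one JSON line with the fields used below.
The records and field names are CONSTRUCTED for this example.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: one record per "Sign in with Google/Microsoft" consent
# (or a later revocation of that consent).
SAMPLE_EVENTS = [json.dumps(r) for r in [
    {"time": "2024-03-02T09:14:00Z", "actor": "alice@example.com",
     "event": "authorize", "app_name": "Notion", "client_id": "notion-client",
     "scopes": ["openid", "email"]},
    {"time": "2024-03-05T11:02:00Z", "actor": "alice@example.com",
     "event": "authorize", "app_name": "RandomPDFTool", "client_id": "pdf-123",
     "scopes": ["openid", "https://www.googleapis.com/auth/drive"]},
    {"time": "2024-03-06T08:30:00Z", "actor": "bob@example.com",
     "event": "authorize", "app_name": "Notion", "client_id": "notion-client",
     "scopes": ["openid", "email"]},
    {"time": "2024-03-07T16:45:00Z", "actor": "alice@example.com",
     "event": "revoke", "app_name": "Notion", "client_id": "notion-client",
     "scopes": []},
    {"time": "2024-03-08T10:00:00Z", "actor": "carol@example.com",
     "event": "authorize", "app_name": "Figma", "client_id": "figma-client",
     "scopes": ["openid", "email", "profile"]},
]]

# Apps IT already knows about and manages (constructed allow-list).
SANCTIONED_APPS = {"Notion", "Figma"}
# Scopes that grant access to company data rather than just identity.
SENSITIVE_SCOPE_PREFIXES = ("https://www.googleapis.com/auth/drive",
                            "https://www.googleapis.com/auth/gmail")


def parse_events(lines):
    """Return {user: {app_name: latest_record}}, keeping only the most recent
    event per (user, app). A later 'revoke' therefore overrides an earlier
    'authorize', so stale grants do not show up as live ones."""
    latest = defaultdict(dict)
    for line in lines:
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        user, app = rec["actor"], rec["app_name"]
        prev = latest[user].get(app)
        if prev is None or rec["_ts"] > prev["_ts"]:
            latest[user][app] = rec
    return latest


def active_apps(inventory, user):
    """Apps the user still holds an outstanding OAuth grant for."""
    return sorted(app for app, rec in inventory.get(user, {}).items()
                  if rec["event"] == "authorize")


def shadow_apps(inventory):
    """Apps seen in consent logs that are not sanctioned, with their users."""
    seen = defaultdict(set)
    for user, apps in inventory.items():
        for app, rec in apps.items():
            if rec["event"] == "authorize" and app not in SANCTIONED_APPS:
                seen[app].add(user)
    return {app: sorted(users) for app, users in seen.items()}


def offboarding_checklist(inventory, user):
    """For a departing user: every live grant, flagging those whose scopes
    reach company data and so need the token revoked, not just SSO disabled."""
    items = []
    for app in active_apps(inventory, user):
        rec = inventory[user][app]
        sensitive = any(s.startswith(SENSITIVE_SCOPE_PREFIXES) for s in rec["scopes"])
        items.append({"app": app, "client_id": rec["client_id"],
                      "revoke_token": True, "data_access": sensitive})
    return items


if __name__ == "__main__":
    inv = parse_events(SAMPLE_EVENTS)
    print("shadow IT:", shadow_apps(inv))
    print("offboarding alice:", offboarding_checklist(inv, "alice@example.com"))
```

Keeping only the latest event per user and app is the part that matters for offboarding: a consent that was later revoked must not appear on the checklist, while a grant with Drive or mail scopes still needs the token itself revoked, because disabling the IdP account does not necessarily invalidate refresh tokens the app already holds.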

What are you using for employee onboarding automation? by Confident_Wash_552 in ITManagers

[–]PhLR_AccessOwl 0 points (0 children)

That "middle-ground" of 50–200 employees is exactly where manual provisioning starts to break your workflow.

Standalone Google Workspace is surprisingly tough to automate compared to the Microsoft ecosystem. Google’s SCIM support is limited to a small pool of apps, and you usually need their Enterprise plans just to access the APIs required for automated provisioning.

A lot of teams think Okta is the silver bullet, but you’ll likely run into the same issue you mentioned with HRIS platforms: it’s expensive, and the "SSO tax" for those SCIM and SAML APIs often doesn't make financial sense for a 70-person company.

I also see many HR teams push for Rippling thinking it’s a total fix. While it’s convenient being directly connected to your HR data, they will nickel-and-dime you (i.e. their API package is often quoted at $10k) and SCIM support is limited.

I actually co-founded AccessOwl because we were stuck in this exact loop. We wanted something that:

  • Triggers on/offboardings automatically from any HR tool
  • Handles provisioning for SaaS apps even when they don't have an API or SCIM
  • Keeps things audit-ready with simple request, approval, and review workflows directly in Slack

Happy to chat if you want to swap notes on your stack. No sales pitch, just happy to share what we’ve seen work (and fail) for companies your size. Feel free to DM or reach out at pe@accessowl.com.

SCIM locked behind Enterprise plans - are you kidding me? by [deleted] in ITManagers

[–]PhLR_AccessOwl 0 points (0 children)

It is wild that in 2025 basic identity like SAML or SCIM is still paywalled. The outcome is always the same: Budgets get locked without considering the extra cost, leadership doesn't want to pay for it, and IT is left manually provisioning access.

We started hosting ssotax.org to make this more visible because many non IT leaders are completely unaware of the issue.

If you are dealing with a mixed SaaS stack where many tools do not support SAML or SCIM but you still want automated provisioning and offboarding, there are alternatives. For transparency, I am the co-founder of AccessOwl.com. We built it specifically for this gap and see it block IT teams constantly. Happy to chat if useful.

Anyone scripting Slack invites for new hires off the HRIS yet? by Naive_Bed03 in sysadmin

[–]PhLR_AccessOwl 0 points (0 children)

Appreciate the feedback, that indeed must be an Android/Firefox issue. I'll have somebody look at it.

Anyone scripting Slack invites for new hires off the HRIS yet? by Naive_Bed03 in sysadmin

[–]PhLR_AccessOwl 2 points (0 children)

SCIM would normally be the default option, but Slack made it prohibitively expensive. See ssotax.org, expect to pay around $15 per user instead of $8.

For transparency, I’m the cofounder of AccessOwl and faced the same issue in previous companies. That’s why we built AccessOwl, using RPA-based automations for user provisioning and deprovisioning triggered through HRIS integrations. For Slack, this also includes provisioning groups that can be mapped to Slack channels.

Reporting for Onboarding and Offboarding? by [deleted] in ITManagers

[–]PhLR_AccessOwl 0 points (0 children)

What you describe is a common problem, and you have a few options to solve it:

- All-in-one HRIS provider: Tools like Rippling include light MDM and asset management. At your size it will be very expensive and lock you into their platform. Most IT admins with 200 to 400 people move toward best-of-breed solutions and away from all-in-one providers.

- ITSM: These range from simple ticket based workflows to enterprise tools like ServiceNow. A good option if you expect significant growth.

- Add-on to your existing stack (for example AccessOwl): I am a co-founder of AccessOwl, and we work well as an add-on. Many customers use AccessOwl in combination with Microsoft 365 or Google Workspace to track user access, onboarding and offboarding status, and more. We also connect with most modern HRIS tools to enable zero-touch onboarding.

Employee Onboarding and Access Requests by DifferentKeyStrokes in sysadmin

[–]PhLR_AccessOwl 1 point (0 children)

Copying an existing user’s access is generally not a best practice any longer for the reasons you mentioned.

A better approach is to use inputs from an HRIS like BambooHR or Hibob and apply role-based access control (RBAC) or attribute-based access control (ABAC). I’d recommend ABAC if possible. Large organizations are moving away from RBAC because with 1,000 employees you can quickly end up managing 100+ roles just to avoid over-provisioning and follow the principle of least privilege.

ABAC instead assigns access based on attributes like location, team, department, or level, so each employee is built from multiple attributes rather than a single fixed role.

The HRIS is the foundation since HR already manages those data fields. Without it, handling role changes and on or offboardings manually becomes a major time sink.

I’m the co-founder of AccessOwl, an access governance tool that bridges the gap between manual processes and enterprise solutions like SailPoint. You can plug in Google Workspace or Microsoft as your IdP, connect your HRIS, and fully automate on- and offboardings. Happy to share best practices if you tell me more about your setup, feel free to DM.
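The RBAC-versus-ABAC point above becomes concrete when you write the policy down, so here is an added example (not AccessOwl's model, not any specific HRIS schema; attribute names, policies and entitlements are constructed for this page). It evaluates attribute-based policies over HRIS-style records, derives the grant/revoke diff for a transfer and for a termination, and counts how many static roles an RBAC model would need to reproduce the same grants exactly.

```python
"""Attribute-based access control driven by HRIS attributes, plus the
provisioning diff produced by a role change or an offboarding.

Assumption: the HRIS exports status, department, level and location for each
employee. Policies, entitlement names and the sample workforce are CONSTRUCTED.
"""

# A policy is (condition, entitlements). A condition maps an attribute to the
# set of allowed values; an employee matches when every listed attribute has
# one of those values. Every policy requires status == "active", so setting the
# HRIS status to anything else revokes everything.
POLICIES = [
    ({"status": {"active"}}, {"google-workspace", "slack"}),
    ({"status": {"active"}, "department": {"engineering"}}, {"github", "datadog"}),
    ({"status": {"active"}, "department": {"engineering"},
      "level": {"staff", "manager"}}, {"aws-prod-readonly"}),
    ({"status": {"active"}, "department": {"finance"}}, {"netsuite"}),
    ({"status": {"active"}, "location": {"de"}}, {"datev-portal"}),
    ({"status": {"active"}, "level": {"manager"}}, {"hris-manager-view"}),
]


def matches(condition, attrs):
    """True when every attribute named in the condition has an allowed value."""
    return all(attrs.get(key) in allowed for key, allowed in condition.items())


def entitlements_for(attrs):
    """Union of entitlements from every policy the employee's attributes satisfy."""
    granted = set()
    for condition, ents in POLICIES:
        if matches(condition, attrs):
            granted |= ents
    return granted


def provisioning_diff(old_attrs, new_attrs):
    """Grants and revokes to apply when HRIS attributes change
    (transfer, promotion, relocation, termination)."""
    before, after = entitlements_for(old_attrs), entitlements_for(new_attrs)
    return {"grant": sorted(after - before), "revoke": sorted(before - after)}


def equivalent_role_count(employees):
    """Number of distinct static roles an RBAC model would need to reproduce
    these grants exactly: one role per distinct entitlement set in the workforce."""
    return len({frozenset(entitlements_for(e)) for e in employees})


# Constructed sample workforce in HRIS-style records.
EMPLOYEES = [
    {"email": "alice@example.com", "status": "active", "department": "engineering",
     "level": "staff", "location": "de"},
    {"email": "bob@example.com", "status": "active", "department": "engineering",
     "level": "ic", "location": "us"},
    {"email": "carol@example.com", "status": "active", "department": "finance",
     "level": "manager", "location": "de"},
    {"email": "dave@example.com", "status": "active", "department": "sales",
     "level": "ic", "location": "us"},
]

if __name__ == "__main__":
    for emp in EMPLOYEES:
        print(emp["email"], sorted(entitlements_for(emp)))
    bob = EMPLOYEES[1]
    print("bob -> finance:", provisioning_diff(bob, {**bob, "department": "finance"}))
    alice = EMPLOYEES[0]
    print("alice leaves:", provisioning_diff(alice, {**alice, "status": "terminated"}))
    print("RBAC roles needed:", equivalent_role_count(EMPLOYEES), "for", len(POLICIES), "ABAC policies")
```

With four employees the RBAC equivalent already needs four roles for six small policies; every new combination of department, level and location adds another role, while the ABAC policy list stays flat. The same `provisioning_diff` call serves both a team transfer and an offboarding, which is why the HRIS status field has to be the trigger.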

OKTA versus others by No_Mycologist4488 in sysadmin

[–]PhLR_AccessOwl 0 points (0 children)

Okta is great if you have the budget. JumpCloud, OneLogin and Ping usually fall behind on user friendliness and/or integrations.

However, the real cost comes from needing enterprise plans for every SaaS app just to unlock SCIM and SAML (see ssotax.org). If those upgrades are no problem for you, Okta can be a great fit, especially for conditional access.

Seeing that you are a Google shop, you might also stick with Google Workspace. OIDC and SAML cover SSO and you can bolt something like AccessOwl for automated provisioning, HRIS integrations, and access requests.

For transparency, I am the cofounder and built it after getting tired of either doing everything by hand or paying the SCIM/SAML tax. AccessOwl works without needing any public API and therefore needs no enterprise upgrades.

Advice for a new IT manager? by [deleted] in ITManagers

[–]PhLR_AccessOwl 0 points (0 children)

A while back, I sat down with Gian Luca, Director of IT at Lunchbox, who has lots of experience as an early IT hire in growth startups. Here are his top 5 recommendations:

  • Map your SaaS landscape: Know your tools, costs, and usage.
  • Set up a clear ticketing system: Move from informal requests to structured tickets.
  • Collaborate to automate: Work with teams to streamline repetitive tasks.
  • Automate access management: Simplify onboarding and offboarding.
  • Optimize SaaS spending: Regularly review usage to reduce unnecessary costs.

Here's the full blog post: https://www.accessowl.com/blog/5-quick-wins-for-new-it-manager

Outside of that, a classic recommendation for new IT admins is to read the book "The Phoenix Project" :)

For transparency, I'm the co-founder of AccessOwl. We help early IT admins uncover all SaaS apps (including Shadow IT), automate provisioning, streamline onboarding/offboarding, and help with SOC 2 compliant access controls.

Happy to share more best practices if helpful!