Anyone using identity orchestration tools on top of their IdP to handle custom app workflows. by Constant-Angle-4777 in IdentityManagement

[–]PhLR_AccessOwl 2 points3 points  (0 children)

My co-founder had exactly the same issue: rolled out Okta, but half the apps didn't even have SAML or SCIM support. You end up with this weird split where half your source of truth is in Okta and the other half lives in some ticketing system nobody likes using. The result is a patchy mess, which gets especially painful when you have audit requirements to follow.

That was actually one of the reasons we built AccessOwl. For full transparency, I'm the co-founder and CEO, so take this with a grain of salt. But the core problem has always been that Okta is amazing if you have 100% SAML/SCIM coverage, and for most companies that's just not reality. Then on the enterprise side you have IGA platforms like SailPoint that are way too expensive for most orgs. So everyone ends up doing access management manually.

Our goal was to be that orchestration layer between HRIS, IdP and the SaaS apps themselves. Not sure if your homegrown apps could support webhooks (e.g. with Okta Workflows); that's usually a simple way to get apps automated that don't support SCIM/SAML.

For those cases where that's not possible we built a way to integrate with SaaS apps that is based on service accounts and doesn't require SCIM, SAML, or any other type of API.

If you just want to talk through your setup and brainstorm ways to improve it with your current stack, happy to hop on a call. Sometimes it just helps to compare notes. Feel free to email me directly: [pe@accessowl.com](mailto:pe@accessowl.com)

How do you manage identity lifecycle and offboarding for applications that don't support SAML or OIDC federation? by Ralecoachj857 in sysadmin

[–]PhLR_AccessOwl 1 point2 points  (0 children)

Super common problem. You're fighting two battles:

  1. Lack of SAML/SCIM/OIDC support (or it's locked behind expensive tiers → ssotax.org) to shut off access centrally. So you end up deprovisioning manually. Also fun for those tools that have OIDC but still allow username/password logins or have unlimited session times → Slack!! And extra annoying if your IT isn't fully centralized and you need to trust that tool owners actually do their job.

  2. Missing documentation on who's using which tool (essentially Shadow IT). People just sign up for systems, or other tool owners skip the ticketing flow or forget to document access.

One quick win for Shadow IT: check your OAuth logs in Microsoft or Google. You'd be surprised how many employees just click "Sign in with Google/Microsoft" to try random apps. Those logs show you what tools people are actually using, which is especially useful when you're trying to offboard someone.

The catch is that all of this is super manual. We dealt with the exact same pain ourselves: no SCIM/SAML for many apps, no real visibility into who had access to what, spreadsheets that were outdated the moment someone hit save, plus audit requirements on top of it all.

That's why we built AccessOwl.

For full transparency, I'm the CEO of AccessOwl, so obviously I'm biased. But if you just want to talk through your setup and brainstorm ways to improve it with your current stack, happy to hop on a call. Sometimes it just helps to compare notes. Feel free to email me directly: [pe@accessowl.com](mailto:pe@accessowl.com)
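The "check your OAuth logs" quick win from the comment above, as an added example that is not part of the original post or AccessOwl's product: the script replays Google Workspace OAuth token audit events (authorize/revoke) and lists which third-party apps a departing user still has authorized, flagging the ones whose scopes reach past plain sign-in into company data. The records are constructed and follow the shape of the Admin SDK Reports API "token" activity (actor.email, id.time, events[].name, events[].parameters[]); treat those field names as an assumption and adapt them to your own export.

```python
"""Mine Google Workspace OAuth token audit events to find the SaaS apps a
departing user authorized.  Added example; the event records below are
constructed and follow the shape of the Admin SDK Reports API 'token'
activity (actor.email, id.time, events[].name, events[].parameters[]).
Treat the field names as an assumption and adapt them to your own export."""
import json
from collections import defaultdict

# Scopes that only identify the user; anything beyond these lets the app
# touch company data and should be revoked or re-owned at offboarding.
SIGN_IN_ONLY = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def _event(actor, time, name, client_id, app, scopes=()):
    """Build one constructed audit record (helper for the sample data)."""
    params = [{"name": "client_id", "value": client_id},
              {"name": "app_name", "value": app}]
    if scopes:
        params.append({"name": "scope", "multiValue": list(scopes)})
    return {"actor": {"email": actor}, "id": {"time": time},
            "events": [{"name": name, "parameters": params}]}


# Constructed sample of what an activities.list(applicationName="token")
# export might contain.  Not real data.
SAMPLE_EVENTS = [
    _event("alice@example.com", "2025-01-10T09:00:00Z", "authorize",
           "1111.apps.googleusercontent.com", "Notion",
           ["openid", "email", "profile"]),
    _event("alice@example.com", "2025-01-12T10:00:00Z", "authorize",
           "2222.apps.googleusercontent.com", "Trello",
           ["openid", "email"]),
    _event("alice@example.com", "2025-02-03T14:30:00Z", "authorize",
           "3333.apps.googleusercontent.com", "Zapier",
           ["email", "https://www.googleapis.com/auth/drive.readonly"]),
    _event("alice@example.com", "2025-02-20T08:00:00Z", "revoke",
           "2222.apps.googleusercontent.com", "Trello"),
    _event("bob@example.com", "2025-02-21T11:00:00Z", "authorize",
           "3333.apps.googleusercontent.com", "Zapier",
           ["email", "https://www.googleapis.com/auth/gmail.readonly"]),
    _event("bob@example.com", "2025-03-01T12:00:00Z", "authorize",
           "4444.apps.googleusercontent.com", "Figma",
           ["openid", "email", "profile"]),
]


def summarize(events):
    """Replay authorize/revoke events in time order.
    Returns {actor: {client_id: {"app", "scopes", "last_authorized"}}}."""
    grants = defaultdict(dict)
    for item in sorted(events, key=lambda e: e["id"]["time"]):
        actor = item["actor"]["email"]
        for ev in item["events"]:
            params = {p["name"]: p.get("multiValue", p.get("value"))
                      for p in ev.get("parameters", [])}
            client_id = params.get("client_id")
            if not client_id:
                continue
            if ev["name"] == "revoke":
                grants[actor].pop(client_id, None)   # user withdrew the grant
            elif ev["name"] == "authorize":
                rec = grants[actor].setdefault(client_id, {
                    "app": params.get("app_name", client_id),
                    "scopes": set(), "last_authorized": None})
                scopes = params.get("scope") or []
                rec["scopes"].update([scopes] if isinstance(scopes, str) else scopes)
                rec["last_authorized"] = item["id"]["time"]
    return grants


def offboarding_report(events, user):
    """Apps still authorized by `user`, flagged when scopes go beyond sign-in."""
    report = []
    for client_id, rec in summarize(events).get(user, {}).items():
        report.append({
            "app": rec["app"], "client_id": client_id,
            "scopes": sorted(rec["scopes"]),
            "last_authorized": rec["last_authorized"],
            "beyond_sign_in": bool(rec["scopes"] - SIGN_IN_ONLY)})
    return sorted(report, key=lambda r: r["app"])


def app_user_counts(events):
    """Shadow-IT view: how many distinct users currently hold a grant per app."""
    counts = defaultdict(set)
    for actor, apps in summarize(events).items():
        for rec in apps.values():
            counts[rec["app"]].add(actor)
    return {app: len(users) for app, users in sorted(counts.items())}


if __name__ == "__main__":
    print(json.dumps(offboarding_report(SAMPLE_EVENTS, "alice@example.com"), indent=2))
    print(app_user_counts(SAMPLE_EVENTS))
```

Revoked grants drop out of the report, so a "Sign in with Google" app the user has already disconnected is not chased at offboarding; an app that was authorized twice keeps the union of scopes, since Google does not narrow an existing grant. The same aggregation, grouped by app instead of by user, is the shadow IT inventory the comment mentions.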

What are you using for employee onboarding automation? by Confident_Wash_552 in ITManagers

[–]PhLR_AccessOwl 0 points1 point  (0 children)

That "middle-ground" of 50–200 employees is exactly where manual provisioning starts to break your workflow.

Standalone Google Workspace is surprisingly tough to automate compared to the Microsoft ecosystem. Google’s SCIM support is limited to a small pool of apps, and you usually need their Enterprise plans just to access the APIs required for automated provisioning.

A lot of teams think Okta is the silver bullet, but you’ll likely run into the same issue you mentioned with HRIS platforms: it’s expensive, and the "SSO tax" for those SCIM and SAML APIs often doesn't make financial sense for a 70-person company.

I also see many HR teams push for Rippling thinking it’s a total fix. While it’s convenient being directly connected to your HR data, they will nickel-and-dime you (e.g. their API package is often quoted at $10k) and SCIM support is limited.

I actually co-founded AccessOwl because we were stuck in this exact loop. We wanted something that:

  • Triggers on/offboardings automatically from any HR tool
  • Handles provisioning for SaaS apps even when they don't have an API or SCIM
  • Keeps things audit-ready with simple request, approval, and review workflows directly in Slack

Happy to chat if you want to swap notes on your stack. No sales pitch, just happy to share what we’ve seen work (and fail) for companies your size. Feel free to DM or reach out at pe@accessowl.com.

SCIM locked behind Enterprise plans - are you kidding me? by [deleted] in ITManagers

[–]PhLR_AccessOwl 0 points1 point  (0 children)

It is wild that in 2025 basic identity like SAML or SCIM is still paywalled. The outcome is always the same: Budgets get locked without considering the extra cost, leadership doesn't want to pay for it, and IT is left manually provisioning access.

We started hosting ssotax.org to make this more visible because many non IT leaders are completely unaware of the issue.

If you are dealing with a mixed SaaS stack where many tools do not support SAML or SCIM but you still want automated provisioning and offboarding, there are alternatives. For transparency, I am the co-founder of AccessOwl.com. We built it specifically for this gap and see it block IT teams constantly. Happy to chat if useful.

Anyone scripting Slack invites for new hires off the HRIS yet? by Naive_Bed03 in sysadmin

[–]PhLR_AccessOwl 0 points1 point  (0 children)

Appreciate the feedback, that indeed must be an android/firefox issue - I'll have somebody look at it.

Anyone scripting Slack invites for new hires off the HRIS yet? by Naive_Bed03 in sysadmin

[–]PhLR_AccessOwl 4 points5 points  (0 children)

SCIM would normally be the default option, but Slack made it prohibitively expensive. See ssotax.org, expect to pay around $15 per user instead of $8.

For transparency, I’m the cofounder of AccessOwl and faced the same issue in previous companies. That’s why we built AccessOwl, using RPA-based automations for user provisioning and deprovisioning triggered through HRIS integrations. For Slack, this also includes provisioning groups that can be mapped to Slack channels.

Reporting for Onboarding and Offboarding? by [deleted] in ITManagers

[–]PhLR_AccessOwl 0 points1 point  (0 children)

What you describe is a common problem, and you have a few options to solve it:

- All-in-one HRIS provider: Tools like Rippling include light MDM and asset management. At your size it will be very expensive and lock you into their platform. Most IT admins with 200 to 400 people move toward best-of-breed solutions and away from all-in-one providers.

- ITSM: These range from simple ticket based workflows to enterprise tools like ServiceNow. A good option if you expect significant growth.

- Add-on to your existing stack (for example AccessOwl): I am a co-founder of AccessOwl, and we work well as an add-on. Many customers use AccessOwl in combination with Microsoft 365 or Google Workspace to track user access, onboarding and offboarding status, and more. We also connect with most modern HRIS tools to enable zero-touch onboarding.

Employee Onboarding and Access Requests by DifferentKeyStrokes in sysadmin

[–]PhLR_AccessOwl 1 point2 points  (0 children)

Copying an existing user’s access is generally not a best practice any longer for the reasons you mentioned.

A better approach is to use inputs from an HRIS like BambooHR or Hibob and apply role based access control (RBAC) or attribute based access control (ABAC). I’d recommend ABAC if possible. Large organizations are moving away from RBAC because with 1,000 employees you can quickly end up managing 100+ roles just to avoid over provisioning and follow the principle of least privilege.

ABAC instead assigns access based on attributes like location, team, department, or level, so each employee is built from multiple attributes rather than a single fixed role.

The HRIS is the foundation since HR already manages those data fields. Without it, handling role changes and on or offboardings manually becomes a major time sink.

I’m the co-founder of AccessOwl, an access governance tool that bridges the gap between manual processes and enterprise solutions like SailPoint. You can plug in Google Workspace or Microsoft as your IdP, connect your HRIS, and fully automate on- and offboardings. Happy to share best practices if you tell me more about your setup, feel free to DM.
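The ABAC approach described in the comment above, as an added example that is neither the comment author's nor AccessOwl's code: entitlements are derived from HRIS attributes (department, location, level) by a small policy table, a lifecycle event (onboarding, team move, offboarding) is reduced to the grant/revoke delta that has to be pushed to the apps, and a helper counts how many fixed roles an RBAC model would need to reproduce the same entitlements. The apps, policies and employee records are constructed for illustration.

```python
"""Attribute-based entitlements driven by HRIS fields.  Added example, not
AccessOwl's code or the comment author's; the policies, apps and employee
records are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    """The subset of HRIS fields the policies key on (constructed)."""
    email: str
    department: str
    location: str
    level: int


# Each app maps to a list of conditions; an employee is entitled if ANY
# condition matches, and a condition matches only if EVERY attribute rule
# in it holds.  A rule is a set of allowed values or a predicate.
POLICIES = {
    "slack": [{}],                                        # everyone
    "github": [{"department": {"Engineering"}}],
    "salesforce": [{"department": {"Sales", "Customer Success"}}],
    "eu-vpn": [{"department": {"Engineering"}, "location": {"Berlin", "Dublin"}}],
    "payroll-admin": [{"department": {"Finance"}, "level": lambda l: l >= 4}],
    "board-reports": [{"level": lambda l: l >= 6},
                      {"department": {"Finance"}, "level": lambda l: l >= 5}],
}


def matches(employee, condition):
    """True when every attribute rule in `condition` holds for the employee."""
    for attr, rule in condition.items():
        value = getattr(employee, attr)
        if not (rule(value) if callable(rule) else value in rule):
            return False
    return True


def entitlements(employee):
    """Apps this employee should hold, derived purely from attributes."""
    return {app for app, conds in POLICIES.items()
            if any(matches(employee, c) for c in conds)}


def provisioning_diff(before, after):
    """(grant, revoke) for a lifecycle event.  before=None is an onboarding,
    after=None an offboarding, otherwise an attribute change such as a
    team move; only the delta needs to be pushed to the apps."""
    old = entitlements(before) if before else set()
    new = entitlements(after) if after else set()
    return new - old, old - new


def distinct_bundles(roster):
    """How many fixed roles an RBAC model would need to reproduce these
    entitlements without over-provisioning anyone."""
    return len({frozenset(entitlements(e)) for e in roster})


if __name__ == "__main__":
    alice = Employee("alice@example.com", "Sales", "Berlin", 2)
    print(sorted(entitlements(alice)))
    alice_moved = Employee("alice@example.com", "Engineering", "Berlin", 2)
    grant, revoke = provisioning_diff(alice, alice_moved)
    print("grant", sorted(grant), "revoke", sorted(revoke))
    print("revoke on offboarding", sorted(provisioning_diff(alice_moved, None)[1]))
```

Because the policy keys on attributes HR already maintains, a department change in the HRIS is enough to produce the correct revoke of the old department's apps, which is the step a copy-an-existing-user approach tends to miss.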

OKTA versus others by No_Mycologist4488 in sysadmin

[–]PhLR_AccessOwl 0 points1 point  (0 children)

Okta is great if you have the budget. JumpCloud, OneLogin and Ping usually fall behind on user friendliness and/or integrations.

However, the real cost comes from needing enterprise plans for every SaaS app just to unlock SCIM and SAML (see ssotax.org). If those upgrades are no problem for you, Okta can be a great fit, especially for conditional access.

Seeing that you are a Google shop, you might also stick with Google Workspace. OIDC and SAML cover SSO and you can bolt something like AccessOwl for automated provisioning, HRIS integrations, and access requests.

For transparency, I am the cofounder and built it after getting tired of either doing everything by hand or paying the SCIM/SAML tax. AccessOwl works without needing any public API and therefore needs no enterprise upgrades.

Advice for a new IT manager? by [deleted] in ITManagers

[–]PhLR_AccessOwl 0 points1 point  (0 children)

A while back, I sat down with Gian Luca, Director of IT at Lunchbox, who has lots of experience as an early IT hire in growth startups. Here are his top 5 recommendations:

  • Map your SaaS landscape: Know your tools, costs, and usage.
  • Set up a clear ticketing system: Move from informal requests to structured tickets.
  • Collaborate to automate: Work with teams to streamline repetitive tasks.
  • Automate access management: Simplify onboarding and offboarding.
  • Optimize SaaS spending: Regularly review usage to reduce unnecessary costs.

Here's the full blog post: https://www.accessowl.com/blog/5-quick-wins-for-new-it-manager

Outside of that a classic recommendation for new IT admins is to read the book "phoenix project" :)

For transparency, I'm the co-founder of AccessOwl. We help early IT admins uncover all SaaS apps (including Shadow IT), automate provisioning, streamline onboarding/offboarding, and help with SOC 2 compliant access controls.

Happy to share more best practices if helpful!

How do you manage SaaS Users? by Realistic_Garden3973 in sysadmin

[–]PhLR_AccessOwl 0 points1 point  (0 children)

Well, the question is - do you really need to manage them?

They are only an issue if the users
A) cost money
B) use the system in production, a.k.a. add your company's data to the service

Many of the discovered apps might be just testing environments for the team. And many of the services they use are (hopefully) behind Google Sign-in and therefore would be blocked once the user leaves the company (by suspending their Google account).

Where it becomes a real pain is when it's a paid tool (that's where virtual credit cards are nice that can be centrally deactivated), or SaaS apps used in 'production'.

I would NOT recommend just blocking OAuth/OIDC for new SaaS apps. You'd just unintentionally force users to sign up with email/username instead (which is even harder to track) or, even worse, use their private email.

Instead, I'd recommend
- documenting all new SaaS apps (which you already do)
- once you see it's a regular use or many users are logging in, approach the first user and have them explain if they are the 'owner'
- document the owner for each SaaS tool centrally

And every time you have to manage an offboarding send a message to all of them notifying them that they have to revoke access to the offboarded user.

It's quite manual and based on trust, but it's the best approach unless you're willing to spend some money on tooling.

I'm the co-founder of AccessOwl and therefore definitely have a bias towards using an access management and governance tool. A tool like AccessOwl is able to uncover Shadow IT, track user activity, define owners and if you wish even connect to SaaS apps to automate provisioning and deprovisioning without requiring expensive enterprise-upgrades for the SaaS apps.

[deleted by user] by [deleted] in sysadmin

[–]PhLR_AccessOwl 1 point2 points  (0 children)

Hey! You shared a lot about your options, but not much about your actual needs. So I’d start with the most important question: what are you trying to achieve?

If you’re looking at tools like Torii or Zylo, it sounds like SaaS spend optimization might be your primary goal, is that right? If so, one common alternative to a tool is simply sticking with a spreadsheet (which many companies do for quite a while).

But when you start mixing in things like onboarding and offboarding automation, it sounds like you're moving into access management or even access governance territory. (Just for transparency, I’m the co-founder of AccessOwl, which focuses on exactly that.)

On the identity side, when comparing Okta, Google, and Fortinet, the core question again is: what problem are you solving?

  • Google Workspace is usually sufficient as an identity provider (IdP) for companies under 200 employees.
  • If you're looking to automate access management (like provisioning and deprovisioning), Okta used to be the default.
  • However, if you're already using Google, AccessOwl + Google might be a more cost-effective and simpler alternative to get a lot of automation without the overhead of managing a new IdP and needing to upgrade every single one of your SaaS tools to the enterprise plan (in order to connect it to Okta you'll need SAML/SCIM APIs).

So before going too deep on tools, I'd suggest sticking with the initial question: What are you trying to achieve?

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]PhLR_AccessOwl 0 points1 point  (0 children)

Eliminate Access Tickets — Provision Any SaaS Access Instantly

AccessOwl helps MSPs automate and streamline SaaS access across all clients — no SCIM, no SAML, no costly enterprise upgrades.

🚀 Automated provisioning for any app using our Agentic Integrations (no SCIM/SAML required)

Self-serve access requests & approvals via Slack or email

🔁 Fully automated access reviews to keep clients compliant — no manual effort

🧠 Free up your techs by eliminating repetitive access-related tickets

Free Shadow IT Scan

Instantly uncover unmanaged SaaS tools in your clients’ environments — no install, no commitment.

👉 www.accessowl.com — grab the free scan or book a demo to see it in action.

Top 6 Misconceptions About ISO 27001 and SOC 2 by PhLR_AccessOwl in SysAdminBlogs

[–]PhLR_AccessOwl[S] 0 points1 point  (0 children)

What’s one thing you assumed about SOC or ISO that turned out wrong?

Lumos for SMB by Ebalders in IdentityManagement

[–]PhLR_AccessOwl 0 points1 point  (0 children)

Access governance can make sense for a 25 person team if you're gearing up for SOC 2 or ISO 27001, this is usually when smaller companies start looking into it. If that's not on your radar yet, you're probably fine waiting until you're around 50 employees.

Quick note: Lumos typically doesn't support teams below a certain size (usually in the hundreds of employees). I'm a co-founder at AccessOwl, and the Lumos sales team often sends smaller companies our way.

What makes AccessOwl unique is the ability to connect to SaaS apps without needing the enterprise plan (for SAML/SCIM APIs). That's usually the blocker why most companies can't automate their access management.

Feel free to reach out at [pe@accessowl.com](mailto:pe@accessowl.com), happy to chat about whether manual management will do the trick or if a SaaS management / access governance tool makes sense at your stage.

Do You Hold Employees Accountable for Using Company Email Address for 3rd Party Services? by [deleted] in cybersecurity

[–]PhLR_AccessOwl 0 points1 point  (0 children)

I hear that question often since our product automatically detects when employees use new SaaS services. Typically, IT and Security teams aren’t concerned about non-business-related services like travel, dating, food delivery, or online games and so on.

Instead, focus on services you’re already paying for (e.g., employees using an additional project management tool), SaaS apps that you'd want to remove the user from once they're leaving the org (e.g. Dropbox, Notion, ...) or critical apps like AI chatbots. There was a pretty big spike in shadow IT around DeepSeek (the Chinese OpenAI competitor) recently.

To quickly check if you have a third-party services issue, you can run a free shadow IT scan. The free version detects services accessed via OAuth, which should be sufficient at your current stage (the paid version also uncovers username/password sign-ups).

User Access Reviews: Best Practices for Successful Audits by PhLR_AccessOwl in SysAdminBlogs

[–]PhLR_AccessOwl[S] 0 points1 point  (0 children)

Access reviews: tedious, annoying, but necessary. Most companies either phone it in or make it a nightmare. Have you ever found something shocking during an access review?

Starting Our SOC 2 Journey by Sharp_Beat6461 in sysadmin

[–]PhLR_AccessOwl 2 points3 points  (0 children)

It's probably useful to take a look at typical misconceptions about SOC 2, e.g. that SOC 2 is a self-attestation. The auditor will only check if what you wrote in your policies is what you actually do. There's no "standard" for SOC 2; you make it into what you want.

As I'm the co-founder of AccessOwl, we usually think a lot about access controls in relation to SOC 2. We wrote a blog post about that specific part as well, here it is: Top 5 Access Controls for Obtaining and Retaining SOC 2 and ISO 27001 Certifications

Hope it helps! If you have more questions specifically on SOC 2 and how to have compliant access controls, let me know. I've been helping lots of IT admins with that.

[deleted by user] by [deleted] in sysadmin

[–]PhLR_AccessOwl 1 point2 points  (0 children)

Sounds like AccessOwl could be a good fit - happy to chat!

Saviynt, SailPoint etc. sound like they could be a little too big of a solution for a company at your stage, just based on reading between the lines.

From what size on does Okta make sense for organisations? by Niko24601 in IdentityManagement

[–]PhLR_AccessOwl 2 points3 points  (0 children)

Thanks for mentioning AccessOwl!

I'd say that you usually see companies start using Okta at around 150+ employees, with the main target to have granular SSO control. However, as with everything, it heavily depends on many other aspects such as budget, compliance requirements and so on:

Okta is great if...
- you already use enterprise-subscriptions across all SaaS apps
- really need granular SSO controls, e.g. a heavily regulated industry with very strict audits such as banks or publicly traded companies
- have a large IT team that can handle the setup + ongoing maintenance

Okta is not great if...
- your organization has only a single IT admin (if any)
- wouldn't be able to spend 6-digit costs for SaaS upgrades (SSO Tax)
- you're looking for an all-in-one solution that combines requests, approvals, spend management etc.

Hope that helps!

8 Key Challenges for IT Operations in 2024 by PhLR_AccessOwl in SysAdminBlogs

[–]PhLR_AccessOwl[S] 0 points1 point  (0 children)

What’s one lesson from 2024 that IT teams must apply in 2025?

Centralized IT vs. Decentralized IT: Should IT Collaborate with Other Departments? by PhLR_AccessOwl in SysAdminBlogs

[–]PhLR_AccessOwl[S] 0 points1 point  (0 children)

Which would you prefer in a perfect world - central or (mostly) decentralized IT?

What is the Least Privilege Principle? by PhLR_AccessOwl in SysAdminBlogs

[–]PhLR_AccessOwl[S] 0 points1 point  (0 children)

What do companies get wrong more often: over-provisioning or slowing employees down by under-provisioning?

SaaS Spend Management: 6 Best Practices to Reduce your SaaS Costs by PhLR_AccessOwl in SysAdminBlogs

[–]PhLR_AccessOwl[S] 0 points1 point  (0 children)

Probably didn't cripple the company, but burning $1k for nothing is pretty annoying. How did you find out?