Comment by scarface_74 4 days ago

3 replies

There are some 3rd party accounts that can be accessed via your SSO or via your personal credentials once you leave. The main ones I can think of are your brokerage account containing your 401K and vested RSUs and your payroll provider like ADP and Paylocity. You still need to have access to past paystubs and end of year tax documents.

anon84873628 4 days ago

SSO should stop working when the IdP org is disabled/deleted. IdPs should not allow the org to be resurrected based solely on domain ownership alone. And if a new org is created with the same domain, the SP will need to be reconfigured with new OAuth client creds, and should be relying only on the `sub` claim anyway.

Any accounts you need after leaving a company should be tied to your personal email.
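The point in the comment above about the service provider keying on the `sub` claim rather than the e-mail address, shown as an added example (not code from the thread or from any real IdP or SP). It models a service provider that binds a user's account to the `(iss, sub)` pair from a verified ID token and checks the token's `aud` against the client ID it currently holds. The issuer URL, client IDs, subjects and e-mail address are made up, and signature/expiry verification is assumed to have happened upstream. The `match_by_email` switch exists only to show the weak behaviour for comparison.

```python
# Added example, not from the thread: SP-side account linking keyed on
# (iss, sub). Issuer, client IDs, subjects and e-mails are constructed.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    email: str
    # (issuer, subject) pairs this account may be reached through via SSO
    links: set = field(default_factory=set)


class ServiceProvider:
    def __init__(self, trusted_clients):
        # issuer -> OAuth client_id the SP currently holds for that IdP org.
        # Reconfiguring for a re-created org replaces the entry, so tokens
        # minted for the old client fail the audience check.
        self.trusted_clients = dict(trusted_clients)
        self.accounts = {}

    def create_account(self, account_id, email):
        self.accounts[account_id] = Account(account_id, email)
        return self.accounts[account_id]

    def reconfigure(self, issuer, client_id):
        self.trusted_clients[issuer] = client_id

    def _check_token(self, claims):
        # Signature and expiry are assumed verified upstream (not shown).
        iss = claims.get("iss")
        if iss not in self.trusted_clients:
            raise ValueError(f"untrusted issuer: {iss}")
        if claims.get("aud") != self.trusted_clients[iss]:
            raise ValueError("token audience does not match our client_id")
        if not claims.get("sub"):
            raise ValueError("token has no sub claim")

    def link(self, account_id, claims):
        """Bind an existing account to the (iss, sub) in a verified token.
        Done from an already-authenticated session, never implicitly at login."""
        self._check_token(claims)
        self.accounts[account_id].links.add((claims["iss"], claims["sub"]))

    def resolve(self, claims, match_by_email=False):
        """Return the account_id an SSO login maps to, or None.
        match_by_email=True is the weak behaviour: whoever the IdP now
        issues a token for with the old address inherits the account."""
        self._check_token(claims)
        key = (claims["iss"], claims["sub"])
        for acct in self.accounts.values():
            if key in acct.links:
                return acct.account_id
        if match_by_email:
            wanted = claims.get("email", "").lower()
            for acct in self.accounts.values():
                if acct.email.lower() == wanted:
                    return acct.account_id
        return None


def resurrected_org_scenario():
    """Walk through: employee links account; org is deleted and re-created
    with the same domain; SP is reconfigured with new client creds; a new
    user at the re-created org gets the same e-mail address."""
    issuer = "https://idp.example/orgs/acme"          # hypothetical
    sp = ServiceProvider({issuer: "client-old"})
    sp.create_account("acct-1", "alice@acme.example")
    old_token = {"iss": issuer, "sub": "u-111", "aud": "client-old",
                 "email": "alice@acme.example"}
    sp.link("acct-1", old_token)
    out = {"before": sp.resolve(old_token)}

    sp.reconfigure(issuer, "client-new")
    try:
        sp.resolve(old_token)
        out["stale_client_token"] = "accepted"
    except ValueError:
        out["stale_client_token"] = "rejected"

    new_token = {"iss": issuer, "sub": "u-999", "aud": "client-new",
                 "email": "alice@acme.example"}
    out["same_email_strict"] = sp.resolve(new_token)
    out["same_email_by_email"] = sp.resolve(new_token, match_by_email=True)
    return out


if __name__ == "__main__":
    for k, v in resurrected_org_scenario().items():
        print(f"{k}: {v}")
```

With `match_by_email=False` the new subject at the re-created org gets no account at all, which is the desired outcome; with the e-mail fallback the old account is handed over. The stale token minted for the old client ID is rejected by the audience check regardless.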

  • scarface_74 4 days ago

    My brokerage account could be accessed by both. I agree that is how it should work. But my brokerage account provider is never told to disable access via my IdP. It’s up to my former IdP to not do something stupid like giving someone else my old email address.

    • necovek 4 days ago

      It's not the IdP's responsibility to "fix" the internet.

      Just like someone can buy a home and will get mail targeting a previous owner, the same happens with domain names and emails.

      Domains are, however, much cheaper and more abundant, so it happens more often.