BCEL1014c: What Is My Offboarding Trigger for OneLogin?


Why Select OneLogin?

If OneLogin is your source of truth and your IdP, you’ll very likely want to start your offboarding process with a OneLogin trigger. Your available triggers can be seen below:




 User Status Changes

   Status is Deactivated

 User added to Group


 Group is [enter Group name]

In the sections that follow, you’ll find a breakdown of the pros, cons, use cases, and things to keep in mind when selecting your trigger for OneLogin!

OPTION: User Status Changes  + Status is Deactivated (BetterClouders Most Common Method)

Deactivating a user in OneLogin immediately cuts access to all applications downstream. Meaning that, as an IdP, OneLogin is able to stop access to Slack, Zoom, 365, GitHub and any additional applications that may be integrated with the platform. However, while this is a great first step to offboarding, it is important to note that offboarding goes beyond cutting access. Ensuring data is transferred properly, passwords are reset, backend housekeeping is completed properly and ultimately the user is deleted entirely are not part of simply disabling a user in OneLogin. These additional, advanced Actions is where BetterCloud comes in and ensures the security of your organization, both from an access as well as a DLP standpoint.

If you’re considering different triggering options, here’s a list of pros and cons when it comes to offboarding users via deactivation in OneLogin:




 Access to apps cut instantly


 Possible impact on other apps

 May not alter your current process much



 Can be taken by any OneLogin admin


Do keep in mind that deactivating a user in OneLogin can have downstream effects on your other applications. For example, deactivating a user in OneLogin may also suspend them in Google, preventing the user from getting emails forwarded and having their inbox delegated to their manager. Before selecting this as your trigger, please ensure you understand what deactivation does in all integrated applications.

OPTION: User Added to Group + Group is [Offboarding Group]

Instead of disabling the user in OneLogin, you may want to consider adding the user to a Group. This would allow you to keep track of all users who are in the offboarding workflow, ultimately moving them to a different group when the Workflow is completed. You'd have granular insight into where users are in the process.




 Granular views into user's status


 Delay in cutting access to apps

 Can delay deactivation if required


 May need to create new Groups


Why Wouldn’t You Select OneLogin?

If there is another application closer to your source of truth, such as an HRIS, you'll likely want to use this as your starting point. Whatever either is your source of truth, or pushes from your source of truth to the application, if what you should select.



Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request