Most companies today use an identity provider (IdP) like Okta, Entra ID, or Google Workspace to handle user authentication and enable single sign-on (SSO), so IdPs are a common starting point for automating access provisioning. They offer a convenient way to manage account creation and basic user access via group assignments for SCIM-enabled apps, which for cloud-native companies using a small number of SaaS tools is usually sufficient.
But for growing and larger companies with more complex environments, the limitations of an IdP-only approach to provisioning can create both security gaps and productivity bottlenecks. While it’s not necessary for these companies to ditch IdP-based provisioning altogether, it’s critical that they add more flexible provisioning tools to their belt.
Let’s break down where IdP-based provisioning falls short and how ConductorOne can help you expand beyond it.
The limits of IdP-based provisioning
IdPs typically use a group-based model for provisioning app accounts and entitlements. When users need access to an app, they are added to a group—usually based on their role, department, or a similar attribute—that’s mapped to the app, and granted access based on that group membership.
While useful in simple environments, group-based access leads to compounding issues as the number of apps and users in an organization grows:
- Group sprawl: Over time, hundreds or even thousands of overlapping groups can accumulate. Managing them becomes unwieldy and error-prone.
- Overpermissioning: Group-based provisioning is coarse-grained—users often receive more access than they need, increasing risk.
- Lack of visibility: It’s hard to understand what permissions a user actually has, especially when groups map to broad roles and link to additional groups that grant further access downstream.
- Limited coverage: Many critical systems—especially internal tools, databases, or infrastructure—don’t support group provisioning or SCIM at all. In an IdP-based provisioning model, IT teams and app owners are left to manage these systems manually.
The result? Gaps in security posture, limited auditability, and a painful provisioning experience for both IT and end users.
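To make the "lack of visibility" and "overpermissioning" problems concrete, the following is an added example (not ConductorOne's code, and not taken from any real IdP) that resolves a user's effective entitlements through nested group membership. The group and entitlement tables are constructed sample data; the nesting semantics assumed here are the common ones, where a group listed as a member of another group inherits everything mapped to the containing group. The report shows each permission together with the group chain that confers it, which is exactly what a reviewer needs to explain why a user holds access, and it flags entitlements beyond what a role is documented to need as well as groups that exist only as containers.

```python
from collections import deque

# Constructed sample directory (not data from any real IdP). A group's member set
# can contain users or other groups, written as "group:<name>"; members of a
# nested group inherit everything granted to the groups that contain it.
GROUP_MEMBERS = {
    "eng-all": {"alice", "bob", "group:eng-backend", "group:eng-frontend"},
    "eng-backend": {"carol", "group:db-admins"},
    "eng-frontend": {"dave"},
    "db-admins": {"erin"},
    "finance": {"frank"},
}

# App entitlements mapped to groups, as an IdP group-push or SCIM mapping would be.
GROUP_ENTITLEMENTS = {
    "eng-all": {("github", "member"), ("jira", "user")},
    "eng-backend": {("aws", "ReadOnlyAccess")},
    "db-admins": {("postgres", "superuser"), ("aws", "AdministratorAccess")},
    "finance": {("netsuite", "accountant")},
}


def direct_groups(user):
    """Groups that list the user as a direct member."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def containing_groups(group):
    """Groups that list `group` as a nested member."""
    return {g for g, members in GROUP_MEMBERS.items() if f"group:{group}" in members}


def effective_groups(user):
    """Map each group the user is effectively in to the nesting chain that confers it."""
    chains = {g: [g] for g in direct_groups(user)}
    queue = deque(chains)
    while queue:
        group = queue.popleft()
        for parent in containing_groups(group):
            if parent not in chains:  # also guards against cyclic nesting
                chains[parent] = chains[group] + [parent]
                queue.append(parent)
    return chains


def effective_entitlements(user):
    """Map each (app, permission) the user holds to the first chain found that grants it."""
    ents = {}
    for group, chain in effective_groups(user).items():
        for ent in GROUP_ENTITLEMENTS.get(group, ()):
            ents.setdefault(ent, chain)
    return ents


def excess_entitlements(user, needed):
    """Entitlements the user holds beyond a reviewer-supplied set of what the role needs."""
    return set(effective_entitlements(user)) - set(needed)


def groups_granting_nothing():
    """Sprawl indicator: groups that map to no entitlement and exist only as containers."""
    return {g for g in GROUP_MEMBERS if not GROUP_ENTITLEMENTS.get(g)}


def access_report(user):
    """One line per effective entitlement, with the group chain that explains it."""
    lines = []
    for (app, perm), chain in sorted(effective_entitlements(user).items()):
        lines.append(f"{user}: {app}/{perm} via {' -> '.join(chain)}")
    return lines


if __name__ == "__main__":
    for user in ("erin", "dave", "frank"):
        print("\n".join(access_report(user)))
    print("excess for erin:", excess_entitlements("erin", {("postgres", "superuser")}))
    print("groups granting nothing:", groups_granting_nothing())
```

Running it shows the downstream effect the list above describes: erin is only a direct member of db-admins, but because that group is nested inside eng-backend, which is nested inside eng-all, she also receives the GitHub, Jira and AWS read-only entitlements mapped to those groups, and the chain printed next to each permission is the audit trail a reviewer would otherwise have to reconstruct by hand.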
Want to dig deeper? Watch our on-demand webinar on how to tame group sprawl → Lock & Key: Closing the Door on Group Sprawl
Expanding your provisioning toolset
ConductorOne is built to give you more provisioning flexibility and address the security and automation shortfalls of an IdP-based approach to provisioning. The platform seamlessly integrates with your IdP and all your cloud and on-prem apps to extend your provisioning capabilities, enabling fine-grained, flexible access control across your entire environment—not just for the systems your IdP connects to.
Here are all the ways you can provision access using ConductorOne:
Fine-grained entitlement provisioning: ConductorOne’s out-of-the-box connectors centralize and orchestrate fine-grained access data from every app in your environment, allowing you to directly provision individual users with specific permissions within apps. This helps you detangle the web of group-based access and implement much more precise and dynamic role-, attribute-, and policy-based access controls suited to your business and security needs. And in ConductorOne, you can implement self-service requests and just-in-time (JIT) access for any entitlement level in any app, for additional automation and security.
Provisioning for non-SCIM-enabled apps: Connect directly with non-SCIM-enabled apps, including on-prem and homegrown systems, to automate fine-grained provisioning for tools your IdP can’t talk to. ConductorOne has integrations for most legacy and on-prem tools and a robust connector SDK that allows us to quickly build custom integrations for homegrown apps.
Provisioning via your service desk: For systems you want to provision through your service desk or ITSM tool, ConductorOne can handle the access request and approval processes and then automatically open and monitor provisioning tickets. All ticket status changes are logged in the platform for easy auditing.
Webhooks provisioning: Do you have a custom provisioning workflow you’d like to continue using? ConductorOne allows you to trigger provisioning via webhooks, so you can automate the access request and approval process and then kick off your preferred provisioning workflow directly from the platform.
Direct account provisioning: In many cases, it’s convenient to continue using your IdP to create new user accounts within apps. But ConductorOne also gives you the flexibility to create new app accounts directly from the platform. Use direct account provisioning to streamline lifecycle management from end to end, as well as increase protection for sensitive environments with just-in-time account provisioning—the platform will create a new account when access is granted and delete it automatically when the granted access expires.
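The just-in-time account lifecycle described above (create the account when access is granted, remove it when the grant expires) is essentially a reconciliation loop over time-bounded grants. The following is an added example of that loop, written for this page and not ConductorOne's implementation; the target system's account API is replaced by a constructed in-memory stand-in, and the grants and timestamps are sample data. The reconciler is driven by an injected clock so the behaviour at each point in a grant's lifetime can be checked, including a back-to-back renewal that must not cause a delete-and-recreate.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """An approved access grant with a fixed lifetime (half-open interval)."""
    user: str
    app: str
    starts_at: datetime
    expires_at: datetime

    def active_at(self, now):
        return self.starts_at <= now < self.expires_at


@dataclass
class FakeApp:
    """Stand-in for a target system's account API (constructed for this example)."""
    name: str
    accounts: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def create_account(self, user, now):
        self.accounts.add(user)
        self.audit.append((now.isoformat(), "create", user))

    def delete_account(self, user, now):
        self.accounts.discard(user)
        self.audit.append((now.isoformat(), "delete", user))


def desired_accounts(grants, now):
    """Accounts that should exist per app, given which grants are active at `now`."""
    wanted = defaultdict(set)
    for g in grants:
        if g.active_at(now):
            wanted[g.app].add(g.user)
    return wanted


def reconcile(grants, apps, now):
    """Converge each app's account set onto the active grants; returns (created, deleted)."""
    wanted = desired_accounts(grants, now)
    created, deleted = [], []
    for app in apps.values():
        for user in sorted(wanted[app.name] - app.accounts):
            app.create_account(user, now)
            created.append((app.name, user))
        for user in sorted(app.accounts - wanted[app.name]):
            app.delete_account(user, now)
            deleted.append((app.name, user))
    return created, deleted


def run_scenario():
    """Tick the reconciler hourly through a set of grants; returns the app's audit trail."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamps
    h = timedelta(hours=1)
    grants = [
        Grant("alice", "prod-db", t0, t0 + 4 * h),        # 4-hour JIT window
        Grant("bob", "prod-db", t0 + 1 * h, t0 + 2 * h),  # 1-hour window
        Grant("bob", "prod-db", t0 + 2 * h, t0 + 3 * h),  # renewal: account must persist
    ]
    apps = {"prod-db": FakeApp("prod-db")}
    for tick in range(6):
        reconcile(grants, apps, t0 + tick * h)
    return apps["prod-db"].audit


if __name__ == "__main__":
    for when, action, user in run_scenario():
        print(when, action, user)
```

Because the loop computes the desired state from the grants on every tick rather than reacting to individual events, a missed event or a restart cannot leave an orphaned account behind: the next reconciliation removes anything no active grant justifies, and each create and delete is recorded with its timestamp for the audit trail.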
Your IdP is a critical piece of your identity stack—but it isn’t designed to handle the complexity of modern access provisioning and governance. ConductorOne is. Book a demo to learn more and see ConductorOne’s flexible provisioning options in action!