Chapter 5

Emma Woodhouse Handles a Hostile Offboarding

Emma Woodhouse, IAM Specialist at Highbury Networks, gets a 4:55 p.m. call from HR: a senior systems engineer named Frank Churchill is being terminated for cause, effective immediately. Frank has accounts in roughly forty systems — Highbury's on-prem Active Directory, two cloud tenants, the customer support tool, the source code repository, the secrets vault, and a dozen SaaS apps onboarded over the years through the company's identity provider.

Emma's nightmare: Highbury never finished cleaning up the IAM landscape after last year's acquisition, so some apps still use local accounts that were never wired to the IdP. Frank also held a long-lived API token for the deployment pipeline and has SSH keys cached on at least two laptops.

Emma needs to revoke access cleanly, prevent Frank from re-authenticating with cached credentials, ensure none of his automation accounts continue running with his identity attached, and produce an audit-ready record for legal. She also wants to use this incident to push leadership toward closing the structural gaps — federation coverage, secrets rotation, and a real PAM rollout — before the next termination.

Walk through Emma's offboarding playbook by selecting the correct option for each step.

Emma's first action is to disable Frank's account at the , which acts as the single source of truth for any application connected via federation. For applications that remain SAML- or OIDC-federated, this single change effectively kills new sessions because each app trusts assertions issued by that source.

However, federated logout does not invalidate that may already be sitting in Frank's browser or device. To kill those, Emma triggers a global session/token revocation in the IdP and the SaaS apps that support it.

For the long-lived deployment-pipeline token, Emma must perform an immediate — and going forward, Highbury should adopt so that no human-owned credential lives longer than the human's tenure.

The SSH keys cached on Frank's laptops are best handled by removing his public key from the on every server he could reach. Long-term, Emma will route all SSH access through a , which brokers session-by-session credentials and records keystrokes for high-privilege sessions.

For the local accounts on un-federated legacy apps, Emma must disable each one manually; this is a textbook failure of . To prevent recurrence, Emma will propose , the standard for automating provisioning and deprovisioning across SaaS.

Finally, to give legal a defensible timeline of every revocation action, Emma exports the from the IdP, PAM, and source repo.
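The audit-ready record in the last step is easier to produce when the revocation events from each source are normalized into one schema and checked against an inventory of everything the departing user could reach. The Python below is an added example, not part of the original problem or of any real product; the inventory, the three sources (labelled `idp`, `pam`, `repo`), their field names, the timestamp conventions and the sample events are all constructed. It merges the events into a single UTC timeline, reports how long the revocation took end to end, and flags any inventoried system with no revocation event, which is precisely the un-federated local account that has to be disabled and documented by hand.

```python
"""Added example: merge revocation events from several sources into one
chronological record and flag inventoried systems with no revocation.
All system names, field names and events below are constructed."""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed inventory: systems where the departing user held access, and the
# log source expected to record the revocation. None means no automated source
# exists (a local account on a legacy app that was never federated).
ACCESS_INVENTORY: Dict[str, Optional[str]] = {
    "idp-tenant": "idp",
    "source-repo": "repo",
    "bastion-ssh": "pam",
    "legacy-helpdesk": None,
}

# Constructed sample events. Each source uses its own field names and
# timestamp format, which is what makes a hand-built timeline error-prone.
IDP_EVENTS = [
    {"ts": "2024-03-01T16:58:12Z", "actor": "emma", "target": "fchurchill",
     "action": "user.disabled", "system": "idp-tenant"},
    {"ts": "2024-03-01T17:01:03Z", "actor": "emma", "target": "fchurchill",
     "action": "sessions.revoked", "system": "idp-tenant"},
]
PAM_EVENTS = [
    {"time": "2024-03-01 12:03:40 -0500", "who": "emma", "subject": "fchurchill",
     "event": "ssh-access-removed", "host": "bastion-ssh"},
]
REPO_EVENTS = [
    {"created_at": "2024-03-01T17:05:55+00:00", "actor": "emma",
     "user": "fchurchill", "type": "member.removed", "repo": "source-repo"},
]


def to_utc(ts: str, fmt: Optional[str] = None) -> datetime:
    """Parse a source-specific timestamp and normalize it to aware UTC."""
    dt = datetime.strptime(ts, fmt) if fmt else datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc)


def normalize(user: str) -> List[Dict]:
    """Map every source's records onto one schema, keep only this user's, sort by time."""
    merged: List[Dict] = []
    for e in IDP_EVENTS:
        if e["target"] == user:
            merged.append({"ts": to_utc(e["ts"]), "source": "idp", "system": e["system"],
                           "actor": e["actor"], "action": e["action"]})
    for e in PAM_EVENTS:
        if e["subject"] == user:
            merged.append({"ts": to_utc(e["time"], "%Y-%m-%d %H:%M:%S %z"), "source": "pam",
                           "system": e["host"], "actor": e["who"], "action": e["event"]})
    for e in REPO_EVENTS:
        if e["user"] == user:
            merged.append({"ts": to_utc(e["created_at"]), "source": "repo", "system": e["repo"],
                           "actor": e["actor"], "action": e["type"]})
    return sorted(merged, key=lambda r: r["ts"])


def coverage_gaps(events: List[Dict], inventory: Dict[str, Optional[str]]) -> List[str]:
    """Inventoried systems with no revocation event: these need manual action and a manual record."""
    covered = {e["system"] for e in events}
    return sorted(s for s in inventory if s not in covered)


def elapsed_seconds(events: List[Dict]) -> int:
    """Wall-clock seconds from the first revocation action to the last."""
    if not events:
        return 0
    return int((events[-1]["ts"] - events[0]["ts"]).total_seconds())


def render(events: List[Dict]) -> List[str]:
    """One fixed-width line per event, timestamps in UTC, suitable for an evidence export."""
    return [f"{e['ts'].strftime('%Y-%m-%dT%H:%M:%SZ')} {e['source']:<5} "
            f"{e['system']:<16} {e['actor']:<8} {e['action']}" for e in events]


if __name__ == "__main__":
    timeline = normalize("fchurchill")
    print("\n".join(render(timeline)))
    print(f"revocation window: {elapsed_seconds(timeline)} s")
    print("no automated revocation recorded for:", coverage_gaps(timeline, ACCESS_INVENTORY))
```

Run stand-alone it prints the four merged events in order, a 463 second revocation window, and `legacy-helpdesk` as the uncovered system. Keeping the inventory as data rather than in someone's head is the point: the gap list is the same list of systems that the federation and provisioning work in the earlier steps is meant to empty.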