HomeHow it works
Solutions
Pricing
Resources
Sign in
Try LicenceOne
How it works
Solutions
Pricing
Resources
Sign in
Talk to sales
Try for free

Why direct app integrations don't work for SMEs

A straight talking guide to the industry bullshit jargon
6 min read · Updated 20 May, 2024
Table of contents
IntroductionSo it's technically possible?But my SMP has direct app integrationsSSO will do the job, right?How can SMEs manage SaaS on/off-boarding?SummaryFAQs

Everybody’s experienced it. Someone exits the company, and you realise that removing the team member from their access to company tech isn’t as simple as handing in their laptops and phones.

No, today each employee depends on tens, hundreds of different online apps, each of them with their own accesses. Some you’ve managed to close up with a password manager, some are managed with “Sign in with Google” buttons, some might be on SSO, and some just common accounts with passwords shared on a post-it.

Identifying those apps is one thing. Ensuring that everyone is correctly removed from all of them, and that you’ve subsequently cancelled the subscription for each of their SaaS is a whoooole different kettle of fish.

Naturally, savvy IT and Finance leaders turn to employee #2: Google, and fall into the rabbit hole of SaaS Management, Identity Access Management (IdP), and the smoke-and-mirrors presented by overzealous marketing teams. If you’re reading this, you’re probably at that point now.

If you don’t read further, remember this: No SaaS Management tool can automatically create or delete users for you automatically unless all of your apps are on enterprise plans, and all of your apps offer SCIM provisioning. So if you’re an SME, prepare to x4-x10 your SaaS spend.

If you’re curious and want to know why, keep reading.

So it’s technically possible?

For sure. It’s the best friend of any IT team in large corporations or organisations with strict regulatory requirements. They simply plug in their SaaS Management Platform (SMP) with each of their SaaS apps then set up automated workflows to decide when users should be automatically created or deleted on those SaaS.

But…

The way that they do so is by harnessing a technical standard known as SCIM provisioning, or System for Cross-domain Identity Management [provisioning]. This is the only known secure method to connect with your SaaS (via API) and create or delete those users for you.

Great for large companies. Hell, we bet they’d be willing to pay tons to solve a problem that big.

That’s exactly what SaaS executives think, too. That’s why most, if not all, SaaS apps only allow you to access their SCIM API if you’re on their “Enterprise” pricing plan. If you don’t want to head to the Pricing page and Ctrl + F for “Provisioning” and “SCIM”, we’ve collected a few examples 👇

Pricing plans comparison for Notion, displaying four tiers: Free, Plus, Business, and Enterprise. The Free plan, costing €0, offers unlimited blocks for individuals and basic features. The Plus plan, priced at €7.50 per user/month, includes everything in Free along with unlimited file uploads and 30-day page history. The Business plan costs €14 per user/month, providing advanced features like SAML SSO, private teamspaces, and advanced security. The Enterprise plan requires contacting sales for pricing and includes all Business features plus user provisioning (SCIM), audit logs, and advanced security & compliance integrations. The image highlights user provisioning (SCIM) in the Enterprise plan.
Comparison table of Asana's project management software features across various plans including Personal, Starter, Advanced, Enterprise, and Enterprise+. The table lists several features such as unlimited tasks, custom onboarding, admin announcements, and SAML. The image highlights "User and group provisioning and deprovisioning (SCIM)" which is available starting from the Enterprise plan. Enterprise and Enterprise+ plans offer the most advanced features, marked with checkboxes.
Comparison of Slack's pricing plans, detailing features for Pro, Business+, and Enterprise Grid tiers. The Pro plan, at €6.75 per person/month billed yearly, offers unlimited message history, apps and integrations, and voice/video calls with up to 50 participants. The Business+ plan, costing €11.75 per person/month billed yearly, includes all Pro features plus 99.99% guaranteed uptime, SAML-based single sign-on, and user provisioning and deprovisioning. The Enterprise Grid plan, with pricing available upon contact, offers comprehensive security and compliance features, enterprise key management add-on, large-scale collaboration for up to 500,000 users, and centralized controls. The image emphasizes the user provisioning and deprovisioning feature available in the Business+ plan.
Calendly pricing plan comparison table detailing various features and their availability across different plans. Features listed include routing form analytics, routing by HubSpot or Salesforce assignments, and SAML single sign-on (SSO). The image highlights "Advanced user provisioning via SCIM," which is only available in the highest tier plan. The table also mentions other features such as domain control and account oversight, activity (audit) log, and monitoring across organization and user levels.
Comparison table of pricing plans for Airtable, detailing features available in Free, Team, Business, and Enterprise Scale tiers. The table includes sections for admin controls and security and compliance. Features listed under admin controls include federated organization with associated domains, Enterprise Hub, organizational units, and SCIM user provisioning. The image highlights "SCIM user provisioning," available in the Business and Enterprise Scale plans. Security and compliance features listed include SAML-based single sign-on (SSO), data loss prevention (DLP), and audit logs, with advanced features such as Enterprise Key Management available as add-ons.
Comparison of monday.com's pricing plans, highlighting features available in Free, Basic, Standard, Pro, and Enterprise tiers. The table focuses on sections for Administration & Control and Enterprise Reporting & Analytics. Features listed under Administration & Control include board administrators, audit log, session management, and SCIM provisioning. The image highlights "SCIM provisioning," which is available only in the Enterprise plan. Enterprise Reporting & Analytics features include work performance insights, dashboard email notifications, and pivot analysis & reports.
DocuSign's pricing plans comparison table, highlighting features available in Personal, Standard, Business Pro, and Enhanced Plans. The comparison includes sections on Team Management and Streamlined Workflows & Documents. Features listed under Team Management include user & group permissions, team reports, shared templates, and document signing. The image highlights "Access management & SSO" and "Organization management," which are only available in the Enhanced Plans and require contacting sales for pricing. The Streamlined Workflows & Documents section lists features like locked templates, form fields, drawing fields, and bulk send capabilities.

Not on enterprise plans, like the majority of SMEs? Tough luck. You’ll have to onboard and offboard your users manually.

But my SaaS Management Platform has direct app integrations...

Humorous meme image showing a person in a flooded basement using a dustpan to try and remove water, with washing machines in the background. The person is wearing a Viking helmet with horns and glasses. The top text reads, "AUTOMATICALLY ON/OFF-BOARD USERS THEY SAID," and the bottom text reads, "WE DIRECTLY INTEGRATE WITH APPS THEY SAID," implying that the promises of easy automation and integration have led to a chaotic and ineffective situation.

They do, but SaaS Management Platforms (SMP) aren't the problem. The issue is that as soon as you try to connect your SMP to any one of your SaaS with priced-off SCIM, you’ll hit an error and have to resort to manual offboarding.

That might not be an issue, so long as your SaaS Management Platform is reasonably priced and allows you to set up SaaS on/off-boarding processes that don’t depend on SCIM. Unfortunately though (noticing a trend?), just like SCIM access, SaaS Management Platforms with direct app integrations and automatic SaaS user provisioning features tend to be high-cost solutions, as the folk that want those features are big corporations.

Single-Sign-On (SSO) will do the job, right?

Meme image based on the "Distracted Boyfriend" format, depicting a man looking at another woman while his girlfriend looks at him in disbelief. The labels added to the image are: "SaaS Vendors" on the boyfriend, "Adding SSO to Enterprise Plans" on the other woman, and "Providing SSO at a Reasonable Price" on the girlfriend. The meme humorously comments on SaaS vendors prioritizing adding SSO (Single Sign-On) to expensive enterprise plans over offering it at a reasonable price.

Just like SCIM provisioning, when SaaS vendors hear the word “SSO” in a demo call, they start salivating. Because yet again, this is the type of requirement that large organizations have, so they’ll also price that off on their enterprise plans.

For a long list of SaaS vendors that price off SSO (sometimes referred to as SAML), check out SSO.tax, but for convenience, we’ve also selected a few apps to demonstrate 👇

Notion's pricing plans comparison chart, detailing features for Free, Plus, Business, and Enterprise tiers. The Free plan, offered at €0, includes unlimited blocks for individuals and basic features like collaborative workspace and basic page analytics. The Plus plan, costing €7.50 per user/month billed annually, adds features like unlimited file uploads and 30-day page history. The Business plan, priced at €14 per user/month billed annually, includes everything in Plus and additional features such as SAML SSO, private teamspaces, and advanced security. The Enterprise plan requires contacting sales for pricing and provides all Business features plus advanced controls like SCIM provisioning, audit logs, and advanced security & compliance integrations. The image highlights the SAML SSO feature included in the Business plan.
Asana's plan comparison table, detailing features across various subscription levels including Premium, Business, and Enterprise. The table includes sections for security, team collaboration, and admin controls. Key features listed include Google SSO, private teams, custom onboarding, admin announcements, and advanced project controls. The image highlights "SAML" as a feature available in the Business and Enterprise plans. Additional Enterprise-exclusive features include user and group provisioning and deprovisioning (SCIM), service accounts, mobile data controls, and advanced administrative and security controls.
Slack's pricing plans comparison table, illustrating features for Pro, Business+, and Enterprise Grid tiers. The Pro plan, costing €6.75 per person/month billed yearly, includes unlimited message history, unlimited apps and integrations, and voice-first huddles for up to 50 participants. The Business+ plan, priced at €11.75 per person/month billed yearly, provides all Pro features plus 99.99% guaranteed uptime, user provisioning and deprovisioning, SAML-based single sign-on, and unlimited canvases with 90 days of version history. The Enterprise Grid plan requires contacting sales for pricing and includes comprehensive security and compliance features, a built-in employee directory, and support for up to 500,000 users. The image highlights the SAML-based single sign-on feature included in the Business+ plan.
Calendly's plan comparison table, detailing features across different subscription levels: Free, Standard, Teams, and Enterprise. The table includes features under categories such as routing options, security, and management. Key features listed include locking and syncing managed events, routing by HubSpot or Salesforce assignments, and form analytics. The image highlights "SAML single sign-on (SSO)" as an add-on feature available only in the Enterprise plan. Other Enterprise-exclusive features include advanced user provisioning via SCIM, domain control and account oversight, activity (audit) log, and monitoring success on an organization- and user-level.
Comparison table of pricing plans for Airtable, detailing features available in Free, Team, Business, and Enterprise Scale tiers. The table includes sections for Admin Controls and Security and Compliance. Features listed under Admin Controls include federated organization with associated domains, admin panel, organizational units, and SCIM user provisioning. The image highlights "SAML-based single sign-on (SSO)," which is available in the Business and Enterprise Scale plans. Security and Compliance features listed include data loss prevention (DLP), audit logs, and Enterprise Key Management, with some features available as add-ons in the Enterprise Scale plan.
monday.com's plan comparison table, outlining features available in Free, Basic, Standard, Pro, and Enterprise plans. The table focuses on sections for Security & Privacy and Administration & Control. Features listed under Security & Privacy include SOC 2 Type II Compliance, two-factor authentication, private boards and docs, and Google authentication. The image highlights "Single Sign-On (SSO)" for Okta, OneLogin, Azure AD, and Custom SAML, which is available only in the Enterprise plan. Other features under Administration & Control include board administrators, SCIM provisioning, audit logs, and session management.
DocuSign's pricing plans comparison table, outlining features available in Personal, Standard, Business Pro, and Enhanced Plans. The Personal plan, at $10 per month, includes 5 templates per month and access to 900+ partner integrations. The Standard plan, priced at $25 per month, adds features such as shared templates, collaborative commenting, and customized branding. The Business Pro plan, at $40 per month, includes all Standard features plus advanced fields, bulk send, and payments. The Enhanced Plans offer additional benefits and require contacting sales for pricing. The image highlights the "Single sign-on (SSO)" feature, available only in the Enhanced Plans. Other Enhanced Plan benefits include managing data across accounts, 24/7 live support, and customized integrations.

Oh, and let’s not forget, adding an SSO solution (Okta, OneLogin etc.) is another subscription to add to your budget.

Single-sign on (SSO) doesn't on/off-board users

Nope, that’s SCIM (Getting sick of the jargon yet?). SSO just means that once you delete the user from your SSO solution, the user will not be able to log in and access the applications you have SSO enabled for (unless, of course, you also have SCIM - see above).

That means that you’ll still be paying for their seats on your subscription. And in some cases, even if you’ve removed their “seat” from your subscription, you’ll still need to log into the billing section of your apps to reduce the number of licences you’re paying for.

Ah, yes - because some SaaS vendors don’t automatically update that according to the number of users on your account. They just consider that your licence hasn’t been attributed to a user, despite that user being removed of their access.

How can SMEs manage SaaS on/off-boarding?

Meme image featuring the "This is fine" dog cartoon. The dog is sitting in a burning room, calmly saying, "This is fine." Various labels are added to the image: "ENGAGED IN A CONTRACT WITH AN ENTERPRISE SMP," "SSO TAX," "ALREADY CHOSE TO SWITCH TO OKTA," and "ON-OFF/BOARDING NEED ENTERPRISE PLANS." The meme humorously illustrates the stress and complications of dealing with enterprise software and service plans, despite attempting to stay calm.

Unfortunately, there’s no magic wand, but there are ways to optimise your SaaS user onboarding and offboarding without breaking the bank.

First, let’s lock down security. Implement some sort of company-wide password manager and ensure that users know the most up-to-date information on good password practices (the NIST password guidelines are a great starting point). That way, should someone leave the company, you can be reasonably sure that they can’t log into any of their (now ex-) apps.

If your SaaS offers it, encourage team members to only login via “Sign in with Google” / “Sign in with Office 365” buttons. That way, you can block all those accesses via your Google or Microsoft admin portal. You’ll still need a password manager as backup for the apps that don’t have that option, though.

Now let's talk about SaaS on/off-boarding for SMEs

The best-in-class process for SMEs is deploying a semi-automated workflow.

As soon as an employee joins or leaves the company, you create a task list for the on/off-boarding tasks and delegate each task to each of your application managers. If Claire is responsible for Asana, she’s responsible for adding and removing everyone there; if Ian is responsible for Notion, he’s responsible for adding and removing everyone from there, etc.

To optimize that process, you’ll first need to have an updated inventory of all your apps and the employees who have access to them. For that, you have two choices:

  1. Use a SaaS Tracker spreadsheet/Notion template, trigger task workflows by integrating your spreadsheet with some sort of task management tool (Asana, Trello, Notion etc.), then relaunch the app managers who haven’t completed tasks after x days
  2. Use an SME-compatible SaaS Management Platform to automatically keep an updated SaaS inventory, then trigger optimized on/off-boarding processes via that platform. As an added plus, those SaaS Management Platforms will consistently monitor and remind your app managers who forget to complete their tasks

In LicenceOne, for example (we have to toot our own horn at some point 😛), you’d head to the employee profile you want to offboard, begin an offboarding process, then your application managers will constantly be reminded until your (now-ex) employee is fully offboarded.

Screenshot of the LicenceOne application, displaying the "Tasks" section. The left sidebar includes navigation options such as Dashboard, Tasks, Applications, Employees, Processes, Renewals, and Data sources. The main section lists tasks with filters applied, showing tasks that are "To do," "Upcoming," and "Complete." Highlighted is a task to "Remove Rémy Neuter from Notion," with detailed information on the right: - Task type: Offboarding - Assigned to: Emilien Potin - Due date: 07/10/2021 - Postpone until: 09/10/2021 - Task status: To do - Linked app: Notion - Linked process: Offboarding Rémy Neuter The task was created automatically by LicenceOne. Further comments indicate issues with access rights for the assigned personnel.

Summary

If you want to onboard and offboard users for your SaaS apps as an SME, either:

  1. x4-x10 your SaaS budget to switch all your SaaS apps to enterprise plans and get SCIM & SSO access, then take an enterprise SaaS Management Platform
  2. Use a SaaS tracker spreadsheet, pray it’s up-to-date, and launch manual on/off-boarding workflows from there
  3. Use LicenceOne, optimize your SaaS onboarding and offboarding, and pay a reasonable price for SME-compatible SaaS Management features

If you have questions after reading this article, feel free to shoot us a message in our chat tool on this page. We’re in the business of selling the right tool to the right buyer, not over-selling unusable features and engaging companies in 12-month contracts.

SaaS Onboarding and Offboarding FAQ

My SaaS Management Platform still says they can automatically on/offboard

Can SSO solutions like Okta and OneLogin automatically on/offboard users?

My SaaS Management Platform automatically on/offboards users for my Google Workspace/Microsoft 365

Ready to take back control?
Take a 30-day trial of LicenceOne.
Don’t worry - you won’t be automatically charged if you don’t cancel, because that would be too ironic.
How it works
Get started with LicenceOne
logo linkedin
English
Product
How it worksPricingIntegrations
Features
App discoveryCost optimizationSpend managementManage renewalsApp usage trackingUser offboarding
Use cases
Finance teamTeam managers
Resources
Help centerSecurityProduct updatesChrome extensionGoogle workspace app
Guides
What is SaaS Management?Why SaaS integrations don't work for SMEsHow to combat SaaS sprawl5 ways to reduce your company's SaaS spendShadow IT: Definition, risks, and concrete solutions
Free tools
SaaS savings calculatorSaaS Tracker Google Sheets TemplateSaaS Advent
Company
About usMedia kitContact usLegal imprintTerms of ServiceData Processing Agreement
Contact
LoginCreate accountRequest a demo
Made with ❤️  in La Rochelle - Design by @mazette.co