Disabling someone in your IdP doesn't end their access in apps that keep their own authority. Passage runs the two-step leaver — remove the seat and revoke the OAuth grant/token — and won't let the run close while a token is still live. Every account, license, group, and laptop, in one tracked run, proven and audit-ready.
Create accounts, grant least-privilege access, assign a device — from a role template.
Role or department change: grant the new access and revoke the old — the step most tools forget.
Disable the account, remove every SaaS seat and revoke its OAuth tokens, reclaim licenses, demand the laptop back — and prove access actually ended.
At the price of a checklist app, Passage gives an SMB real deprovisioning, device return, and an audit trail an assessor will accept.
For every non-federated SaaS app, the leaver removes the seat AND revokes the OAuth grant/token — because disabling the IdP alone leaves working tokens behind. Access ends only when both halves are done.
Edge vs BambooHR & Okta
OAuth-grant discovery queries each app for the user's actual grants — surfacing self-authorized apps and personal tokens no template anticipated, so a shadow integration doesn't keep access after you "offboarded" them.
Nobody else surfaces this
The closure gate hard-blocks if a seat was removed but its OAuth token is still live — plus device return and every critical step. Closing emits hashed, tamper-evident proof that access was ended, not just that the IdP was disabled.
Nobody else closes this loop
Every paid seat the role carried becomes a reclaimable license; the evidence rolls up the monthly/annual dollars freed. Plus device return enforced via Cairn — no SSO tax, no impl fee, BYO-key AI.
The market wedge
of cloud breaches in 2024 involved misuse of dormant credentials — many tied to orphaned accounts that offboarding never disabled. The HR action ("Jane is leaving Friday") and the IT action ("disable Jane's accounts") live in separate systems, on separate timelines. That gap is where former-employee access lingers.
Passage runs the leaver as a single tracked run: accountEnabled=false → revokeSignInSessions → for each SaaS app, remove seat + revoke OAuth token → reclaim licenses → device return → evidence. A critical step can't be skipped — and the closure gate won't let the run finish while a seat was removed but its OAuth token is still live.
Roughly 40% of departed employees keep access to at least one app — because non-federated SaaS keeps its own authority, and any OAuth grant the user authorized keeps issuing working tokens long after the IdP disable.
To truly end access in a non-federated app — GitHub, Salesforce, Atlassian, Zoom, Slack — a leaver needs both: seat removal (no interactive login) and OAuth grant/token revocation (no programmatic access via already-issued tokens). Role templates emit both for every app the role used.
A template only assumes which grants a person holds. Discovery queries each app for the user's actual authorized grants — surfacing a personal automation tool or API token no template planned to revoke. A discovered grant is flagged covered or uncovered so nothing slips through.
An "Access ended" panel shows, per app, seat removed ✓ + OAuth token revoked ✓ → access ended, or flags residual access risk. The result, with each call's method/endpoint and before/after, is written into the closed run's hashed evidence as saasAccessEnded.
Passage builds and orchestrates the provider-correct calls and captures the evidence; in this build the live connector calls are simulated behind a boundary (the API shapes are wire-accurate, the live execution is on the roadmap). Discovery returns realistic fixtures, including a planted shadow grant, rather than querying live. See the two-step deprovisioning docs.
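The closure-gate rule described above (seat removed but token still live blocks the run; a discovered grant must be covered; the outcome is hashed as saasAccessEnded), worked as an added example that is not Passage's own code. The field names, the blocker strings and the waiver map (a blocker-to-reason dict) are assumptions; the sample run is constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

@dataclass
class AppAccess:
    """Per-app state of a leaver run for one non-federated SaaS app."""
    app: str
    seat_removed: bool   # interactive login gone
    token_revoked: bool  # already-issued OAuth tokens revoked
    discovered: list = field(default_factory=list)  # grants discovery found
    covered: list = field(default_factory=list)     # grants the template revokes

    def access_ended(self) -> bool:
        # Access ends only when both halves are done.
        return self.seat_removed and self.token_revoked

    def uncovered(self) -> list:
        # Discovered grants no template planned to revoke (shadow grants).
        return [g for g in self.discovered if g not in self.covered]

def closure_gate(apps, device_returned, waivers=None):
    """Return (can_close, open_blockers). Blocks while a seat was removed but
    its token is still live, a discovered grant is uncovered, or the device is
    out; a blocker present in `waivers` (assumed blocker -> reason) is accepted."""
    waivers = waivers or {}
    blockers = []
    for a in apps:
        if a.seat_removed and not a.token_revoked:
            blockers.append(f"{a.app}: seat removed but OAuth token still live")
        blockers += [f"{a.app}: uncovered grant {g}" for g in a.uncovered()]
    if not device_returned:
        blockers.append("device: not returned")
    open_blockers = [b for b in blockers if b not in waivers]
    return not open_blockers, open_blockers

def evidence_record(apps, device_returned):
    """Canonical JSON of the per-app outcome plus its SHA-256 hash anchor."""
    rec = {"saasAccessEnded": {a.app: a.access_ended() for a in apps},
           "deviceReturned": device_returned}
    body = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return body, hashlib.sha256(body.encode()).hexdigest()

# Constructed sample: GitHub fully ended; Slack seat removed but its token is
# still live, and discovery found a planted shadow grant the template never covered.
SAMPLE = [
    AppAccess("GitHub", True, True, ["repo-bot"], ["repo-bot"]),
    AppAccess("Slack", True, False, ["slack-app", "personal-zap"], ["slack-app"]),
]
```

Running `closure_gate(SAMPLE, device_returned=True)` returns two blockers for Slack; only once the token is revoked and the shadow grant is covered (or explicitly waived) does the run close and the evidence record get hashed.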
One completed run, evidence across every framework — collected once, satisfies many.
§164.308(a)(3)(ii)(C) termination procedures — the access-removal proof your Security Officer needs.
CC6.2 / CC6.3 — logical access provisioned and de-provisioned, with timestamped action logs.
3.1.1 / 3.5.6 account management and least privilege — straight into your Bastion SSP & SPRS narrative.
PR.AA identity & access — posture flips green in Sightline with Passage as the evidence source.
A.5.18 access rights & A.5.11 return of assets — device-return enforcement on the record.
Hash-anchored, signed, exportable. Take it with you — no renewal-escalation lock-in.
Passage isn't a separate system your team has to remember. It syncs with your HRIS, is triggered by HR events, drives your identity provider to disable accounts and revoke sessions, ends access in your non-federated SaaS (seat + OAuth-token revoke), and opens and closes tickets in your ticketing system — then tells your team in Slack. One run, across the tools you already pay for.
A hire or term-date in Workday or BambooHR auto-drafts the joiner or leaver run — the HR action and the IT action finally on one timeline.
Triggered by HR events
Microsoft 365 / Entra, Google Workspace, Okta, JumpCloud — provider-correct disable, session-revoke, license and group steps. JumpCloud app access handled through group membership, the right way.
Real deprovisioning
Opens a deprovisioning ticket in ServiceNow or Jira Service Management when the run starts, and closes it with the evidence attached when the run completes.
Opens & closes tickets
GitHub, Salesforce, Atlassian, Zoom, Slack keep their own authority — so Passage removes the seat and revokes the OAuth grant/token, and surfaces shadow grants. Notify in Slack; a generic webhook covers the long tail.
Ends access for real
IT managers, MSP leads, and fractional CISOs who have to prove the door closed.
"We used to offboard off a spreadsheet and pray the assessor didn't ask for proof. Now the run produces the evidence and the laptop can't fall through the cracks."
"The closure gate is the whole thing. A leaver run literally can't finish until the critical deprovisioning is done or waived with a reason. That's the control I was faking in a checklist."
"Same offboarding evidence satisfied our SOC 2 and our 800-171 line items. Collected once, reused across frameworks — that alone paid for it."
Early-access voices — representative of our design-partner program. Named case studies on the way.
Annual billing −15%. The free tier actually disables accounts.
Local-first / privacy-first
Core SMB · min $150/mo
Compliance-driven
Volume, annual
The same $6–$13 band — but device return, portable evidence, and no SSO tax are included, not extra. Compared at a typical 100-managed-user team.
| Capability | Passage Pro / Team | Rippling (IT) | Okta Lifecycle | BambooHR + IT |
|---|---|---|---|---|
| Entry price for real JML | $7.50–$13/user/mo · no base | ~$8 base + $7–$8 device/app modules | $4 add-on, but requires ~$14 base (SSO tax) | $17 Pro + IT-onboarding add-on |
| Implementation fee | None | $2k–$20k+ | Pro services common | 5–15% of annual |
| Free tier that actually disables accounts | Yes | No | No | No |
| Real deprovisioning (disable + revoke sessions) | Yes | Yes | Yes | Checklist only |
| Ends access in non-federated SaaS (seat + OAuth token revoke) | Yes — both halves | Uneven | Federated only | No |
| OAuth-grant discovery — finds shadow apps | Yes | No | No | No |
| Residual-token closure gate | Yes — hard block | No | No | No |
| Human-task orchestration in the same run | Yes | Partial | No | Yes (no real provisioning) |
| Device-return enforced as a closure gate | Yes (Cairn) | Device mgmt, not gated | No | No |
| Mover diff — revoke stale access on role change | Yes | Role-based | Partial | No |
| Hash-anchored, portable audit evidence | Yes — exportable | Logs in-platform | Logs in-platform | No |
| Cross-framework compliance push (SOC 2 / HIPAA / 800-171) | Yes — built in | No | No | No |
| No SSO tax / no platform fee | Yes | Platform fee | SSO tax | HR platform required |
| MSP multi-tenant console | Yes — $6/user | Limited | Enterprise | No |
Rippling charges $2k–$20k+ and BambooHR 5–15% of annual to onboard. Passage is self-serve from the free tier.
Okta's $4 Lifecycle add-on rides on a ~$14/user Core base. Passage's $7.50 Pro has no base to buy first.
Device-return enforcement and portable audit evidence are in the price — not separate modules or unavailable at all.
Competitor pricing reflects publicly reported 2026 list pricing (PeopleManagingPeople, AccessOwl, costbench) and stacks modules/base fees as documented; vendor pricing changes — verify current terms directly. Full comparison & sources →
Run your first offboarding in minutes — local-first, no card, no implementation call.
Start free