If a user is disabled in Clutch or OKTA, is their access terminated immediately?
- If the user loses access to the Clutch app in OKTA (without changes in the Clutch systems), they stay logged in until the end of their session (12 hours max).
- If the user is modified inside Clutch, it depends on how they were modified. We check the SSO token for every request, so if we remove someone from the Cluch Portal and remove all their SSO sessions from the DB, they would lose access immediately (removed explicitly by a dev in the DB itself). But if the process in Clutch only modifies certain rows (i.e. through our normal user mgmt UI), it’s also possible they stay logged in for up to 12 hours.
- If someone is suspected of fraud, Clutch should be notified immediately, that should be escalated to our tech team and the user will be hard removed from the DB of users, resulting in immediate access termination.
- If the user is not a bad actor threat, then normal disabling of use in User Management would result in session expiration within about 12 hours. This is also how OKTA operates.
- Note that once the IdP (OKTA) authorizes a user, the session doesn’t get invalidated with the SP (Clutch) if the user gets suspended.
How do I create a new user in Clutch, when we have a SAML 2.0 integration?
- This would need to be done internally with your system admins.
- The new Clutch user would need to be authorized by your team and have a profile generated that allows Clutch access through your SAML integration
- Once this happens your new user can access Clutch via your SSO platform.
- Once created the user will “clone” your templated Clutch user and will need to have their permission schema updated if they need more access then the templated user allows (refer to our setup docs to understand more about your templated user).
