When a user should no longer have access to your program (for example, a separated employee), the user must be blocked and demoted in the Firstup platform in order to terminate their access to the program. This block and demotion requirement applies to all programs, including programs with SSO that manage users in their IdP or AD.
- Blocking a user terminates any active experience sessions with Firstup, and will not allow the user to sign back in (even if they are still active in your SSO IdP).
- Demoting a user changes the role of a Studio user from Studio-level to Member. Even if unblocked, the user will not have permission to sign into Studio unless they are re-promoted to a Studio-level role.
"Deprovision" means "block AND demote" in this article. Block and demote will terminate access for all users to both the experience and Studio.
Option 1: Deprovision via Users Page
Individual users can be manually blocked and demoted via the Users page in Studio, as outlined in the article Manage Studio and Experience Access. Both Email Registration and SSO programs can leverage this option to cut off access for a user immediately.
Option 2: Deprovision with File via SFTP
One or more users can be deprovisioned using File via SFTP. This option is easy to automate. One advantage of using File via SFTP is that you can also reprovision (unblock) users. File via SFTP can be used by both Email Registration and SSO programs.
To set up deprovision with File via SFTP, please talk to your Customer Success Manager.
If your program is using deprovision with File via SFTP now, you can contact Firstup Support to confirm your deprovisioning configuration and troubleshoot any issues.
Option 3: Deprovision via API Call
Users can be deprovisioned using the Deprovisioning API Call. Only one call can be issued per user, but your IT team may be able to configure the Deprovisioning API Call to occur automatically via a script. There is no Reprovision API Call. Users who are deprovisioned via API call can only be reprovisioned (unblocked) manually.
To set up Deprovisioning API Calls, please reach out to your Customer Success Manager.
If you are already sending Deprovisioning API Calls, then you can contact Firstup Support to troubleshoot any issues such as unfamiliar errors or unexpected behavior.
For programs configured to have users register and sign in via SSO, removing a user from your Identity Provider (IdP, sometimes referred to as AD) will NOT terminate access to your program. To terminate access to the experience and Studio, SSO users must be deprovisioned with Firstup.
The user must be deprovisioned with Firstup because Firstup only communicates with your IdP when the user signs into the platform. After successful authentication, users can remain signed in for 30 days or more. Therefore, if access is terminated only within the IdP, users may continue to have access for 30 days or more.
Most SSO programs prefer to script Deprovisioning API calls, but can leverage any one of the 3 options outlined above.
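The following added example, which is not Firstup's code or part of the original article, shows one way to audit for the gap described above: it compares a user export from your IdP with a user export from the platform and lists accounts that are disabled or missing in the IdP but are not both blocked and demoted. The CSV layouts, the column names, and the role value `Studio Admin` are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports. Column names and values are assumptions,
# not a documented Firstup or IdP export format.
IDP_EXPORT = """email,idp_status
ana@example.com,active
bo@example.com,disabled
cy@example.com,disabled
di@example.com,disabled
"""

PLATFORM_EXPORT = """email,blocked,role
ana@example.com,false,Member
bo@example.com,true,Member
cy@example.com,false,Member
di@example.com,true,Studio Admin
eve@example.com,false,Member
"""


def load(text):
    """Index CSV rows by lower-cased email address."""
    return {r["email"].strip().lower(): r for r in csv.DictReader(io.StringIO(text))}


def find_incomplete_deprovisions(idp_csv, platform_csv):
    """Return (email, idp_state, gaps) for users who lost IdP access
    but are not both blocked AND demoted on the platform."""
    idp = load(idp_csv)
    findings = []
    for email, user in sorted(load(platform_csv).items()):
        idp_row = idp.get(email)
        if idp_row and idp_row["idp_status"].strip().lower() == "active":
            continue  # still entitled to access, nothing to check
        gaps = []
        if user["blocked"].strip().lower() != "true":
            gaps.append("not blocked")   # existing session may still be live
        if user["role"].strip().lower() != "member":
            gaps.append("not demoted")   # Studio-level role survives an unblock
        if gaps:
            state = "missing from IdP" if idp_row is None else "disabled in IdP"
            findings.append((email, state, gaps))
    return findings


if __name__ == "__main__":
    for email, state, gaps in find_incomplete_deprovisions(IDP_EXPORT, PLATFORM_EXPORT):
        print(f"{email}: {state}, {', '.join(gaps)}")
```

Users deleted from the IdP outright are reported as well as disabled ones, since neither action ends an existing platform session.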