In this article:
- IGA systems' limited reach: While automated identity governance and administration (IGA) tools streamline user onboarding, access changes, and offboarding, about 40% of applications can't integrate with them, forcing IT teams to rely on manual workarounds that increase the chance of compromise and compliance failures.
- Security and compliance risks: Apps without API or SCIM compatibility often require shared credentials, manual provisioning, and inconsistent deprovisioning, leading to lingering access for ex-employees and audit headaches.
- Extending IGA coverage: Platforms like Cerby bridge this gap by creating APIs and automating UI interactions for "disconnected" apps, enabling IGA management across all applications, strengthening security and compliance, and freeing IT teams from tedious manual access management.

When modern, automated identity governance and administration (IGA) systems work well, it's a dream — fast, efficient, and safe. With a few clicks of an administrator's mouse, a new employee quickly gains access to the systems and applications they need to do their job. If the employee moves to another position, the IGA system reconfigures their access profile to fit the new role. And when the employee leaves the company, IGA smoothly logs them out of the email system, revokes access to apps and makes sure their domain login no longer works.

But some 40% of applications aren't compatible with the application programming interfaces (APIs) or protocols that make this possible. IT teams instead have to manage those apps with cumbersome, clunky workarounds. These manual, error-prone processes lead to higher risks of security compromise and compliance failure.

However, there are solutions that make it possible to extend automated lifecycle management and the other benefits of IGA to all applications, even those lacking the proper APIs and connectors. Here's what these solutions provide and how they work.

Why IGA tools don't work with all apps

The applications most likely to work with modern IGA systems are newer, cloud-based and enterprise-focused. Those least compatible with IGA tend to be consumer-focused, older, and/or installed on-premises.

For example, many online social-media services can't interface with IGA systems because they were designed for single users as personal services. That's great for the consumer, but a huge hassle for an organization that uses social media for marketing and publicity. Marketing teams must share a single set of credentials for each app, passwords and password updates may be stored on unsafe spreadsheets or cloud-based text files, and multi-factor authentication becomes a needless complication rather than a necessary safeguard.

"One account holder tends to share access by sharing those credentials directly with other employees or perhaps a third-party partner like an ad agency or a social media partner," says Bora Repishti, Vice President of Marketing at Cerby. "One thing we want to make IT and security teams aware of is that these apps are business-critical and they present real risks, even though they don't have sensitive data that hackers might want to get to."

Many modern applications use one or more of four common standards to interact with IGA and identity and access management (IAM) systems:
- SCIM (System for Cross-domain Identity Management), which applies mostly to cloud-based and SaaS applications
- SAML (Security Assertion Markup Language), which is best for enabling SSO
- OIDC (OpenID Connect), an authentication protocol based on the OAuth 2.0 authorization protocol
- WS-Federation (or WS-Fed), an older protocol that enables SSO and federated identity in Microsoft environments

"The standards make it much easier to integrate," says Aaron Yee, Head of Product Marketing at Cerby. "If the apps themselves do not support standards and every single app is a one-off, it becomes very expensive for identity providers and IGA vendors to try to build custom connections, if they can at all, to those apps."

Speaking of expensive, there's also what identity professionals call the "SSO tax" — the extra fees that some application providers charge clients so that their apps will work with the single sign-on schemes offered by modern IAM systems, as well as with IGA systems.

"These vendors realize that they can charge a premium for having SAML and SCIM support," says Repishti. "The premium is oftentimes upwards of five figures, sometimes six figures."

Those extra charges may deter many smaller organizations from opting for the more expensive, but safer, versions of applications.

Beyond those protocols, individual application developers and providers may include specialized APIs to interact with Okta, Microsoft Entra ID, or other widely used identity-management systems. But again, there may be an upcharge, even if the APIs or connectors are part of a larger bundle of options.

"What the vendors typically do is they're not charging just for SAML and SCIM," says Repishti. "They're bundling in other features as well that may not even be security-related."
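To make the contrast concrete, here is an added example (not code from the article or from Cerby) of the joiner/leaver lifecycle against an app that speaks SCIM, beside the compensating audit an IT team is left with for a disconnected app that only offers an account export. The ScimApp class, the logins, the HR roster and the CSV are constructed stand-ins.

```python
"""Added example, not from the article or from Cerby: a joiner/leaver flow against
a SCIM-capable app, plus a compensating audit for a disconnected app that only
offers a CSV export of its accounts. Every name and record here is constructed."""
import csv
import io

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

class ScimApp:
    """In-memory stand-in for an app's SCIM /Users endpoint (hypothetical)."""
    def __init__(self):
        self.users = {}

    def post_user(self, body):
        """POST /Users: the provisioning call an IGA system makes on hire."""
        uid = f"u{len(self.users) + 1}"
        self.users[uid] = {**body, "id": uid}
        return uid

    def patch_user(self, uid, body):
        """PATCH /Users/{id}: apply SCIM replace operations, e.g. active -> false."""
        for op in body["Operations"]:
            if op["op"].lower() == "replace":
                self.users[uid][op["path"]] = op["value"]

    def active_logins(self):
        return sorted(u["userName"] for u in self.users.values() if u["active"])

def onboard(app, login):
    return app.post_user({"schemas": [SCIM_USER], "userName": login, "active": True})

def offboard(app, uid):
    # Deprovisioning flips the SCIM "active" flag; with a connector the IGA does this itself.
    app.patch_user(uid, {"schemas": [SCIM_PATCH], "Operations": [
        {"op": "replace", "path": "active", "value": False}]})

# A disconnected app exposes no API, only a periodic account export (constructed sample).
DISCONNECTED_EXPORT = """login,last_login
alice@example.com,2024-05-02
bob@example.com,2024-04-28
marketing-shared@example.com,2024-05-03
"""

def lingering_accounts(export_csv, hr_active_logins):
    """Compensating control for apps without SCIM: flag exported accounts whose login
    is not an active employee (ex-employees and shared logins) for manual review."""
    rows = csv.DictReader(io.StringIO(export_csv))
    return sorted(r["login"] for r in rows if r["login"] not in hr_active_logins)
```

Run against the sample, the SCIM path removes bob's access in one PATCH, while the export review is what surfaces both his leftover account and the shared marketing login on the disconnected app.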





