Lifecycle Management
This article explains how administrators can manage the full user lifecycle in Secret Double Octopus, including user onboarding, enrollment, authentication readiness, changes during employment, and offboarding.
Audience
This article is intended for Secret Double Octopus administrators, helpdesk teams, IT operations teams, and identity administrators responsible for managing users and authentication lifecycle processes.
Overview
Lifecycle Management refers to the process of managing users from the moment they are created or assigned to use Secret Double Octopus, through enrollment and active usage, and finally through removal or deactivation when access is no longer required.
A well-managed lifecycle helps ensure that users are enrolled correctly, have the right authentication methods, remain synchronized with organizational identity sources, and are removed from access when they leave the organization or no longer require authentication services.
User Lifecycle Stages
| Stage | Admin Objective | Typical Actions |
|---|---|---|
| 1. User Provisioning | Make the user available in SDO. | Sync user from directory, assign to relevant group, validate user attributes. |
| 2. Enrollment | Allow the user to register their authenticator. | Send enrollment invitation, guide user through registration, verify successful enrollment. |
| 3. Active Usage | Ensure the user can authenticate successfully. | Monitor authentication activity, review failed attempts, validate policy assignment. |
| 4. Change Management | Support user changes during employment. | Reset enrollment, replace device, update group membership, change policy assignment. |
| 5. Offboarding | Remove access when the user no longer requires it. | Disable user in directory, remove from SDO groups, revoke authentication access. |
Prerequisites
Before managing user lifecycle tasks, verify the following:
- You have administrator access to the Secret Double Octopus Tenant Manager.
- The user directory integration is configured and synchronized.
- Relevant user groups are available and mapped to the correct policies.
- Enrollment settings and authentication policies are configured.
- The user has access to the required device or authenticator for enrollment.
1. User Provisioning
User provisioning is the first stage of lifecycle management. In most deployments, users are synchronized from an external identity source such as Active Directory, LDAP, or another supported directory service.
Admin Checklist
- Confirm that the user exists in the organization’s identity source.
- Confirm that the user is included in the correct directory group.
- Verify that the directory synchronization completed successfully.
- Search for the user in the SDO Tenant Manager.
- Confirm that the user appears with the expected username, email address, and group assignment.
2. User Enrollment
Enrollment allows users to register their authentication method and become ready to use passwordless authentication.
Typical Enrollment Flow
- The administrator confirms that the user is available in SDO.
- The user receives an enrollment invitation or begins the enrollment process through the configured flow.
- The user registers their authentication method.
- The system validates the enrollment.
- The user becomes ready for authentication.
What Admins Should Validate
- The user is assigned to the correct authentication policy.
- The user completed enrollment successfully.
- The user’s device or authenticator is active and available.
- The user can complete a test authentication if required.
3. Active Usage and Monitoring
After enrollment, administrators should monitor user authentication activity to confirm that users are successfully authenticating and that there are no repeated failures.
Recommended Checks
- Review successful authentication events.
- Check for repeated failed authentication attempts.
- Confirm that the user receives authentication prompts as expected.
- Validate that the correct policy is applied.
- Confirm that the user’s directory status is active.
4. Change Management
During the user lifecycle, administrators may need to perform updates when users change devices, roles, groups, or access requirements.
Common Change Scenarios
| Scenario | Admin Action |
|---|---|
| User changed phone or workstation | Reset or restart enrollment according to the organization’s process. |
| User moved to a different department | Update directory group membership and confirm the correct SDO policy is applied. |
| User is not receiving authentication prompts | Validate device status, network connectivity, policy assignment, and authentication service availability. |
| User fails enrollment | Confirm user setup, device compatibility, enrollment link validity, and restart enrollment if needed. |
| User access requirements changed | Review policy, group assignment, and application access configuration. |
5. User Offboarding
Offboarding ensures that users who leave the organization or no longer require access cannot continue to authenticate through SDO.
Recommended Offboarding Process
- Disable or remove the user in the organization’s primary identity source.
- Remove the user from SDO-related directory groups.
- Confirm that directory synchronization completed successfully.
- Validate that the user no longer has active authentication access.
- Review audit logs if required by the organization’s security process.
Troubleshooting Common Lifecycle Issues
| Issue | Possible Cause | Recommended Action |
|---|---|---|
| User does not appear in SDO | Directory sync issue, missing group membership, or directory filter. | Verify user in source directory, confirm group membership, and check synchronization status. |
| User cannot enroll | Incomplete setup, expired invitation, device issue, or network issue. | Restart enrollment, verify device compatibility, and confirm network connectivity. |
| User is enrolled but cannot authenticate | Policy mismatch, device issue, or authentication service issue. | Review policy assignment, check authentication logs, and confirm the user’s device status. |
| User does not receive authentication prompt | Device offline, notification issue, or authentication request not triggered. | Confirm device connectivity, trigger a new authentication attempt, and validate policy configuration. |
| Offboarded user still appears in SDO | Directory sync has not completed or user still exists in a synced group. | Confirm removal from source group and run or wait for the next directory synchronization. |
Best Practices
- Manage user access through directory groups whenever possible.
- Use clear naming conventions for SDO-related groups and policies.
- Validate enrollment status during rollout and expansion phases.
- Monitor authentication activity to identify users who may require assistance.
- Document the internal process for enrollment reset, device replacement, and offboarding.
- Coordinate lifecycle actions with HR, IT, and identity management teams.
- Review logs before escalation to provide support teams with the required context.
When to Escalate
Escalate the issue to the Secret Double Octopus support team if:
- The user exists in the directory but does not appear in SDO after synchronization.
- Multiple users are failing enrollment or authentication.
- Authentication prompts are not being generated for multiple users.
- Policy assignment appears correct but users still cannot authenticate.
- Directory synchronization errors are observed.
Information to Include When Escalating
- Username or user identifier
- User group membership
- Enrollment status
- Authentication policy assigned to the user
- Description of the issue
- Relevant timestamps
- Any error messages or screenshots
- Steps already performed by the administrator or helpdesk team
Summary
Lifecycle Management is a key administrative process for maintaining a secure and reliable Secret Double Octopus deployment. By properly managing provisioning, enrollment, active usage, change events, and offboarding, administrators can reduce authentication issues, improve user experience, and maintain strong security controls.