Fixed Support Center Header - Freshdesk Template
Lifecycle Management - Secret Double Octopus
?

Lifecycle Management

This article explains how administrators can manage the full user lifecycle in Secret Double Octopus, including user onboarding, enrollment, authentication readiness, changes during employment, and offboarding.

Audience

This article is intended for Secret Double Octopus administrators, helpdesk teams, IT operations teams, and identity administrators responsible for managing users and authentication lifecycle processes.

Overview

Lifecycle Management refers to the process of managing users from the moment they are created or assigned to use Secret Double Octopus, through enrollment and active usage, and finally through removal or deactivation when access is no longer required.

A well-managed lifecycle helps ensure that users are enrolled correctly, have the right authentication methods, remain synchronized with organizational identity sources, and are removed from access when they leave the organization or no longer require authentication services.

User Lifecycle Stages

StageAdmin ObjectiveTypical Actions
1. User ProvisioningMake the user available in SDO.Sync user from directory, assign to relevant group, validate user attributes.
2. EnrollmentAllow the user to register their authenticator.Send enrollment invitation, guide user through registration, verify successful enrollment.
3. Active UsageEnsure the user can authenticate successfully.Monitor authentication activity, review failed attempts, validate policy assignment.
4. Change ManagementSupport user changes during employment.Reset enrollment, replace device, update group membership, change policy assignment.
5. OffboardingRemove access when the user no longer requires it.Disable user in directory, remove from SDO groups, revoke authentication access.

Prerequisites

Before managing user lifecycle tasks, verify the following:

  • You have administrator access to the Secret Double Octopus Tenant Manager.
  • The user directory integration is configured and synchronized.
  • Relevant user groups are available and mapped to the correct policies.
  • Enrollment settings and authentication policies are configured.
  • The user has access to the required device or authenticator for enrollment.

1. User Provisioning

User provisioning is the first stage of lifecycle management. In most deployments, users are synchronized from an external identity source such as Active Directory, LDAP, or another supported directory service.

Admin Checklist

  1. Confirm that the user exists in the organization’s identity source.
  2. Confirm that the user is included in the correct directory group.
  3. Verify that the directory synchronization completed successfully.
  4. Search for the user in the SDO Tenant Manager.
  5. Confirm that the user appears with the expected username, email address, and group assignment.
Important: If the user does not appear in the SDO Tenant Manager, verify the source directory, group membership, synchronization status, and any directory filters configured for the integration.

2. User Enrollment

Enrollment allows users to register their authentication method and become ready to use passwordless authentication.

Typical Enrollment Flow

  1. The administrator confirms that the user is available in SDO.
  2. The user receives an enrollment invitation or begins the enrollment process through the configured flow.
  3. The user registers their authentication method.
  4. The system validates the enrollment.
  5. The user becomes ready for authentication.

What Admins Should Validate

  • The user is assigned to the correct authentication policy.
  • The user completed enrollment successfully.
  • The user’s device or authenticator is active and available.
  • The user can complete a test authentication if required.

3. Active Usage and Monitoring

After enrollment, administrators should monitor user authentication activity to confirm that users are successfully authenticating and that there are no repeated failures.

Recommended Checks

  • Review successful authentication events.
  • Check for repeated failed authentication attempts.
  • Confirm that the user receives authentication prompts as expected.
  • Validate that the correct policy is applied.
  • Confirm that the user’s directory status is active.
Best Practice: During rollout, monitor enrollment and authentication activity daily to quickly identify users who are not fully enrolled or are failing authentication.

4. Change Management

During the user lifecycle, administrators may need to perform updates when users change devices, roles, groups, or access requirements.

Common Change Scenarios

ScenarioAdmin Action
User changed phone or workstationReset or restart enrollment according to the organization’s process.
User moved to a different departmentUpdate directory group membership and confirm the correct SDO policy is applied.
User is not receiving authentication promptsValidate device status, network connectivity, policy assignment, and authentication service availability.
User fails enrollmentConfirm user setup, device compatibility, enrollment link validity, and restart enrollment if needed.
User access requirements changedReview policy, group assignment, and application access configuration.

5. User Offboarding

Offboarding ensures that users who leave the organization or no longer require access cannot continue to authenticate through SDO.

Recommended Offboarding Process

  1. Disable or remove the user in the organization’s primary identity source.
  2. Remove the user from SDO-related directory groups.
  3. Confirm that directory synchronization completed successfully.
  4. Validate that the user no longer has active authentication access.
  5. Review audit logs if required by the organization’s security process.
Security Note: Offboarding should be handled through the organization’s identity source whenever possible. Disabling the user at the identity provider or directory level helps ensure consistent access removal across connected systems.

Troubleshooting Common Lifecycle Issues

IssuePossible CauseRecommended Action
User does not appear in SDODirectory sync issue, missing group membership, or directory filter.Verify user in source directory, confirm group membership, and check synchronization status.
User cannot enrollIncomplete setup, expired invitation, device issue, or network issue.Restart enrollment, verify device compatibility, and confirm network connectivity.
User is enrolled but cannot authenticatePolicy mismatch, device issue, or authentication service issue.Review policy assignment, check authentication logs, and confirm the user’s device status.
User does not receive authentication promptDevice offline, notification issue, or authentication request not triggered.Confirm device connectivity, trigger a new authentication attempt, and validate policy configuration.
Offboarded user still appears in SDODirectory sync has not completed or user still exists in a synced group.Confirm removal from source group and run or wait for the next directory synchronization.

Best Practices

  • Manage user access through directory groups whenever possible.
  • Use clear naming conventions for SDO-related groups and policies.
  • Validate enrollment status during rollout and expansion phases.
  • Monitor authentication activity to identify users who may require assistance.
  • Document the internal process for enrollment reset, device replacement, and offboarding.
  • Coordinate lifecycle actions with HR, IT, and identity management teams.
  • Review logs before escalation to provide support teams with the required context.

When to Escalate

Escalate the issue to the Secret Double Octopus support team if:

  • The user exists in the directory but does not appear in SDO after synchronization.
  • Multiple users are failing enrollment or authentication.
  • Authentication prompts are not being generated for multiple users.
  • Policy assignment appears correct but users still cannot authenticate.
  • Directory synchronization errors are observed.

Information to Include When Escalating

  • Username or user identifier
  • User group membership
  • Enrollment status
  • Authentication policy assigned to the user
  • Description of the issue
  • Relevant timestamps
  • Any error messages or screenshots
  • Steps already performed by the administrator or helpdesk team

Summary

Lifecycle Management is a key administrative process for maintaining a secure and reliable Secret Double Octopus deployment. By properly managing provisioning, enrollment, active usage, change events, and offboarding, administrators can reduce authentication issues, improve user experience, and maintain strong security controls.

Footer - Secret Double Octopus