
Hello,

Twice a year we execute a user account security audit to ensure that access to all systems is valid and appropriate. During the most recent audit, the auditors identified 2 accounts that were inactivated in our Active Directory but had a ‘Last Logged In’ date event recorded on the PERSON record several months after the AD account was inactivated. Both of these users were configured for OIDC authentication, so theoretically once the AD account was inactivated these person records should not have any Log In/Log Out activity recorded. The question is whether or not there are any other activities in the system that would have resulted in an incorrect Log In/Out event being recorded?


Thanks,

Richard

Hi @RiSpence

Did you try to log in with these credentials directly to the system? Is it possible?

Cheers!


Hi @Shneor Cheshin, I don’t see how we would be able to do this as it would require us to re-enable the credentials in our Active Directory and then complete MFA, etc. to be able to log in. When we changed everyone to SSO we did not provide the FSM Person Password to the users since it would be their network credentials through the Active Directory that would give access to FSM, so there would not be any way for the user to log in directly.

Hope that answers the question.

-Richard


Hi @RiSpence

To your original issue and question, it should not be possible. The system should not create an event.

I raised a theory that it is still possible to log in differently. If this was tested and confirmed, you are covered.

Cheers!


Hi Richard,

While I’m not sure how that happened, I would recommend setting the Person record in FSM to “inactive” state when an employee leaves the company. As you stated, if the password isn’t known to that person and you only allow OIDC login, a login wouldn’t be possible for that person after the AD account was removed.

Best regards
Roman
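The audit that Richard describes (AD-disabled accounts whose FSM Person record still shows a later login) and Roman's recommendation (the Person record should be set inactive when the AD account goes) can both be checked mechanically. The script below is an added example, not code from the thread or from the FSM product. It assumes two exports as plain dictionaries: an AD export with the account name, a disabled flag and the disable date, and an FSM Person export with the login id that maps to the AD account, the record's active state and its last-login timestamp. The field names and all sample rows are constructed for illustration.

```python
from datetime import datetime

# Constructed sample exports (hypothetical data, not taken from the thread).
# AD export: account name, whether it is disabled, and when it was disabled.
AD_ACCOUNTS = [
    {"sam": "jdoe",   "disabled": True,  "disabled_on": "2024-01-15"},
    {"sam": "asmith", "disabled": True,  "disabled_on": "2024-03-02"},
    {"sam": "bjones", "disabled": False, "disabled_on": None},
]

# FSM Person export: login id mapped to AD, record state, last login timestamp.
FSM_PERSONS = [
    {"login": "jdoe",   "active": True,  "last_login": "2024-05-20T08:12:00"},
    {"login": "asmith", "active": False, "last_login": "2024-02-28T17:45:00"},
    {"login": "bjones", "active": True,  "last_login": "2024-06-01T09:00:00"},
]


def _parse(ts):
    """Parse an ISO-8601 date or datetime string into a naive datetime."""
    return datetime.fromisoformat(ts)


def reconcile(ad_accounts, fsm_persons):
    """Cross-check AD-disabled accounts against FSM Person records.

    Returns one finding per problem:
      - person_still_active:     AD account disabled but Person record is active
      - login_after_ad_disable:  Person's last login is later than the AD disable date
    """
    disabled_on = {
        a["sam"]: _parse(a["disabled_on"])
        for a in ad_accounts
        if a["disabled"] and a["disabled_on"]
    }
    findings = []
    for person in fsm_persons:
        cutoff = disabled_on.get(person["login"])
        if cutoff is None:
            continue  # AD account still enabled or unknown: nothing to reconcile
        if person["active"]:
            findings.append({"login": person["login"],
                             "kind": "person_still_active",
                             "ad_disabled_on": cutoff.date().isoformat()})
        last = person.get("last_login")
        if last and _parse(last) > cutoff:
            findings.append({"login": person["login"],
                             "kind": "login_after_ad_disable",
                             "ad_disabled_on": cutoff.date().isoformat(),
                             "last_login": last})
    return findings


if __name__ == "__main__":
    for f in reconcile(AD_ACCOUNTS, FSM_PERSONS):
        print(f)
```

With the constructed data, jdoe is flagged twice (record still active, and a login three months after the AD disable date), asmith is clean because the Person record was inactivated and the last login predates the disable, and bjones is skipped because the AD account is still enabled. A login_after_ad_disable finding is exactly the case the auditors raised and warrants looking at the system's own login audit trail for that user.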

