Comment by anon84873628

4 days ago

SSO should stop working when the IdP org is disabled/deleted. IdPs should not allow the org to be resurrected based solely on domain ownership alone. And if a new org is created with the same domain, the SP will need to be reconfigured with new OAuth client creds, and should be relying only on the `sub` claim anyway.

Any accounts you need after leaving a company should be tied to your personal email.

My brokerage account could be accessed by both. I agree that is how it should work. But my brokerage account provider is never told to disable access via my IdP. It’s up to my former IdP to not do something stupid like giving someone else my old email address.
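As an added illustration of the point above about relying on the `sub` claim rather than the email address (example code, not part of the thread), the snippet below contrasts an SP that keys federated accounts on email with one that keys them on the issuer plus `sub` pair and drops the issuer when the org is disabled. All issuer URLs, subject ids, e-mail addresses and the account store are constructed stand-ins; the claim dicts represent ID tokens whose signatures have already been verified.

```python
# Added example, not from the original thread. Hypothetical SP-side account
# linking: the claims below are constructed dicts standing in for already
# signature-verified OIDC ID tokens.
from dataclasses import dataclass, field


@dataclass
class AccountStore:
    """Constructed SP account database with two lookup schemes side by side."""
    links: dict = field(default_factory=dict)      # (iss, sub) -> account_id
    by_email: dict = field(default_factory=dict)   # email -> account_id (weak)
    trusted_issuers: set = field(default_factory=set)

    def link(self, account_id, claims):
        self.links[(claims["iss"], claims["sub"])] = account_id
        self.by_email[claims["email"]] = account_id


def resolve_by_email(store, claims):
    """Weak scheme: any issuer that asserts the same email gets the account."""
    return store.by_email.get(claims["email"])


def resolve_by_subject(store, claims):
    """Stronger scheme: issuer must still be configured, and (iss, sub) must match."""
    if claims["iss"] not in store.trusted_issuers:
        return None  # org disabled/deleted -> SP removed the issuer
    return store.links.get((claims["iss"], claims["sub"]))


def demo():
    store = AccountStore(trusted_issuers={"https://idp.example/old-org"})
    old = {"iss": "https://idp.example/old-org", "sub": "u-1",
           "email": "alice@example.com"}
    store.link("acct-42", old)
    # Constructed: a new org re-created on the same domain; new tenant, new sub.
    new = {"iss": "https://idp.example/new-org", "sub": "u-9",
           "email": "alice@example.com"}
    result = {
        "email_old": resolve_by_email(store, old),
        "email_new": resolve_by_email(store, new),   # resurrected access
        "sub_old": resolve_by_subject(store, old),
        "sub_new": resolve_by_subject(store, new),   # no match
    }
    store.trusted_issuers.discard("https://idp.example/old-org")  # org disabled
    result["sub_old_after_disable"] = resolve_by_subject(store, old)
    return result
```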

  • It's not the IdP's responsibility to "fix" the internet.

    Just like someone can buy a home and will get mail targeting a previous owner, the same happens with domain names and emails.

    Domains are, however, much cheaper and more abundant, so it happens more often.