When SSO Becomes a Headache Instead of a Help
Single sign-on is supposed to make life easier. One login. One password. One place to manage security. In theory, it is brilliant.
In practice, for a lot of businesses we work with at Nepata Digital, SSO has become a recurring headache. Every 60 to 90 days when something in the SSO setup is changed or refreshed, people suddenly cannot get into the tools they need. Tickets go to IT. Work stalls. Frustration grows.
The root problem is often simple. The infrastructure team has not taken the time to script and maintain good role-based profiles for users and groups. Security is treated as a technical checkbox, not as something that must support how people actually do their jobs.
Let’s talk about what that looks like on the ground.
What It Feels Like for Your People
Imagine you are a product owner, a planner, or a team lead.
Most days you log into a handful of core systems and everything is fine. Then, at the end of a sprint, you go to use a specialist tool you only touch once a month. Suddenly you get an “access denied” message.
You have not changed jobs. You have not done anything wrong. The SSO update has simply reset or broken your permissions because your profile was never properly tied to your role in the first place.
So you:
Try again a few times
Message a colleague to see if it is “just you”
Log a ticket with IT
Wait
None of that is value-adding work. It is pure friction.
When this happens regularly, people lose confidence in the system. They start keeping personal shortcuts, shared passwords, or using unofficial tools just to get things done. That undermines the very security SSO was meant to protect.
The Hidden Cost Every 60–90 Days
Most organisations don’t calculate the cost of these access problems. But it adds up quickly.
Take a simple example.
You have 100 staff using several applications through SSO
After each SSO update, 20 people run into access issues
Each of those 20 people wastes around half an hour trying to fix it or waiting for IT
IT then spends about 15 minutes per person sorting out permissions
That is:
10 hours of staff time lost
5 hours of IT time lost
If you roughly cost staff time at NZ$50 an hour and IT at NZ$80 an hour, you are already close to NZ$900 in direct cost every cycle.
Add in delayed work, missed deadlines, rescheduled meetings, and the number is easily higher. Multiply this across multiple teams and four or more update cycles a year, and it becomes a genuine line item you never planned for.
And it is avoidable.
Where It Goes Wrong: Profiles and Roles
The good news is that SSO itself is not the problem.
The real issue is how user access is designed and maintained.
When infrastructure teams do not create and script clear profiles for roles and groups, they end up handling access in a one-off, ticket-by-ticket way. That might work for a handful of users. It does not scale.
Without properly mapped roles:
Some people get too much access, which is a security risk
Others get too little, which blocks them from doing their job
Every SSO update becomes a lottery of who will be locked out this time
Security remains “strict” on paper, but the day-to-day experience is chaotic.
Security and Usability Must Work Together
At Nepata Digital, we are the first to say that security is crucial. Many of our clients work in health, government, financial services and other regulated environments. Strong authentication and access control are not optional.
But security and usability are not enemies. When SSO and access profiles are designed well:
Security improves because access is consistently right-sized
Users stop looking for workarounds
Audit and compliance become easier because you have a clear record of who can do what and why
The key is to treat access design as part of the business process, not just an infrastructure task.
How to Do SSO Better
Here are practical steps we often take with clients.
1. Start with the business roles
Work with business leaders and team leads to define roles clearly. For each role, list:
Which tools they need
How often they use them
What level of access they need in each tool (view, edit, approve, admin)
This becomes your access matrix.
2. Script it, don’t wing it
Use your identity platform (for example Azure AD, Okta or similar) to:
Build role-based groups
Automatically assign tools and permissions based on role attributes
Connect it to your HR or user onboarding process
The goal is simple. When someone joins, changes role, or leaves, the system updates their access without manual tinkering.
3. Test before every big change
Before each SSO renewal or configuration change:
Test in a non-production environment
Have a small group of real users run through their normal tasks
Confirm that role-based access still works as expected
This is especially important for tools people only use at the end of a sprint, month, or quarter. Those are the ones most likely to surprise you.
4. Track the pain so you can fix it
Keep an eye on:
How many access tickets are raised after SSO changes
Which roles or tools are most impacted
How long it takes to fix them
Once you see the pattern, it is easier to justify investing a few days in proper scripting and design. Often, the savings from just one or two cycles will cover the effort.
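As an added example, not code from Nepata Digital or from any identity platform, here is one way to check steps 1 to 3 in Python: it compares an access matrix against a snapshot of granted access and lists who ended up with too little or too much. All role, tool and user names, the export format, and the ordering of view, edit, approve and admin as increasing privilege are assumptions.

```python
LEVELS = ["none", "view", "edit", "approve", "admin"]  # assumed order, weakest first
RANK = {name: i for i, name in enumerate(LEVELS)}

# Step 1: access matrix, role -> tool -> required level (constructed sample).
ACCESS_MATRIX = {
    "product_owner": {"backlog": "admin", "reporting": "view", "release_tool": "approve"},
    "planner": {"backlog": "edit", "reporting": "edit"},
}
# Role per user, as it would come from HR or onboarding (constructed sample).
USER_ROLES = {"aroha": "product_owner", "ben": "planner", "chen": "planner"}
# Access actually granted after the change, as exported from the identity
# platform (constructed sample; the export format is an assumption).
ACTUAL = {
    "aroha": {"backlog": "admin", "reporting": "view"},  # monthly tool dropped
    "ben": {"backlog": "edit", "reporting": "admin"},    # more than the role needs
    "chen": {"backlog": "edit", "reporting": "edit"},    # matches the matrix
    "dana": {"backlog": "view"},                         # no role on record
}

def find_drift(matrix, user_roles, actual):
    """Return (user, tool, kind, expected, granted) tuples for every mismatch."""
    findings = []
    for user in sorted(set(user_roles) | set(actual)):
        role = user_roles.get(user)
        granted = actual.get(user, {})
        if role not in matrix:
            # Leaver or unmapped role: any access still granted is unexplained.
            findings += [(user, t, "no_role", "none", lvl) for t, lvl in sorted(granted.items())]
            continue
        expected = matrix[role]
        for tool in sorted(set(expected) | set(granted)):
            want, have = expected.get(tool, "none"), granted.get(tool, "none")
            if have not in RANK:
                findings.append((user, tool, "unknown_level", want, have))
            elif RANK[have] < RANK[want]:
                findings.append((user, tool, "under", want, have))
            elif RANK[have] > RANK[want]:
                findings.append((user, tool, "over", want, have))
    return findings

if __name__ == "__main__":
    for finding in find_drift(ACCESS_MATRIX, USER_ROLES, ACTUAL):
        print(*finding, sep="\t")
```

Run it against a snapshot taken in the non-production environment before the change and again afterwards; an empty result means every user's granted access matches their role in the matrix.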
How Nepata Digital Can Help
At Nepata Digital, we sit in the space between business and technology.
We help you:
Map out your roles and processes
Design an access matrix that reflects how your people actually work
Work with your infrastructure or vendor teams to script and automate SSO profiles
Set up simple reporting so you can see the real cost of access issues over time
Our aim is not to sell you yet another tool. It is to make the tools you already pay for easier and safer for your people to use.
If your teams groan every time there is an SSO change, or if you are noticing repeated access issues at the end of each sprint or quarter, it might be time to take a closer look at how your SSO is set up.
You do not have to live with that frustration every 60–90 days.
Get in touch with Nepata Digital and let’s design an SSO and access model that works for both your security needs and your people.