SaaS JIT · powered by Cloudanix Agentic JIT

Prod SaaS access.
Without permanent groups, without off-boarding theater, without a per-app audit hunt, in the same SSO portal you already use.

Today, a user joins → Okta group → SaaS role → forever. Hubspot, Zendesk, NetSuite, Looker, Sendgrid, Google Ads — all of it, all the time, for all of them. SaaS JIT flips that: request access in Cloudanix or Slack, an approver clicks Approve, Cloudanix adds you to the right IDP group for a fixed window — then you open the same SSO tile you always use and you're in. Timer expires, you're out. Zero new tool for users.

✓ Okta · Microsoft Entra ID · JumpCloud · Google Workspace · OneLogin · Ping
✓ Hundreds of SaaS apps — anything in your IDP catalog
✓ Same SSO tile · zero learning curve for users
Request SaaS access · Production
  App: Hubspot · Marketing Hub
  Role: view / edit / admin
  IDP group: Okta · hubspot-admins
  Duration: 30 min / 1 hr / 2 hr
  Reason: Q4 campaign export

Cloudanix · provisioning access
  grant · req-4a2c91f8 · priya@cloudanix.com → Hubspot · admin · 2hr
  Cloudanix JIT engine · v3.4
  Approval received from alice@cloudanix.com
  Connected to Okta · org: cloudanix
  Added priya to group · hubspot-admins
  Role mapped — Hubspot · Admin (Marketing Hub)
  Access propagated · SSO ready
  → valid for 2:00:00 · auto-revoke at 17:00

app.hubspot.com · signed in via Okta · priya@cloudanix.com
  Active · Campaign · Q4 product launch · 12,184 contacts
  Draft · Campaign · Winter promo · 4,212 contacts
  List · VIP customers · 142 entries
  access via Cloudanix JIT · expires 1:58 · not a permanent group
The problem

Every IT team running a SaaS stack owns four compromises.

You moved everything to SSO. You wrote group policies. You still can't answer the simple question: who has Hubspot admin right now, and why?

Permanent access by default

The pattern is the same in every org: user joins → mapped to a group → group → SaaS role → forever. They switch teams, finish the project, take a sabbatical — and the entitlement just sits there, drawing breath and license fees, waiting to be the next breach blast radius.

The shared engineering group

Granular IDP groups are hard. So one big engineering group ends up wired to Datadog, PagerDuty, Sendgrid, GitHub Enterprise, Looker, Stripe and fourteen others. Every new hire gets the full set. Every departure has to be revoked from all of them.

Off-boarding theater

When someone leaves, IT removes them from the IDP — eventually. The audit gap between their last day and the actual revoke is the most dangerous window in your company. SOC 2 evidence says “we have a process.” Reality says still-in-hubspot.csv.

Audit fragmented per app

Who had NetSuite admin in Q2? You're scrolling through NetSuite's audit log and Okta and the change ticket nobody filed. Every SaaS has its own format, its own retention, its own UI. Your auditor wants one answer. You have eight tabs.

How it works

One request. One approval. One group flip. Your existing SSO.

No agent inside the SaaS app. No new portal for users. We don't replace Okta or Entra ID — we tighten what hangs off them.

  1. Ask, don't ticket

     Pick a SaaS app, pick a role, set a duration, add a reason. One click in the Cloudanix console or /cloudanix request in Slack. No three-day ticket queue.

  2. Approve where the team lives

     Slack, Teams, or auto-approve by policy. A marketing intern's 2-hour Hubspot grant can auto-fire. A finance director's NetSuite admin request goes to two humans. Multi-step where it matters.

  3. Cloudanix flips the IDP group

     We call your IDP — Okta, Entra ID, JumpCloud, Google Workspace, OneLogin, Ping — and add the user to the right group for the granted window. No standing entitlement survives.

  4. Same SSO. Same app. Same click.

     The user opens their normal SSO portal, clicks the same tile they always do, and lands in the app. Zero learning curve. No new password, no new MFA prompt, no new tool.

  5. TTL expires · access revokes itself

     When the window ends, Cloudanix removes the user from the IDP group. The next click on the SSO tile denies. The full lifecycle — request, approval, grant, SSO event, revoke — lands in your S3 bucket as one correlated audit trail.

Real-world scenarios

Same JIT. Every SaaS your team touches.

Marketing, finance, contractors, auditors — one flow for everyone who needs to get into your SaaS stack, with the guardrails tuned per app, per role, per requester.

scenario · Hubspot · admin · 2hr · auto-approve
  priya (marketing): "Need to export the Q4 campaign contacts for the agency. Two hours, then I'm done. Admin role required for the export API."
  flow: Priya · request → policy auto-approve → Cloudanix JIT → Okta group flip → Hubspot · Admin
  scope granted: role: admin · app: Hubspot · 2h · auto-approved · ref: Q4-CAMP
  ◎ added priya@cloudanix.com → group: hubspot-admins
  ✓ SSO login captured at 15:01:14
  ✓ Activity: contacts.export · 12,184 rows
  ✓ TTL hit at 17:00 · removed from group
  ✓ Every event stamped to priya@cloudanix.com · audit → S3
  ⛔ Access ended · 17:00:02
scenario · NetSuite · admin · 8h · month-end
  jen (finance dir.): "Month-end close — need NetSuite admin to post journal entries and run the consolidation. Scheduled for the last business day, revoked the next morning."
  ⚠ NetSuite admin · financials · two-step
  ✓ Approved by CFO + IT-sec · 11s
  flow: Jen · scheduled → Cloudanix JIT → Entra ID flip → signed in via SSO → NetSuite · admin
  scope granted: role: admin · app: NetSuite · 8h · ref: M12-CLOSE · two-step
  ◎ added jen@cloudanix.com → group: netsuite-admins (Entra ID)
  ✓ SSO login captured at 18:02:11
  ✓ Activity: journals.post · consolidation.run
  ✓ TTL hit at 02:00 · removed from group
  ✓ Every event stamped · jen@cloudanix.com
  ⛔ Access ended · 02:00:00
scenario · vendor · Looker analyst · 3 days
  alex (vendor): "Analyst from the BI consultancy needs query access for the Q4 funnel study. Three days, scoped to the marketing workspace only."
  flow: Alex · vendor → Cloudanix JIT → Google Wksp flip → SSO via Google → Looker · analyst
  scope granted: role: analyst · workspace: marketing · 3d · SOW-204 · expires Fri
  ◎ added alex@partner-co.com → group: looker-analysts
  ✓ SSO logins captured · 6 sessions over 3 days
  ✓ Activity: queries.run · dashboards.view
  ✓ TTL hit Fri 17:00 · removed from group
  ✓ Every login stamped · alex@partner-co.com
  ⛔ Access ended · Fri 17:00 · no access next week
scenario · SOC 2 · read-only · 8 SaaS apps
  nadia (auditor): "Need read-only access across the full SaaS stack for Q4 SOC 2 evidence — Hubspot, NetSuite, Looker, Slack, GitHub, Datadog, Stripe, PagerDuty. Five business days, then gone."
  flow: Nadia · auditor → Cloudanix JIT → fan-out to 8 IDP groups → SSO via Okta → 8 SaaS · read-only
  scope granted: role: read-only · apps: 8 · 5 business days · SOC2-AUD-22
  ◎ added nadia@auditfirm.com → 8 read-only groups
  ✓ SSO logins captured · 47 sessions over 5 days
  ✓ Activity: list, view, export-evidence
  ✓ TTL hit · removed from all 8 groups in one batch
  ✓ Evidence bundle exported · signed
  ⛔ All 8 apps revoked atomically
Runs the same flow on Salesforce, Hubspot, Zendesk, NetSuite, Looker, Sendgrid, RingCentral, Google Ads, Datadog, GitHub Enterprise, Stripe, PagerDuty, Slack, Workday … hundreds more · anything in your IDP catalog.
The model

Your user sees the same SSO tile. You keep the entitlement.

What the user sees
  • A one-click request in the Cloudanix console or Slack — no ticket queue
  • The same SSO tile in Okta / Entra ID / JumpCloud / Google Workspace they've always clicked
  • A normal SaaS login, normal MFA, normal session — zero new tool, zero new password
  • A clean revoke when the work is done — no awkward “please remove me from Hubspot” Slack DM
same SSO. zero new tool.
What security keeps
  • Zero standing entitlements in every SaaS app — Hubspot, NetSuite, Looker, all of them
  • Per-app, per-role JIT policies — auto-approve view, escalate admin
  • Automatic off-boarding the moment the TTL hits — no more still-in-hubspot.csv
  • One unified audit across every SaaS — request → approve → IDP event → SSO login → revoke, all in your S3
Governance & audit stay in your account.
Unified access timeline

One audit trail across every SaaS. Scrub any past grant end to end.

Every JIT grant becomes one correlated timeline — request, approval, IDP group change, SSO login, in-app activity (where the SaaS exposes it), TTL hit, revoke. Watch it in the Cloudanix console, download it for evidence, or send a signed URL to your auditor.

access timeline · req-4a2c91f8 · Hubspot · priya@cloudanix.com
[15:00:14]  REQUESTED    priya@cloudanix.com → Hubspot · admin · 2h
[15:00:42]  APPROVED     by alice@cloudanix.com · via Slack
[15:00:43]  IDP EVENT    Okta · added priya to hubspot-admins
[15:01:14]  SSO LOGIN    priya@cloudanix.com → Hubspot (via Okta)
[15:14:22]  ACTIVITY     Hubspot · contacts.export · 12,184 rows
[16:58:00]  WARNING      access expires in 2 minutes
[17:00:00]  REVOKED      removed from hubspot-admins · session ended
[17:00:01]  AUDIT        written to s3://your-bucket/jit-saas/
1:14 / 2:00 elapsed · stamped: priya@cloudanix.com · app: Hubspot · idp: Okta · admin · 1 grant
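The timeline format above is simple enough that a defender can run consistency checks over it. The checker below is an added example, not Cloudanix tooling: it parses lines of the shape "[HH:MM:SS]  KIND  detail" and flags the conditions an auditor would want caught: a group add with no matching revoke, a revoke landing after the approved window, an IDP change with no prior approval, and an approver who is the requester. The sample is constructed from the timeline on this page, and the checker assumes all events of one grant fall on the same calendar day.

```python
"""Consistency checks over a per-grant JIT access timeline.

Added example, not Cloudanix tooling.  It parses the timeline format shown
on this page (bracketed time, upper-case event kind, detail column) and flags
what a reviewer would want caught: a group add with no revoke, a revoke later
than the approved window, an IDP change with no prior approval, or
self-approval.  The sample is constructed from the timeline on this page; all
events are assumed to fall on the same calendar day.
"""
import re
from datetime import datetime, timedelta

SAMPLE_TIMELINE = """\
[15:00:14]  REQUESTED    priya@cloudanix.com → Hubspot · admin · 2h
[15:00:42]  APPROVED     by alice@cloudanix.com · via Slack
[15:00:43]  IDP EVENT    Okta · added priya to hubspot-admins
[15:01:14]  SSO LOGIN    priya@cloudanix.com → Hubspot (via Okta)
[15:14:22]  ACTIVITY     Hubspot · contacts.export · 12,184 rows
[16:58:00]  WARNING      access expires in 2 minutes
[17:00:00]  REVOKED      removed from hubspot-admins · session ended
[17:00:01]  AUDIT        written to s3://your-bucket/jit-saas/
"""

# "[HH:MM:SS]  KIND  detail": the kind is upper-case words, then 2+ spaces.
LINE_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\]\s+([A-Z][A-Z ]*?)\s{2,}(.*)$")
# Approved window as written in the REQUESTED detail, e.g. "· 2h" or "· 30min".
TTL_RE = re.compile(r"·\s*(\d+)\s*(hr|h|min|m|d)\b")
UNIT = {"m": 60, "min": 60, "h": 3600, "hr": 3600, "d": 86400}


def parse_timeline(text):
    """Return [(datetime, kind, detail)] for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S")
            events.append((ts, m.group(2), m.group(3).strip()))
    return events


def ttl_seconds(detail):
    """Approved window in seconds from a REQUESTED detail, or None if absent."""
    m = TTL_RE.search(detail)
    return int(m.group(1)) * UNIT[m.group(2)] if m else None


def check_grant(events):
    """Return human-readable findings for one grant; empty means the trail is clean."""
    by_kind = {}
    for ts, kind, detail in events:
        by_kind.setdefault(kind, []).append((ts, detail))
    requested = by_kind.get("REQUESTED", [])
    approved = by_kind.get("APPROVED", [])
    added = by_kind.get("IDP EVENT", [])
    revoked = by_kind.get("REVOKED", [])
    if not requested:
        return ["no REQUESTED event"]
    _, req_detail = requested[0]
    requester = req_detail.split()[0]          # "user → App · role · ttl"
    ttl = ttl_seconds(req_detail)
    findings = []
    if ttl is None:
        findings.append("REQUESTED line carries no TTL")
    for _, d in approved:
        if d.startswith("by ") and d.split()[1] == requester:
            findings.append(f"self-approval by {requester}")
    for add_ts, _ in added:
        if not any(a_ts <= add_ts for a_ts, _ in approved):
            findings.append(f"IDP change at {add_ts:%H:%M:%S} with no prior approval")
        if not revoked:
            findings.append("group add with no matching REVOKED")
        elif ttl is not None:
            # The revoke must land no later than the approved window after the add.
            deadline = add_ts + timedelta(seconds=ttl)
            late = [r for r, _ in revoked if r > deadline]
            if late:
                findings.append(f"revoke at {late[0]:%H:%M:%S} is after the TTL deadline {deadline:%H:%M:%S}")
    return findings


if __name__ == "__main__":
    print(check_grant(parse_timeline(SAMPLE_TIMELINE)) or "timeline consistent")
```

Run against a quarter's worth of exported timelines, an empty result per grant is the evidence an auditor actually wants; any non-empty result names the grant and the gap, which is a far better starting point than eight tabs of per-app logs.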
  • End-to-end lifecycle, one view

    Request, approval, IDP group flip, SSO login, in-app activity, TTL, revoke — one timeline per grant. No more correlating six tabs to answer “who, what, when.”

  • Evidence-grade for SOC 2 · ISO · PCI

    Pull a quarterly report of every grant on every SaaS app — with approver, justification, and exact-second revoke time. SOC 2 evidence in a download.

  • Share with a signed URL

    Send your auditor timed access to one specific grant — or a whole quarter. The link expires. The audit stays in your S3 bucket. Nothing copied, nothing leaked.

Plugs in · doesn't replace

Your IDP. Your SaaS catalog. Our JIT in between.

Cloudanix sits between your identity provider and the SaaS apps that hang off it. The IDP stays the source of truth. The SSO tile stays the user's front door. We just make the entitlements behind it temporary by default.

Any identity provider

Okta
Microsoft Entra ID
JumpCloud
Google Workspace
OneLogin
Ping Identity
Auth0
Any SAML / OIDC IDP

Any SaaS app in your catalog

Salesforce
Hubspot
Zendesk
NetSuite
Looker
Sendgrid
RingCentral
Google Ads
Datadog
GitHub Enterprise
Stripe
PagerDuty
Anything in your IDP catalog
What you get

Everything a compliant SaaS access program requires — none of the per-app group-management hell.

Zero standing SaaS access

Every entitlement is granted on request and revoked on the clock. No more “the intern still has Hubspot admin from 2023.”

Same SSO · zero new tool

Users keep clicking the same tile in Okta / Entra ID / Google Workspace they've always clicked. No new portal, no new password, no training.

Any IDP, any SaaS

Okta, Microsoft Entra ID, JumpCloud, Google Workspace, OneLogin, Ping. Hundreds of SaaS apps in your catalog — same flow for each.

Tiered approvals

Auto-approve read-only. Escalate admin to Slack or Teams. Two-step manager + IT for financial systems. Tune per app, per role.

Time-boxed, auto-revoking

Grant 30 minutes, 2 hours, a sprint, a SOW window. Cloudanix removes the IDP group membership the second the clock runs out.

Automatic off-boarding

No more still-in-hubspot.csv on someone's last day. JIT grants expire on their own. Standing memberships never accumulate.

Unified audit in your S3

Request → approval → IDP event → SSO login → revoke — one correlated trail per grant, across every SaaS, in your bucket.

License-cost discipline

SaaS billing is per active seat. JIT turns idle entitlements into freed licenses — measurable, defensible, auditable.

One JIT for humans, contractors & agents

Same policy engine, same approval flow, same audit — whether the requester is a full-time employee, a vendor, or an AI agent acting on behalf of a person.
