How do I handle SOC 2 evidence for apps without SSO?

March 6, 2026 | 2 min read | SOC 2 for Specific Tech Stacks

Is SSO Required for SOC 2?

No. SOC 2 requires that you control access to systems — SSO is one way to do that, but it's not the only way. Many startups pass SOC 2 without SSO by implementing other access controls that meet the same objectives.

What to Do Instead of SSO

SSO benefit                    Alternative control
-----------------------------  --------------------------------------------------------------
Centralized access management  Documented access provisioning checklist per system
Single point of revocation     Offboarding checklist covering every system individually
Enforced MFA                   MFA enforced per system (Google, GitHub, AWS each separately)
Reduced password fatigue       Password manager requirement (1Password, Bitwarden)
Audit trail                    Per-system audit logs + quarterly access review documentation

Evidence to Provide

Access Provisioning

Document your process for granting access to new hires:

  1. List every system that needs an individual account created
  2. Identify who creates each account (CTO, team lead, IT)
  3. Record which role or permission level is assigned
  4. Keep a record (ticket, checklist, Notion page) for each onboarding

Access Revocation

Document your process for removing access when someone leaves:

  1. Maintain a checklist of every system to deactivate
  2. Name who performs the revocation and the required timeline (within 4 hours, within 24 hours)
  3. Keep a record showing the completed checklist with dates

Quarterly Access Reviews

Without SSO, access reviews are more manual but still straightforward:

  1. Export user lists from each system
  2. Verify each user is still an employee
  3. Verify their access level is appropriate
  4. Document the review
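As an added example (not code from the original article), a small script that carries out steps 1 to 4 without SSO: it reads the per-system user exports, checks each account against the HR roster, flags missing MFA and unapproved privileged roles, and builds the review record you keep as evidence. The roster, the CSV exports and the privileged-role approvals are constructed sample data; real reviews load the files exported from each admin console.

```python
import csv

# Constructed sample data (not real exports): HR roster and each system's CSV user export.
HR_ROSTER = {"alice@example.com": "active", "bob@example.com": "active", "carol@example.com": "terminated"}
EXPORTS = {
    "google_workspace": "email,role,mfa_enrolled\nalice@example.com,user,yes\n"
                        "carol@example.com,user,no\n",
    "github": "email,role,mfa_enrolled\nalice@example.com,owner,yes\n"
              "bob@example.com,member,yes\ndave@example.com,member,yes\n",
    "aws": "email,role,mfa_enrolled\nbob@example.com,AdministratorAccess,no\n",
}
# Privileged roles per system and who the reviewer has approved for them (assumed values).
PRIVILEGED = {"google_workspace": {"admin"}, "github": {"owner"}, "aws": {"AdministratorAccess"}}
APPROVED_PRIVILEGED = {"github": {"alice@example.com"}}


def review_system(system, csv_text, roster, privileged, approved):
    """Check one export; return (accounts_reviewed, [(email, issue), ...])."""
    findings, reviewed = [], 0
    for row in csv.DictReader(csv_text.splitlines()):
        reviewed += 1
        email = row["email"].strip().lower()
        status = roster.get(email)
        if status is None:                        # step 2: no such employee
            findings.append((email, "not in HR roster"))
        elif status != "active":                  # step 2: left, but still provisioned
            findings.append((email, f"account active but employee is {status}"))
        if row["mfa_enrolled"].strip().lower() != "yes":
            findings.append((email, "MFA not enrolled"))
        if (row["role"] in privileged.get(system, set())        # step 3: access level
                and email not in approved.get(system, set())):
            findings.append((email, f"privileged role {row['role']} not approved"))
    return reviewed, findings


def run_review(exports, roster, privileged, approved, review_date):
    """Step 4: the review record (one entry per system) kept as audit evidence."""
    record = {"review_date": review_date, "systems": {}}
    for system, csv_text in exports.items():
        reviewed, findings = review_system(system, csv_text, roster, privileged, approved)
        record["systems"][system] = {"accounts_reviewed": reviewed, "findings": findings}
    return record


if __name__ == "__main__":
    rec = run_review(EXPORTS, HR_ROSTER, PRIVILEGED, APPROVED_PRIVILEGED, "2026-03-31")
    for system, result in rec["systems"].items():
        print(f"{system}: {result['accounts_reviewed']} accounts reviewed")
        for email, issue in result["findings"]:
            print(f"  - {email}: {issue}")
```

Each finding is something a reviewer must either remediate (revoke the account, enroll MFA) or sign off with a justification before the record is filed.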

MFA Enforcement

Screenshot MFA settings in each system individually:

  • Google Workspace: enforced for all users
  • GitHub: organization-level 2FA requirement
  • AWS: IAM policy requiring MFA for console access
  • Your application: if it offers MFA, show its enforcement settings

Planning for SSO

If enterprise customers require SSO as part of their security reviews, plan to add it. But for your initial SOC 2 audit, compensating controls are sufficient. Many startups add SSO post-audit when they have budget and customer demand.

© 2025 Screenata. All rights reserved.