So you're going to play IT and duplicate all the groups and all the roles manually that already are maintained and automated for on/off-boarding? And not have them be auto-offboarded when they are let go? That introduces compliance risks and imo more problems than having SSO on your password manager. Yes, keep some master password for a rainy day if you have to, but otherwise, the more "dangerous" the thing the more it should be hooked up to SSO.