
How to Find Identities That Bypass SSO Entirely

SSO only protects what’s connected to it. This step-by-step guide shows how to find users, apps, and integrations that bypass SSO completely.

Why SSO Blind Spots Are the Real Identity Risk

Most organizations believe SSO defines their identity boundary. In reality, it only defines the part they can see.


Any identity that bypasses SSO:

  • Isn’t governed by centralized policies

  • Often skips MFA

  • Survives offboarding

  • Breaks audit traceability


According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS apps are unknown to IT

  • < 1% of SaaS accounts enforce MFA

  • Many “SSO-capable” apps allow local credentials indefinitely


That means your identity perimeter already extends far beyond your IdP.


A 30-Minute SSO Bypass Audit

Goal: Identify every human or system identity that can access data without going through your identity provider.

This requires no new tooling — just disciplined visibility.


Step 1 (5 Minutes): Export Your IdP-Managed Applications

Start with your identity provider:

  • Okta

  • Entra ID (Azure AD)

  • Google Workspace


Export the list of:

  • Applications enforcing SSO

  • Users assigned to each app


This is your known SSO surface — not your full identity perimeter.


Step 2 (5 Minutes): List All SaaS Apps in Use

Next, pull SaaS usage data from:

  • Browser logs

  • CASB reports

  • Email domain sign-ups

  • Finance or vendor systems


Compare this list to your IdP-managed apps.


Any SaaS app absent from your IdP catalog is authenticating users some other way, almost always a local username and password. That the app “supports” SSO is irrelevant until the integration is configured, assigned and enforced; an app that sits in the catalog as inactive or with no assigned users belongs on the gap list too.


CISA’s Secure Cloud Business Applications (SCuBA) guidance rests on the same premise: a security configuration baseline can only be applied to an application you know about: https://www.cisa.gov/secure-cloud-business-applications-scuba
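The Step 1 and Step 2 comparison is a set difference once every source is reduced to a common vendor key. The script below is an added example, not code from the original post or from Waldo Security: it normalises hostnames from browser telemetry, app names from a CASB report and vendor names from finance into one key, then reports every observed app the IdP does not actively enforce. The IdP export fields (`label`, `status`, `assigned_users`) and all sample data are constructed for illustration and are not the Okta, Entra ID or Google Workspace schema; the two key-reduction heuristics are deliberately simple and their collisions should be reviewed by hand.

```python
"""Cross-check for Steps 1 and 2: which observed SaaS apps are outside IdP enforcement?"""
import re
from collections import defaultdict

# Constructed sample of an IdP application export (Step 1). The field names are
# this example's own, not the Okta, Entra ID or Google Workspace schema.
IDP_APPS = [
    {"label": "Slack", "status": "ACTIVE", "assigned_users": 412},
    {"label": "Zoom", "status": "ACTIVE", "assigned_users": 398},
    # Configured in the IdP but never switched on: users still sign in locally.
    {"label": "Notion", "status": "INACTIVE", "assigned_users": 0},
]

# Constructed Step 2 observations from three independent sources.
BROWSER_HOSTS = ["app.slack.com", "www.notion.so", "www.figma.com", "zoom.us", "calendly.com"]
CASB_APPS = ["Slack", "Figma", "Airtable", "Zoom"]
FINANCE_VENDORS = ["Slack Technologies", "Figma, Inc.", "Calendly LLC", "Zoom Video Communications"]

TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}  # extend for your own traffic


def app_key_from_host(host):
    """Reduce a hostname to a vendor key: 'www.notion.so' -> 'notion', 'zoom.us' -> 'zoom'.
    Heuristic: the label left of the public suffix; only the suffixes above are handled."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def app_key_from_name(name):
    """Reduce a display or vendor name to a key: 'Slack Technologies' -> 'slack'.
    Heuristic: first alphanumeric word; review collisions by hand."""
    words = re.findall(r"[a-z0-9]+", name.lower())
    return words[0] if words else ""


def find_sso_gaps(idp_apps, browser_hosts, casb_apps, finance_vendors):
    """Return {vendor_key: {"sources": [...], "idp_status": ...}} for every observed app
    that the IdP does not actively enforce SSO for. An app that is in the catalog but
    INACTIVE or unassigned is reported too: a configured integration is not an enforced one."""
    enforced = {app_key_from_name(a["label"]) for a in idp_apps
                if a["status"] == "ACTIVE" and a["assigned_users"] > 0}
    catalog_status = {app_key_from_name(a["label"]): a["status"] for a in idp_apps}

    observed = defaultdict(set)
    for host in browser_hosts:
        observed[app_key_from_host(host)].add("browser")
    for name in casb_apps:
        observed[app_key_from_name(name)].add("casb")
    for vendor in finance_vendors:
        observed[app_key_from_name(vendor)].add("finance")

    return {
        key: {"sources": sorted(sources),
              "idp_status": catalog_status.get(key, "NOT_IN_CATALOG")}
        for key, sources in sorted(observed.items())
        if key not in enforced
    }


if __name__ == "__main__":
    for key, gap in find_sso_gaps(IDP_APPS, BROWSER_HOSTS, CASB_APPS, FINANCE_VENDORS).items():
        print(f"{key:<10} {gap['idp_status']:<15} seen by: {', '.join(gap['sources'])}")
```

Apps seen by more than one source (here Figma, observed in browser traffic, the CASB and finance) are the ones with real adoption and no SSO; an app seen only by finance may be a contract with no users yet, and an app seen only in browser logs may be personal use, so keep the source list in the output rather than collapsing it to a count.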


Step 3 (5 Minutes): Identify Local Credential Accounts

For each SaaS app, including the ones that are behind SSO, verify whether a local login still works:

  • Can users log in with email + password?

  • Are personal emails allowed?

  • Is MFA optional or absent?


Flag:

  • Contractor-created accounts

  • Department-owned admin users

  • Service accounts created outside IT


These identities exist entirely outside centralized enforcement.


Step 4 (5 Minutes): Enumerate OAuth & API-Based Access

Now check OAuth grants and API tokens in:

  • Google Workspace

  • Microsoft 365

  • SaaS admin consoles


Look for:

  • Apps with file, inbox, or calendar access

  • Integrations created by individual users

  • Tokens with no expiration


An OAuth grant is approved once, in a browser session that may well have passed through SSO and MFA. From then on the application authenticates with its token rather than with the user’s session: conditional access and MFA are not re-evaluated on each API call, and a refresh token keeps the grant alive until it is explicitly revoked or expires.


In the Identity pillar of the CISA Zero Trust Maturity Model, continuously validating identity and access, not just at the moment access is first granted, is what marks the optimal stage; a token that is validated once and trusted indefinitely is the opposite of that: https://www.cisa.gov/zero-trust-maturity-model
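Reviewing OAuth grants by hand does not scale past a few dozen, so the triage below, an added example rather than code from the original post or from Waldo Security, ranks grants by the three properties Step 4 asks about: whether the scopes reach mail, files or calendar data, whether the grant persists through a refresh token, and whether an end user rather than an admin consented to it. The scope strings are real Google and Microsoft Graph scope names, but grouping them into data classes, the record field names (`client`, `consent`, `scopes`, `granted`, `last_used`, `refresh_token`) and the sample grants are all this example’s own; map your Google Workspace token report or Graph `oauth2PermissionGrant` export onto those fields.

```python
"""Step 4: triage OAuth grants by the data they reach and how long they keep it."""
from datetime import datetime, timezone

# Real Google and Microsoft Graph scope names; grouping them into data classes
# is this example's own choice. Extend the table for the scopes in your tenant.
SENSITIVE_SCOPES = {
    "https://mail.google.com/": "inbox",
    "https://www.googleapis.com/auth/gmail.readonly": "inbox",
    "https://www.googleapis.com/auth/drive": "files",
    "https://www.googleapis.com/auth/drive.readonly": "files",
    "https://www.googleapis.com/auth/calendar": "calendar",
    "Mail.Read": "inbox",
    "Mail.ReadWrite": "inbox",
    "Files.Read.All": "files",
    "Files.ReadWrite.All": "files",
    "Calendars.Read": "calendar",
}
STALE_AFTER_DAYS = 90
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed grant records. The field names are this example's own; map the rows of
# your Google Workspace token report or Graph oauth2PermissionGrant export onto them.
GRANTS = [
    {"client": "Calendar Sync Pro", "user": "ana@example.com", "consent": "user",
     "scopes": ["https://www.googleapis.com/auth/calendar", "openid"],
     "granted": "2024-02-10", "last_used": "2025-11-20", "refresh_token": True},
    {"client": "PDF Helper", "user": "sam@example.com", "consent": "user",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"],
     "granted": "2023-06-01", "last_used": None, "refresh_token": True},
    {"client": "Corp Backup", "user": None, "consent": "admin",
     "scopes": ["Files.Read.All", "offline_access"],
     "granted": "2024-09-15", "last_used": "2025-12-01", "refresh_token": True},
    {"client": "Profile Widget", "user": "lee@example.com", "consent": "user",
     "scopes": ["User.Read"],
     "granted": "2025-10-01", "last_used": "2025-12-01", "refresh_token": False},
]


def _day(iso_date):
    """Parse a YYYY-MM-DD string as a UTC datetime."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def triage_grant(grant, now):
    """Return the grant's findings and a severity. HIGH means: reaches mail, files or
    calendar data, persists without re-authentication, and was consented by an end user."""
    findings = []
    data = sorted({SENSITIVE_SCOPES[s] for s in grant["scopes"] if s in SENSITIVE_SCOPES})
    if data:
        findings.append("reaches " + "/".join(data))
    # A refresh token (Microsoft signals the request for one with the offline_access
    # scope) lets the app keep calling the API with no new interactive login, so SSO
    # policy and MFA are not re-evaluated until the grant is revoked.
    persistent = grant["refresh_token"] or "offline_access" in grant["scopes"]
    if persistent:
        findings.append("holds a refresh token; access continues without re-authentication")
    if grant["consent"] == "user":
        findings.append("end-user consent, no admin review")
    if grant["last_used"] is None:
        findings.append("never used since grant")
    elif (now - _day(grant["last_used"])).days > STALE_AFTER_DAYS:
        findings.append(f"unused for more than {STALE_AFTER_DAYS} days")

    if data and persistent and grant["consent"] == "user":
        severity = "HIGH"
    elif data and (persistent or grant["consent"] == "user"):
        severity = "MEDIUM"
    else:
        severity = "LOW"
    return {"client": grant["client"], "user": grant["user"],
            "severity": severity, "findings": findings}


def triage_grants(grants, now):
    """Triage every grant and order the result most severe first."""
    return sorted((triage_grant(g, now) for g in grants),
                  key=lambda r: (SEVERITY_RANK[r["severity"]], r["client"]))


if __name__ == "__main__":
    for r in triage_grants(GRANTS, datetime.now(timezone.utc)):
        owner = r["user"] or "tenant-wide"
        print(f"[{r['severity']}] {r['client']} ({owner}): " + "; ".join(r["findings"]))
```

The admin-consented backup job still surfaces as MEDIUM because it holds tenant-wide file access indefinitely; that is a deliberate, reviewed grant, which is exactly what the user-consented ones are not. A grant that has never been used since it was issued is the first candidate for revocation, since nothing will break.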


Step 5 (5 Minutes): Check External & Orphaned Identities

Finally, identify identities that fall outside employee lifecycle controls:

  • Former employees with SaaS-only access

  • External partners

  • Agency and vendor logins

  • Shared or generic accounts


Then ask:

  • Are these identities visible in your IdP?

  • Can they be revoked centrally?


If the answer is “no,” they bypass SSO — regardless of intent.
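Steps 3 and 5 both come down to the same cross-reference: take the member export of an app that accepts local passwords and match each account against the IdP directory and your corporate domains. The script below is an added example, not code from the original post or from Waldo Security, and covers both steps: it sorts every local account into a lifecycle category (orphaned, unknown to the IdP, service account, shared or generic, personal email, external partner, or a real IdP user who nonetheless logs in locally) and raises the severity for admins without MFA. The IdP status values, the account record fields (`email`, `role`, `mfa`, `last_login`), the domain lists and the regexes for generic and service-style mailbox names are all this example’s own assumptions, as is the sample data.

```python
"""Steps 3 and 5: classify local SaaS accounts against the IdP directory."""
import re

CORPORATE_DOMAINS = {"example.com"}
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com", "proton.me"}
# Mailbox-name patterns that usually mean a shared or machine login; tune for your org.
GENERIC_LOCALPART = re.compile(r"^(admin|marketing|ops|support|finance|shared|team|info)(\W|$)")
SERVICE_LOCALPART = re.compile(r"(bot|svc|service|integration|api|automation)", re.I)
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed IdP user export: email -> lifecycle status. Status values are this
# example's own, not a specific IdP's.
IDP_USERS = {
    "ana@example.com": "ACTIVE",
    "sam@example.com": "DEPROVISIONED",   # offboarded centrally, per the IdP
    "lee@example.com": "ACTIVE",
}

# Constructed member export from one SaaS app that accepts local passwords. Each record
# answers the Step 3 questions for that account. Field names are this example's own.
SAAS_ACCOUNTS = [
    {"email": "ana@example.com", "role": "member", "mfa": True, "last_login": "2025-12-01"},
    {"email": "sam@example.com", "role": "admin", "mfa": False, "last_login": "2025-11-28"},
    {"email": "marketing@example.com", "role": "admin", "mfa": False, "last_login": "2025-12-02"},
    {"email": "jo.designer@gmail.com", "role": "member", "mfa": False, "last_login": "2025-10-10"},
    {"email": "pat@agency-partner.io", "role": "member", "mfa": True, "last_login": "2025-12-03"},
    {"email": "deploy-bot@example.com", "role": "admin", "mfa": False, "last_login": None},
]


def classify_account(account, idp_users, corporate_domains=CORPORATE_DOMAINS):
    """Decide which lifecycle control, if any, this local account is tied to, then
    weight it by privilege and MFA. Every account here bypasses SSO by construction;
    the category says how far it also sits from joiner/mover/leaver processes."""
    email = account["email"].lower()
    localpart, _, domain = email.partition("@")
    if domain in PERSONAL_DOMAINS:
        category = "personal_email"
    elif domain not in corporate_domains:
        category = "external"
    elif GENERIC_LOCALPART.match(localpart):
        category = "shared_or_generic"
    elif SERVICE_LOCALPART.search(localpart) and email not in idp_users:
        category = "service_account"
    elif idp_users.get(email) == "DEPROVISIONED":
        category = "orphaned"               # offboarded centrally, still logs in here
    elif email not in idp_users:
        category = "unknown_to_idp"
    else:
        category = "idp_user_local_login"   # real employee, but this login skips SSO

    flags = []
    if account["role"] == "admin":
        flags.append("admin")
    if not account["mfa"]:
        flags.append("no_mfa")
    if account["last_login"] is None:
        flags.append("never_logged_in")

    uncontrolled = category in {"orphaned", "unknown_to_idp", "service_account", "shared_or_generic"}
    if account["role"] == "admin" and (uncontrolled or not account["mfa"]):
        severity = "HIGH"
    elif category != "idp_user_local_login" or not account["mfa"]:
        severity = "MEDIUM"
    else:
        severity = "LOW"
    return {"email": email, "category": category, "flags": flags, "severity": severity}


def audit_accounts(accounts, idp_users):
    """Classify every local account and order the result most severe first."""
    return sorted((classify_account(a, idp_users) for a in accounts),
                  key=lambda r: (SEVERITY_RANK[r["severity"]], r["email"]))


if __name__ == "__main__":
    for r in audit_accounts(SAAS_ACCOUNTS, IDP_USERS):
        print(f"[{r['severity']}] {r['email']:<28} {r['category']:<22} {', '.join(r['flags'])}")
```

The `idp_user_local_login` category is the one teams most often dismiss, and it is the Step 3 point in miniature: the person is a known employee, but because the app accepts a password, disabling them in the IdP will not end their session or their login, so the account still has to be closed inside the app.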


What You’ll Discover (Every Time)

Organizations that run this audit almost always find:

  • Active users not tied to corporate identity

  • OAuth integrations nobody remembers approving

  • SaaS admins outside IT visibility

  • Accounts that survived offboarding


These aren’t edge cases. They’re structural gaps created by SaaS adoption velocity.


Why Compliance Depends on Closing These Gaps

Frameworks like the NIST Privacy Framework and ISO/IEC 27001 require:

  • Accountability for access

  • Traceability across systems

  • Consistent revocation


Identities that bypass SSO break all three.


You can’t prove control over access you don’t govern.


From Detection to Continuous Control

Finding SSO bypasses once is helpful. Finding them continuously is necessary.


Waldo Security’s SaaS & Cloud Discovery Engine automates this process by:

  • Discovering all SaaS apps — known and unknown

  • Identifying identities outside IdP enforcement

  • Detecting OAuth tokens and shadow access

  • Mapping identity exposure across compliance frameworks


This turns SSO from a partial solution into a perimeter you can actually defend.


Conclusion: SSO Is a Boundary, Not the Border

SSO defines where identity can be enforced — not where it is enforced.

If you only defend what your IdP sees, attackers and mistakes will always find the gaps.

The real identity perimeter is everything that bypasses SSO — until you bring it into view.

👉 See how organizations are discovering and governing their full identity perimeter in the 2025 SaaS & Cloud Discovery Report.


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By exposing identities that bypass SSO, unmanaged OAuth access, and Shadow IT, Waldo enables security teams to defend the identity perimeter that actually exists.


