"SSO Everywhere" Is the Most Confidently False Claim in Security
Martin Snyder, May 13
You've heard it. You've probably said it. Maybe in a board meeting, definitely on a vendor call. "We have SSO everywhere." It's the security equivalent of "we have a backup strategy" or "we monitor all our endpoints." Confident. Reassuring. Almost always wrong.
Here's the test. Ask the same CISO who said it to give you the number. Not the percentage of "critical apps" — the percentage of all apps. Not "SSO-eligible" — actually federated. Then watch the answer get vague.
What the math actually looks like
The average enterprise runs north of 100 SaaS applications. The number federated to the IdP is usually somewhere between 30 and 60. So already, before we say anything about quality, "SSO everywhere" means roughly half the apps. That's not "everywhere." That's "the popular ones."
But it gets worse, because that 30-60 number is generous. It counts apps that could route through SSO. Plenty of them don't actually do that for every user. There's almost always a local-account backdoor for the admin who set the integration up. There's almost always a service account using a static password because someone needed it for an integration. There's almost always a contractor who got onboarded through email instead of the IdP because nobody had time. None of those use SSO. All of them work fine.
The OAuth detour
Now add the OAuth fun. "Sign in with Google" is technically using your Google identity. But the conditional access policies you set up in Entra? Not firing. The risk-based step-up auth you bought from your IdP? Not running. The session lifetime you carefully tuned? Different system, different rules. The user signed in once, three months ago, and the refresh token has been quietly minting new access tokens ever since.
This isn't a corner case. It's the default for modern SaaS adoption. The vendor doesn't even tell you it's happening, because from their perspective the user did authenticate.
Then there's the AI problem
Now consider the last 18 months of AI adoption. Most AI tools get signed up for from someone's personal browser, or on their phone, using their work email. None of those workflows pass through your SAML federation. None of them hit your conditional access. And the OAuth scopes they request — read mail, read drive, read calendars — are exactly the scopes that make your data leave the building.
The CISA Zero Trust Maturity Model says identity is the central pillar of modern security. NIST SP 800-63B says authenticator strength only matters at points you control. The OWASP Authentication Cheat Sheet says federated auth only helps when federation is the actual path. None of that works if you don't know which apps your people are using.
The honest answer
The honest version of "SSO everywhere" is: "We have SSO on the apps we know about, mostly, with some exceptions, and we don't really know about a meaningful chunk of the apps that exist." That's a less satisfying sentence. It's also true.
If you want the percentage to be real, you have to do two things. First, count the population correctly — including the apps that aren't in the IdP catalog. Second, measure actual usage, not theoretical coverage. A short piece on finding identities that bypass SSO entirely covers the technique.
Once you have that picture, "SSO everywhere" stops being a claim and starts being a roadmap. Some apps get federated. Some get blocked. Some get tolerated with compensating controls. None of it requires you to lie to yourself.
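The two steps above, counting the real population and measuring actual usage, are easy to state and easy to fudge. The script below is an added illustration, not code from this post or from Waldo Security, and all of its data is constructed: a small IdP catalog plus a handful of sign-in events. It reports three numbers side by side: the "claimed" coverage (federated apps over catalog apps), the "eligible" coverage (federated apps over every app that shows up anywhere, shadow apps included), and the "actual" coverage (user-app identities that only ever authenticated through the IdP). The method labels and app names are assumptions chosen for the example; in practice they would come from your IdP sign-in logs and each app's own audit log.

```python
from collections import defaultdict

# Constructed IdP catalog: app -> whether federation to the IdP is actually
# configured. "ticketing" is in the catalog but SSO was never finished.
IDP_CATALOG = {
    "crm": True,
    "wiki": True,
    "payroll": True,
    "ticketing": False,
}

# Constructed sign-in events (app, user, method). Method labels are assumed:
#   idp_saml / idp_oidc -> session came through the corporate IdP (policies fire)
#   oauth_social        -> "Sign in with Google" style login, IdP bypassed
#   local_password      -> app-local account
#   api_key             -> static secret, no interactive auth at all
EVENTS = [
    ("crm", "alice", "idp_saml"),
    ("crm", "bob", "idp_saml"),
    ("crm", "bob", "local_password"),      # admin backdoor on a federated app
    ("crm", "carol", "local_password"),
    ("wiki", "alice", "idp_oidc"),
    ("wiki", "bob", "idp_oidc"),
    ("wiki", "dave", "idp_oidc"),
    ("wiki", "svc-sync", "api_key"),       # integration account with a static secret
    ("payroll", "bob", "idp_saml"),
    ("payroll", "carol", "idp_saml"),
    ("payroll", "erin", "idp_saml"),
    ("ticketing", "dave", "local_password"),
    ("ai-notes", "alice", "oauth_social"),    # shadow app, not in the catalog
    ("design-tool", "erin", "oauth_social"),  # shadow app, not in the catalog
]

IDP_METHODS = {"idp_saml", "idp_oidc"}


def discover_apps(catalog, events):
    """The real population: catalog apps plus anything seen in sign-in logs."""
    return set(catalog) | {app for app, _, _ in events}


def coverage_report(catalog, events):
    """Return claimed vs eligible vs actual SSO coverage plus the bypass list."""
    apps = discover_apps(catalog, events)
    federated = {app for app, on in catalog.items() if on}
    shadow = apps - set(catalog)

    # An identity is a (user, app) pair; record every method it used.
    methods = defaultdict(set)
    for app, user, method in events:
        methods[(user, app)].add(method)

    # Any non-IdP method on an identity is a bypass, even if it also used SSO.
    bypasses = sorted(
        (user, app, sorted(used - IDP_METHODS))
        for (user, app), used in methods.items()
        if used - IDP_METHODS
    )
    idp_only = sum(1 for used in methods.values() if used <= IDP_METHODS)

    return {
        # what gets said in the board meeting: federated / catalog
        "claimed_pct": round(100 * len(federated) / len(catalog)),
        # federated / every app that actually exists, shadow apps included
        "eligible_pct": round(100 * len(federated) / len(apps)),
        # identities that never touched a non-IdP path
        "actual_pct": round(100 * idp_only / len(methods)),
        "shadow_apps": sorted(shadow),
        "bypasses": bypasses,
    }


if __name__ == "__main__":
    report = coverage_report(IDP_CATALOG, EVENTS)
    for key in ("claimed_pct", "eligible_pct", "actual_pct"):
        print(f"{key:13s} {report[key]}%")
    print("shadow apps:", ", ".join(report["shadow_apps"]))
    for user, app, used in report["bypasses"]:
        print(f"bypass: {user}@{app} via {', '.join(used)}")
```

On this constructed data the same environment reports 75% coverage by the board-meeting count, 50% once the two shadow apps are in the denominator, and 54% when you ask how many identities actually only ever went through the IdP. The bypass list is the roadmap: the admin backdoor and the static-secret service account on federated apps, the unfinished ticketing integration, and the two OAuth detours.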
This is the gap Waldo Security's SaaS Discovery closes — by surfacing every app, every identity, and every SSO bypass so the percentage stops being a vibe.
Curious what your real SSO coverage looks like? Book a demo. We'll measure it for you.