“We Have SSO Everywhere.” No, You Don’t.

SSO coverage is not the same as SSO enforcement. Here’s why most organizations dramatically overestimate how much of their SaaS environment is actually protected.




The Sentence Every Security Leader Has Heard

“We have SSO everywhere.”

It usually comes from a place of confidence — sometimes even pride. The IdP is deployed. The core apps are integrated. MFA is enabled.

And yet, that statement is almost always false.


Not because teams are negligent — but because SSO visibility is routinely confused with SSO reality.


What Teams Mean vs. What’s Actually True

When someone says “We have SSO everywhere,” they usually mean:

  • Our main SaaS apps are integrated with the IdP

  • Employees log in through Okta or Entra ID

  • MFA is enforced on those logins


What’s actually true:

  • SSO applies only to apps IT knows about

  • Many apps allow local credentials alongside SSO

  • OAuth connections bypass SSO entirely

  • Entire SaaS categories never touch the IdP


SSO is present — but it is not universal.


The Data Doesn’t Support the Claim

According to Waldo Security’s 2025 SaaS & Cloud Discovery Report:

  • 97% of SaaS applications are unknown to IT

  • Less than 1% of SaaS accounts enforce MFA

  • 100% of organizations have unauthorized cloud accounts


If 97% of apps are unknown, they are, by definition, not covered by SSO.

That alone should end the argument.


“Supports SSO” Is Not “Uses SSO”

Many SaaS vendors advertise SSO as a feature — not a requirement.


In practice, this means:

  • Users can still log in with email + password

  • SSO is optional, not enforced

  • Admins may use SSO while users do not

  • Contractors create local accounts outside policy


From a security perspective, this creates parallel identity systems inside the same app.


One is governed. The other is invisible.


OAuth: The SSO Escape Hatch

OAuth is where the “SSO everywhere” myth completely collapses.


OAuth tokens:

  • Grant persistent access

  • Don’t require interactive login

  • Aren’t evaluated by MFA policies

  • Often outlive the user who created them


CISA’s Secure Cloud Business Applications (SCuBA) guidance explicitly warns that unmanaged OAuth permissions create durable access paths that bypass centralized authentication controls: https://www.cisa.gov/secure-cloud-business-applications-scuba


If OAuth exists in your environment — and it does — SSO is not “everywhere.”


Compliance Already Treats This as a Problem

Modern compliance frameworks don’t accept intent — they require evidence.


The NIST Privacy Framework and ISO/IEC 27001 expect organizations to:

  • Enumerate access paths

  • Demonstrate enforcement

  • Prove revocation


None of that is possible if identities exist outside SSO coverage.


Auditors don’t ask if you use SSO. They ask where it doesn’t apply.


Why the Myth Persists

The myth survives because:

  • IdP dashboards only show integrated apps

  • Security teams assume “unknown” means “unused”

  • SSO is deployed early — discovery comes later

  • SaaS adoption outpaces identity governance


SSO gives a clean view of a partial environment — which feels complete until something goes wrong.


What “SSO Everywhere” Would Actually Require

True SSO coverage would mean:

  • Every SaaS app is discovered

  • Every login path is enforced

  • Local credentials are disabled

  • OAuth grants are governed

  • External identities are visible

  • Shadow cloud accounts are identified


Most organizations aren’t failing to do this. They simply haven’t seen the full perimeter yet.


Why Discovery Comes Before Enforcement

You can’t enforce SSO where you don’t know it’s missing.

This is why identity-first security starts with discovery — not mandates.


Waldo Security’s SaaS & Cloud Discovery Engine helps teams:

  • Identify all SaaS apps connected to the organization

  • Detect identities and integrations that bypass SSO

  • Surface OAuth tokens and delegated access

  • Map real SSO coverage vs. assumed coverage


This turns SSO from a belief into a measurable control.
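As an added example (not Waldo Security’s code or the Discovery Engine itself), the following Python script scores assumed versus enforced SSO coverage from constructed discovery output: the IdP’s integrated-app list, per-app login events with the method actually used, and OAuth grants. The app names, users and record shapes are assumptions for illustration.

```python
"""Measure assumed vs. enforced SSO coverage across a discovered SaaS estate."""
from collections import defaultdict

# Constructed sample data (not real telemetry), as a discovery pass might report it.
IDP_APPS = {"crm", "wiki", "mail"}  # what the IdP dashboard shows as "covered"

AUTH_EVENTS = [  # (app, user, method): how each login actually happened
    ("crm", "alice@example.com", "saml"),
    ("crm", "bob@example.com", "password"),         # local credential alongside SSO
    ("wiki", "alice@example.com", "saml"),
    ("mail", "carol@example.com", "oidc"),
    ("designtool", "dave@example.com", "password"),  # app the IdP has never seen
    ("designtool", "contractor@vendor.com", "password"),
]

OAUTH_GRANTS = [  # (app, principal, scope): delegated access with no interactive login
    ("mail", "mailsync-bot", "mail.read"),
    ("crm", "alice@example.com", "contacts.readwrite"),
]

SSO_METHODS = {"saml", "oidc"}  # assumed labels the discovery source uses for IdP logins


def sso_coverage(idp_apps, auth_events, oauth_grants):
    """Return a report separating IdP-integrated apps from apps where SSO is enforced."""
    # The real perimeter is every app seen in a login or an OAuth grant.
    discovered = {app for app, _, _ in auth_events} | {app for app, _, _ in oauth_grants}
    unknown_apps = discovered - idp_apps

    # An integrated app only counts as enforced if no login bypassed the IdP.
    local_logins = defaultdict(set)
    for app, user, method in auth_events:
        if method not in SSO_METHODS:
            local_logins[app].add(user)
    integrated = idp_apps & discovered
    enforced = {app for app in integrated if app not in local_logins}

    return {
        "assumed_coverage": len(integrated) / len(discovered),   # what the IdP view implies
        "enforced_coverage": len(enforced) / len(discovered),    # what actually holds
        "unknown_apps": sorted(unknown_apps),
        "local_logins": {app: sorted(users) for app, users in local_logins.items()},
        "oauth_apps": sorted({app for app, _, _ in oauth_grants}),  # review separately
    }


if __name__ == "__main__":
    for key, value in sso_coverage(IDP_APPS, AUTH_EVENTS, OAUTH_GRANTS).items():
        print(f"{key}: {value}")
```

On the sample data the IdP view suggests 75% coverage while only 50% of the estate actually enforces SSO; the OAuth list is reported on its own because those grants never pass through the login path at all.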


Conclusion: Stop Saying It. Start Proving It.

“We have SSO everywhere” is comforting. It’s also dangerous.

Because attackers don’t target the places you’ve secured — they target the ones you’ve assumed were secure.

SSO isn’t a blanket. It’s a boundary — and most organizations haven’t mapped where it ends.

👉 See how organizations are uncovering where SSO really applies in the 2025 SaaS & Cloud Discovery Report.


About Waldo Security

Waldo Security helps organizations discover, classify, and secure every SaaS and cloud service in use — known or unknown. By exposing identities that bypass SSO, unmanaged OAuth access, and Shadow IT, Waldo enables security teams to defend the identity perimeter that actually exists.

