Are all human identities federated through SSO (no local IAM users)?
Description
What this control does
This control mandates that all human user accounts authenticate through a centralized Single Sign-On (SSO) identity provider rather than through locally created identity and access management (IAM) accounts within cloud platforms, applications, or infrastructure. Federation maps external identity provider credentials to internal authorization policies, so no long-lived credentials are stored in the target systems. This reduces credential sprawl, enforces uniform authentication policies (e.g., MFA, password complexity), centralizes audit trails, and simplifies offboarding by revoking access at the identity source rather than in each system individually.
Control objective
What auditing this proves
Demonstrate that all human users authenticate exclusively via federated SSO integration and no local IAM user accounts with credentials exist outside break-glass or service-specific exceptions.
Associated risks
Risks this control addresses
- Orphaned local accounts persist after employee termination, enabling unauthorized access by former personnel or malicious insiders
- Weak or reused passwords on local accounts bypass centrally enforced authentication policies, enabling credential stuffing or brute-force attacks
- Inconsistent MFA enforcement across local accounts creates authentication gaps exploitable by attackers who compromise primary credentials
- Decentralized credential management delays incident response due to fragmented audit logs and inability to rapidly disable compromised identities across all systems
- Local administrator accounts with static credentials become high-value targets for lateral movement after initial compromise
- Absence of centralized session management prevents security teams from enforcing adaptive authentication or terminating sessions organization-wide during active incidents
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all cloud platforms, SaaS applications, and internal systems that support human authentication.
- Export the full list of IAM users, service accounts, and identity principals from each system (e.g., AWS IAM user list, Azure AD users, application user databases).
- Review SSO/federation configuration documentation and identity provider integration settings for each system to confirm federation is enabled and enforced.
- Filter the exported user lists to identify all accounts not mapped to the centralized identity provider, excluding documented break-glass or emergency access accounts.
- For each identified local account, request creation justification, business owner approval, and periodic review records from the access governance process.
- Select a sample of federated users and trace their authentication logs to verify SSO authentication events rather than local credential usage.
- Attempt to create a new local IAM user in a representative system to verify preventive controls block local account creation without exception approval.
- Review authentication policy configurations to confirm local password authentication methods are disabled or blocked where federation is configured.
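A worked check for the filtering step of the procedure (identifying exported accounts that are not mapped to the identity provider), added here as an example and not part of the original control text. It parses a constructed, abbreviated AWS IAM credential report and reports local users outside the documented break-glass and service-account exception lists; the account names and both exception lists are assumed values.

```python
import csv
import io

# Constructed sample in the (abbreviated) column layout of an AWS IAM credential
# report, as returned by `aws iam get-credential-report`; all values are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,false,N/A
breakglass-admin,arn:aws:iam::111111111111:user/breakglass-admin,2021-03-01T00:00:00+00:00,true,no_information,2023-12-01T00:00:00+00:00,N/A,true,false,N/A,false,N/A
jsmith,arn:aws:iam::111111111111:user/jsmith,2022-06-10T00:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,false,true,2024-01-10T00:00:00+00:00,false,N/A
ci-deployer,arn:aws:iam::111111111111:user/ci-deployer,2022-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-01T00:00:00+00:00,false,N/A
"""

BREAK_GLASS = {"breakglass-admin"}   # documented emergency-access exceptions (assumed names)
SERVICE_ACCOUNTS = {"ci-deployer"}   # documented service-specific exceptions (assumed names)


def find_local_human_accounts(report_csv, break_glass, service_accounts):
    """Return (user, reason) findings: local IAM users that can sign in with
    credentials held in AWS and are outside the documented exception lists,
    plus exception accounts whose configuration contradicts their purpose."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        if name == "<root_account>":
            continue  # root is reviewed separately; it cannot be federated
        console = row["password_enabled"] == "true"
        keys = row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"
        mfa = row["mfa_active"] == "true"
        if name in break_glass:
            if not mfa:
                findings.append((name, "break-glass account without MFA"))
        elif name in service_accounts:
            if console:
                findings.append((name, "service account has a console password"))
        elif console:
            findings.append((name, "undocumented local user with console password"))
        elif keys:
            findings.append((name, "undocumented local user with active access keys"))
    return findings


if __name__ == "__main__":
    for user, reason in find_local_human_accounts(SAMPLE_REPORT, BREAK_GLASS, SERVICE_ACCOUNTS):
        print(f"{user}: {reason}")
```

Each finding is a local account the auditor should take to step 5 of the procedure (justification, owner approval and review records); an empty result for a real report is the evidence the control objective asks for.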