SSO coverage on Tier-1 SaaS
Demonstrate that all Tier-1 SaaS applications enforce authentication exclusively through the organization's centralized SSO identity provider, with no direct password-based login paths enabled for standard users.
Description
What this control does
This control requires that all Tier-1 SaaS applications (critical business systems such as email, collaboration platforms, CRM, HR systems, and financial software) enforce Single Sign-On (SSO) authentication through a centralized identity provider (IdP). SSO consolidates authentication to a single, hardened credential set, enabling centralized password policies, multi-factor authentication enforcement, session management, and rapid access revocation across all connected applications. By eliminating redundant credentials and authentication surfaces, SSO reduces password fatigue, shadow IT risks, and the attack surface associated with weak or reused passwords across disparate systems.
Control objective
What auditing this proves
Demonstrate that all Tier-1 SaaS applications enforce authentication exclusively through the organization's centralized SSO identity provider, with no direct password-based login paths enabled for standard users.
Associated risks
Risks this control addresses
- Credential stuffing or password spraying attacks against SaaS applications with weak or reused passwords
- Delayed access revocation when employees are terminated or change roles, due to scattered credential management across multiple platforms
- Inconsistent multi-factor authentication enforcement across SaaS applications lacking centralized control
- Phishing attacks targeting application-specific credentials that bypass organizational monitoring and password policies
- Shadow IT expansion through ungoverned SaaS accounts created with personal email addresses or weak passwords
- Increased help desk burden and operational overhead from managing multiple credential sets per user
- Audit trail fragmentation making it difficult to correlate user activity across systems during incident response
Testing procedure
How an auditor verifies this control
- Obtain the organization's official inventory of Tier-1 SaaS applications, including application name, business criticality classification, and number of licensed users.
- Export the list of active SAML or OIDC integrations from the organization's SSO identity provider (e.g., Okta, Azure AD, Google Workspace) showing connected applications and configuration status.
- For each Tier-1 SaaS application, log into the administrative console and review authentication settings to confirm SSO enforcement is enabled and local password authentication is disabled for standard users.
- Select a sample of 3-5 Tier-1 SaaS applications and attempt to access the login page directly (bypassing the SSO portal) using a test account to verify that direct password login is blocked or redirected to SSO.
- Review the SSO identity provider's audit logs for the past 90 days to identify any authentication events to Tier-1 applications that did not originate through SSO flows.
- Cross-reference the SSO integration list against the Tier-1 application inventory to identify any gaps where critical applications lack SSO configuration.
- Interview IT and application owners for any Tier-1 applications not using SSO to document approved exceptions, compensating controls, and remediation timelines.
- Examine change management records or project documentation evidencing SSO implementation for recently onboarded Tier-1 applications.
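The cross-referencing, console-review and log-review steps above (IdP integration export versus the Tier-1 inventory, per-app authentication settings, and authentication events that did not come through SSO), as an added example that is not part of the original control text; the inventory, export, settings and events are constructed sample data and their field names are assumptions, not any IdP's real export format:

```python
from collections import defaultdict

# Constructed Tier-1 inventory export (field names are assumptions).
TIER1_INVENTORY = [{"app": "email", "criticality": "Tier-1"},
                   {"app": "crm", "criticality": "Tier-1"},
                   {"app": "hr", "criticality": "Tier-1"},
                   {"app": "finance", "criticality": "Tier-1"},
                   {"app": "wiki", "criticality": "Tier-2"}]
# Constructed SAML/OIDC integration export from the IdP.
IDP_INTEGRATIONS = [{"app": "email", "protocol": "SAML", "status": "active"},
                    {"app": "crm", "protocol": "OIDC", "status": "active"},
                    {"app": "hr", "protocol": "SAML", "status": "inactive"}]
# Constructed authentication settings read from each app's admin console.
APP_AUTH_SETTINGS = {"email": {"sso_enforced": True, "local_password_login": False},
                     "crm": {"sso_enforced": True, "local_password_login": True},
                     "hr": {"sso_enforced": False, "local_password_login": True}}
# Constructed 90-day authentication events (method = how the session was obtained).
AUTH_EVENTS = [{"app": "email", "user": "alice", "method": "saml"},
               {"app": "crm", "user": "bob", "method": "password"},
               {"app": "crm", "user": "carol", "method": "oidc"},
               {"app": "finance", "user": "dave", "method": "password"}]
SSO_METHODS = {"saml", "oidc"}


def find_gaps(inventory, integrations, settings, events):
    """Return {app: [findings]} for every Tier-1 app that fails the control."""
    active = {i["app"] for i in integrations if i["status"] == "active"}
    findings = defaultdict(list)
    for item in inventory:
        if item["criticality"] != "Tier-1":
            continue  # only Tier-1 apps are in scope for this control
        app = item["app"]
        if app not in active:
            findings[app].append("no active SAML/OIDC integration in IdP")
        # An app with no console evidence is treated as failing, not passing.
        cfg = settings.get(app, {})
        if not cfg.get("sso_enforced", False):
            findings[app].append("SSO not enforced in app console")
        if cfg.get("local_password_login", True):
            findings[app].append("local password login enabled")
        non_sso = sorted({e["user"] for e in events
                          if e["app"] == app and e["method"] not in SSO_METHODS})
        if non_sso:
            findings[app].append("non-SSO logins by: " + ", ".join(non_sso))
    return dict(findings)
```

Apps that pass every check (here, email) produce no entry; each finding maps to one of the procedure steps, so the output doubles as a workpaper listing which Tier-1 apps need an exception record or remediation timeline.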
Where this control is tested