SSO enforced on all SaaS where supported
Description
What this control does
This control mandates that Single Sign-On (SSO) integration is configured and enforced for all Software-as-a-Service (SaaS) applications that offer SSO capabilities, typically via SAML 2.0, OAuth 2.0/OIDC, or other federated identity protocols. By centralizing authentication through an identity provider (IdP), organizations eliminate the need for users to maintain separate credentials per application, enabling centralized access governance, stronger authentication policies (such as MFA), and immediate access revocation upon termination. SaaS applications that do not support SSO must be documented with a compensating control or remediation plan.
Control objective
What auditing this proves
Demonstrate that all SaaS applications supporting SSO have it enabled and enforced, preventing local authentication bypass, and that any exceptions are documented with mitigating controls.
Associated risks
Risks this control addresses
- Weak or reused passwords on individual SaaS platforms enabling credential stuffing or brute-force attacks
- Failure to promptly revoke access when employees leave, allowing terminated users to retain access through orphaned local accounts
- Inconsistent multi-factor authentication enforcement across SaaS tools when authentication is not centralized
- Inability to audit authentication events centrally, obscuring suspicious login activity or compromised accounts
- Shadow IT expansion as non-SSO applications proliferate without centralized identity governance
- Increased phishing surface area as users manage numerous standalone credentials susceptible to social engineering
- Violation of compliance requirements mandating centralized identity management and auditability (e.g., SOC 2, ISO 27001)
Testing procedure
How an auditor verifies this control
- Obtain a current inventory of all SaaS applications in use across the organization, including departmental and team-level tools, from IT asset management, procurement records, and cloud access security broker (CASB) discovery logs.
- Cross-reference the SaaS inventory against vendor documentation or product feature matrices to identify which applications natively support SSO via SAML, OIDC, or other federated protocols.
- Select a representative sample of SSO-capable SaaS applications spanning critical business functions (e.g., productivity, HR, development, finance) for detailed configuration review.
- Review each sampled application's authentication settings in the admin console to verify SSO is enabled and that local username/password authentication is disabled or restricted to break-glass accounts only.
- Examine the identity provider (IdP) configuration for each sampled SaaS application to confirm active SSO integration, valid SAML/OIDC assertions, and proper attribute mapping.
- Attempt to authenticate to a sampled SaaS application using a local (non-SSO) credential, if test accounts exist, to validate that direct authentication is blocked or redirected to the IdP.
- Review exception documentation for any SaaS applications that support SSO but have it disabled, verifying the presence of a documented business justification, compensating controls (e.g., enforced MFA, privileged access management), and remediation timeline.
- Inspect centralized authentication logs from the IdP to confirm that authentication events for sampled SaaS applications are flowing through the SSO provider and not bypassing it via local login methods.
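The testing procedure above reduces to a small set of checks over three inputs: the SaaS inventory with its SSO-support and enforcement flags, the exception register, and per-application login events. As an added example that is not part of this control page and not any product's own tooling, the following Python script runs those checks over constructed sample records and emits one finding per gap: an SSO-capable app with SSO not enforced and no exception on file, an exception missing a justification, compensating control or remediation date, a non-SSO app with no documented plan, and local logins on an SSO-enforced app by anyone outside the break-glass list. The record layouts, application names and finding codes are assumptions made for the illustration.

```python
"""Audit helper for the SSO-enforcement control: checks a SaaS inventory,
its exception register and per-app login events for control gaps.
All record layouts and sample data below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SaaSApp:
    name: str
    supports_sso: bool          # vendor natively supports SAML/OIDC
    sso_enforced: bool          # SSO enabled and local login disabled in admin console
    exception: Optional[dict] = None  # documented exception, if any


@dataclass
class LoginEvent:
    app: str
    user: str
    method: str   # "sso" (came via the IdP) or "local" (username/password on the app)
    ts: str       # ISO-8601 timestamp as recorded by the application


# An exception must carry all three of these to count as properly documented.
REQUIRED_EXCEPTION_FIELDS = ("justification", "compensating_controls", "remediation_by")

Finding = Tuple[str, str, str]  # (app name, finding code, detail)


def audit_sso_enforcement(inventory: List[SaaSApp], events: List[LoginEvent],
                          break_glass_accounts: set) -> List[Finding]:
    """Return one finding per control gap, in inventory order."""
    by_app: Dict[str, List[LoginEvent]] = {}
    for e in events:
        by_app.setdefault(e.app, []).append(e)

    findings: List[Finding] = []
    for app in inventory:
        exc = app.exception
        if app.supports_sso and not app.sso_enforced:
            if exc is None:
                findings.append((app.name, "SSO_NOT_ENFORCED_NO_EXCEPTION", ""))
            else:
                missing = [f for f in REQUIRED_EXCEPTION_FIELDS if not exc.get(f)]
                if missing:
                    findings.append((app.name, "EXCEPTION_INCOMPLETE", ",".join(missing)))
        if not app.supports_sso and exc is None:
            # Apps that cannot do SSO still need a compensating control or remediation plan.
            findings.append((app.name, "NO_SSO_SUPPORT_UNDOCUMENTED", ""))
        if app.sso_enforced:
            # Any local login outside the break-glass set means enforcement is bypassable.
            local = [e for e in by_app.get(app.name, [])
                     if e.method == "local" and e.user not in break_glass_accounts]
            if local:
                users = sorted({e.user for e in local})
                findings.append((app.name, "LOCAL_LOGIN_BYPASS", ",".join(users)))
    return findings


def run_sample() -> List[Finding]:
    """Constructed inventory and login events exercising each finding type."""
    inventory = [
        SaaSApp("crm", True, True),
        SaaSApp("wiki", True, False),
        SaaSApp("payroll", True, False, exception={
            "justification": "vendor SSO tier not yet purchased",
            "compensating_controls": "app-level MFA enforced for all users"}),
        SaaSApp("legacy-ticketing", False, False),
        SaaSApp("chat", True, True),
        SaaSApp("build-server", False, False, exception={
            "justification": "no federation support",
            "compensating_controls": "MFA and IP allow-list",
            "remediation_by": "2025-12-31"}),
    ]
    events = [
        LoginEvent("crm", "alice", "sso", "2025-03-01T09:00:00Z"),
        LoginEvent("crm", "breakglass-admin", "local", "2025-03-01T09:05:00Z"),
        LoginEvent("crm", "bob", "local", "2025-03-02T08:30:00Z"),
        LoginEvent("chat", "alice", "sso", "2025-03-02T10:00:00Z"),
        LoginEvent("wiki", "carol", "local", "2025-03-02T11:00:00Z"),
    ]
    return audit_sso_enforcement(inventory, events, {"breakglass-admin"})


if __name__ == "__main__":
    for app, code, detail in run_sample():
        print(f"{app:18} {code:32} {detail}")
```

In practice the `LoginEvent` list would be built from each application's own audit export, and the SSO events cross-checked against the IdP's assertion log so that a "sso" entry in the app log is corroborated by a matching IdP event; the break-glass set should come from the documented exception register, not from the auditor's memory.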
Where this control is tested