
Pro audit program · v1.0

SSO Health Check

Single sign-on is only as strong as the apps it covers and the policies behind it. Quick check on coverage, MFA, conditional access and session controls.

  • General target area
  • NIST CSF framework
  • 6 controls in this program
  • Cyentrix · Trusted Author

Risks addressed

  • High · Tier-1 apps not behind SSO: separate password leakage
  • High · IdP outage causes business-wide lockout
  • High · No conditional access: risky sign-ins not challenged

Controls (6)

  1. SSO coverage on Tier-1 SaaS

    High

    How to test + evidence

    Testing procedure: List the Tier-1 SaaS applications and verify that SSO is enforced on each.

    Evidence to collect: SSO configuration screenshots for each application.

  2. MFA enforced at the IdP layer

    Critical

    How to test + evidence

    Testing procedure: Confirm the IdP policy requires MFA on every sign-in for the workforce.

    Evidence to collect: IdP policy export.

  3. Conditional access for risky sign-ins

    High

    How to test + evidence

    Testing procedure: Confirm policies challenge or block sign-ins from anomalous IPs, impossible travel and unmanaged devices.

    Evidence to collect: Conditional access policy export plus sample alerts.

  4. Break-glass admin accounts excluded from CA

    High

    How to test + evidence

    Testing procedure: Confirm that two break-glass accounts are exempted from conditional access, restricted to hardware keys only, and alert on every use.

    Evidence to collect: Break-glass register and the associated alerts.

  5. Session timeout + reauthentication on sensitive ops

    Medium

    How to test + evidence

    Testing procedure: Confirm sensitive flows force reauthentication and the maximum session length is documented.

    Evidence to collect: IdP session-policy export.

  6. IdP availability monitored

    Medium

    How to test + evidence

    Testing procedure: Confirm health checks alert on authentication failures and IdP downtime.

    Evidence to collect: Monitoring dashboard.
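As an added example (not part of this audit program), the following Python evaluates controls 1, 2 and 4 against a constructed IdP export: Tier-1 apps without SSO, users excluded from the all-user MFA policy who are not registered break-glass accounts, and break-glass accounts that are not hardware-key only or do not alert on use. The export shape and field names (`sso_enforced`, `excluded_users`, `fido2`) are assumptions, not any vendor's schema.

```python
# Added example (not part of the audit program): check controls 1, 2 and 4 against
# a constructed IdP export. The shape and field names are assumed, not a vendor format.
EXPORT = {
    "apps": [
        {"name": "Payroll", "tier": 1, "sso_enforced": True},
        {"name": "CRM", "tier": 1, "sso_enforced": False},   # local login still allowed
        {"name": "Wiki", "tier": 2, "sso_enforced": False},  # not Tier-1, out of scope
    ],
    "policies": [
        {"name": "Require MFA", "state": "enabled", "scope": "all_users",
         "require_mfa": True, "excluded_users": ["bg-admin-1", "bg-admin-2", "svc-legacy"]},
    ],
    "break_glass": [
        {"user": "bg-admin-1", "methods": ["fido2"], "alert_on_use": True},
        {"user": "bg-admin-2", "methods": ["fido2", "sms"], "alert_on_use": False},
    ],
}


def tier1_without_sso(export):
    """Control 1: Tier-1 apps where SSO is not enforced."""
    return sorted(a["name"] for a in export["apps"]
                  if a["tier"] == 1 and not a["sso_enforced"])


def mfa_exclusion_gaps(export):
    """Control 2: users excluded from an enabled all-user MFA policy who are not
    registered break-glass accounts. Returns None when no such policy exists."""
    allowed = {b["user"] for b in export["break_glass"]}
    for p in export["policies"]:
        if p["state"] == "enabled" and p["scope"] == "all_users" and p["require_mfa"]:
            return sorted(set(p["excluded_users"]) - allowed)
    return None


def break_glass_findings(export):
    """Control 4: exactly two accounts, hardware-key only, alerting on use."""
    findings = []
    accounts = export["break_glass"]
    if len(accounts) != 2:
        findings.append(f"expected 2 break-glass accounts, found {len(accounts)}")
    for acct in accounts:
        extra = set(acct["methods"]) - {"fido2"}  # "fido2" stands for hardware key here
        if extra:
            findings.append(f"{acct['user']}: non-hardware methods {sorted(extra)}")
        if not acct["alert_on_use"]:
            findings.append(f"{acct['user']}: no alert on use")
    return findings
```

A `None` from `mfa_exclusion_gaps` is itself a finding: no enabled policy requires MFA for all users.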