SSO Security Best Practices: How to Reduce Identity Risk and Prevent Account Compromise
In October 2025, the University of Pennsylvania experienced a major data breach after attackers gained access to a single employee’s PennKey single sign-on (SSO) account. That one compromised identity unlocked the university’s virtual private network (VPN) and a long chain of connected systems, including Salesforce Marketing Cloud, Qlik, SAP business intelligence tools, and SharePoint.
Before the intrusion was detected and the attacker was ejected, more than 1.2 million student, alumni, and donor records were exfiltrated. The stolen data included highly sensitive personal, demographic, and financial information. The attacker also used the access they retained to send mass emails to hundreds of thousands of recipients, showing how difficult it can be to fully contain an SSO-based breach once it has begun.
Don’t let convenience become risk
“This incident highlights the double-edged nature of SSO. It is an effective way to simplify access and strengthen security through centralized monitoring and multi-factor authentication (MFA), but if one identity provider (IdP) account is compromised, it can act like a master key and provide access to multiple connected systems at once.”
Darren James, Specops Senior Product Manager, commenting on the University of Pennsylvania cyber-attack
Identify your critical SSO assets
Understanding why these failures cascade, and how to prevent them, is essential for any organization that relies on cloud identity platforms. Reducing SSO risk starts with knowing which assets matter most, how to harden access, and how to prepare for the failures that will inevitably occur.
The four assets that must be prioritized and secured:
- IdP administrator accounts: These accounts grant users complete control over your identity infrastructure. Account holders can modify authentication policies, add users, and grant application access.
- Signing certificates and keys: If attackers obtain a signing certificate or key, they can generate valid authentication tokens and impersonate any user. This can allow them to bypass MFA and access applications indefinitely.
- Open Authorization (OAuth) secrets and credentials: Leaked secrets grant attackers persistent system access without user interaction or authentication challenges. These credentials often go overlooked and are frequently stored insecurely.
- Consent grants and delegated permissions: OAuth consent flows let third-party applications access user data on an ongoing basis. When users unknowingly approve malicious or overly permissive apps, those apps can extract data silently for long periods of time without triggering alerts.
A compromise of any of these components can give attackers the ability to impersonate users, escalate access, or move laterally across your entire identity platform. You should protect these assets with the same rigor you apply to root passwords.
Harden your IdP administration security
Protecting your IdP starts with locking down how it is administered. Standard user accounts and basic MFA are not sufficient for protecting the system that controls access to every connected application.
“Controls like device pinning and posture checks, which ensure credentials can only be used from trusted and compliant devices, would significantly reduce the likelihood of this type of intrusion.”
Darren explains how organizations can improve SSO security
Five principles you can apply to harden your IdP administration security:
- Admin privileges should never sit on day-to-day user accounts. Create separate, purpose-built administrator identities that are used only for managing the IdP. This reduces the risk that malware, phishing, or session theft on a regular workstation leads directly to privileged compromise.
- Administrative accounts should use hardware security keys or platform authenticators. Push notifications alone are vulnerable to MFA fatigue attacks and social engineering. Phishing-resistant MFA ensures that even if an attacker has the password, they cannot complete the login challenge.
- Identity administration should be performed only from hardened, controlled workstations that do not allow risky browsing or email access. These privileged access workstations reduce the likelihood that attackers can pivot from a compromised laptop into the identity environment.
- Permanent administrator rights increase risk. Grant elevated privileges only when needed and for the specific time and task required, then automatically remove them. This limits the window of opportunity for attackers to exploit privileged access.
- For critical actions such as adding new global administrators, modifying MFA policies, or rotating signing certificates, require separate authorization from multiple administrators. This provides an additional checkpoint that can stop malicious or accidental changes before they take effect.
Protect your SSO signing keys and secrets
Even strong administrative controls cannot compensate for weak protection of the cryptographic materials that your identity provider depends on. Signing keys should never be kept in configuration files, source code repositories, or unencrypted local storage. Instead, use hardware security modules, cloud key management services, or secure secrets vaults. These services provide built-in protections such as hardware backed storage, access controls, and audit logging.
Manual rotation can easily fail or be delayed due to operational pressures. It can also be a disruptive or time-consuming endeavor, which can lead to long periods where keys remain static and vulnerable. To avoid this, organizations should automate key rotation on a defined schedule. Automated rotation limits the damage that can occur if a compromise goes undetected.
Many organizations aim for quarterly rotation of signing certificates and monthly rotation of OAuth secrets. The same approach can be applied to service credentials by using short-lived tokens that expire after a few hours or days instead of permanent passwords or application programming interface (API) keys. Long-lived API keys and service passwords create unnecessary risk; short-lived tokens ensure that even if a token is intercepted, the attacker’s window of opportunity is very small.
It’s also important to monitor for unauthorized use: unexpected token creation, signing events, or OAuth activity can indicate key misuse. Feed these logs into your security information and event management (SIEM) platform to detect suspicious behavior early.
Apply least privilege across all connected applications
OAuth scopes and Security Assertion Markup Language (SAML) attributes determine the data and actions each application can access. Default configurations often grant far more permission than necessary because it makes troubleshooting easier, but this also expands the blast radius when an account is compromised. Enforcing least privilege helps contain this risk.
Control application access with these practices:
- Limit OAuth scopes to the minimum required functionality: An expense reporting tool doesn’t need calendar read access, and a collaboration app does not need to read every user’s profile. Grant only the permissions an application requires to function properly.
- Regularly review third-party application consent: Users often approve OAuth applications without reading or fully understanding the permissions they are giving. Routine audits help identify applications with excessive access and suspicious consent patterns.
- Enforce System for Cross-domain Identity Management (SCIM) provisioning tied to the employee lifecycle: Automated provisioning ensures new hires get access on day one, and automated deprovisioning ensures terminated employees lose access within minutes, not days.
These actions will reduce the risk of dormant accounts and unnecessary permissions lingering in your environment.
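One way to put the scope-review practices above into code, as an added example that is not Specops code: each approved application gets a minimum-scope baseline, and every consent grant is compared against it. The application names, scope names and grant records are constructed assumptions.

```python
"""Added example (not Specops code): review OAuth consent grants against a
per-application minimum-scope baseline and flag excessive or unapproved grants.
The baseline, app names and grant records below are constructed assumptions."""
from collections import Counter

# Hypothetical baseline: the scopes each approved app actually needs to function.
SCOPE_BASELINE = {
    "expense-reporter": {"openid", "profile", "email"},
    "team-chat":        {"openid", "profile", "User.Read"},
}

# Constructed consent-grant records, in the shape an IdP audit export might use.
CONSENT_GRANTS = [
    {"app": "expense-reporter", "user": "alice", "scopes": ["openid", "profile", "email"]},
    {"app": "expense-reporter", "user": "bob",   "scopes": ["openid", "email", "Calendars.Read"]},
    {"app": "team-chat",        "user": "carol", "scopes": ["openid", "profile", "User.Read.All"]},
    {"app": "pdf-magic",        "user": "dave",  "scopes": ["Mail.Read", "Files.ReadWrite.All"]},
    {"app": "pdf-magic",        "user": "erin",  "scopes": ["Mail.Read", "Files.ReadWrite.All"]},
]

def review_grants(grants, baseline):
    """Return findings: scopes beyond the baseline for known apps, and any
    grant to an app that has no approved baseline at all."""
    findings = []
    for g in grants:
        allowed = baseline.get(g["app"])
        if allowed is None:                       # nobody approved this app for use
            findings.append({"app": g["app"], "user": g["user"],
                             "issue": "unapproved-app", "scopes": sorted(g["scopes"])})
            continue
        excess = sorted(set(g["scopes"]) - allowed)
        if excess:                                # granted more than the app needs
            findings.append({"app": g["app"], "user": g["user"],
                             "issue": "excessive-scopes", "scopes": excess})
    return findings

def apps_by_finding_count(findings):
    """Rank apps by number of findings so reviewers start with the worst offenders."""
    return Counter(f["app"] for f in findings).most_common()

if __name__ == "__main__":
    found = review_grants(CONSENT_GRANTS, SCOPE_BASELINE)
    for f in found:
        print(f)
    print(apps_by_finding_count(found))
```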
Detect SSO threats early and respond quickly
Unfortunately, even the best prevention controls cannot eliminate identity-based attacks, which is why fast detection and rapid response are critical to limiting damage. The speed at which you identify suspicious activity often determines whether an attacker gains broad access or is stopped early. To boost your resilience, we recommend the following actions:
- Log all configuration changes to your IdP and route them to your SIEM for correlation with other security events. Correlating IdP logs with authentication events, network activity, or endpoint alerts helps reveal patterns that might otherwise go unnoticed.
- Monitor token issuance anomalies. Sudden spikes in token creation, authentication attempts from unusual locations, or token requests from dormant accounts can indicate that an attacker has gained access.
- Watch for unexpected consent grants, especially those occurring outside normal business hours or tied to unfamiliar application publishers. Unauthorized OAuth consent is a common method for establishing persistence without triggering MFA prompts.
- Support rapid token and session revocation. When suspicious activity is detected, the ability to immediately invalidate all active sessions for a user can prevent attackers from expanding their access. Manual revocation workflows that require approvals or multiple handoffs give attackers time to entrench themselves.
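The monitoring points above (and the key-misuse signals in the signing-key section) as working detection rules, added here as an example rather than Specops code: the rules run over a constructed JSON-lines IdP audit log and flag configuration changes, tokens issued to dormant accounts, token bursts, and consent grants that are off-hours or from an unknown publisher. The event fields, thresholds, business hours and directory data are all assumptions.

```python
"""Added example (not Specops code): simple detection rules over constructed
IdP audit events of the kind this section describes. Event fields, thresholds,
business hours and directory data are all assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_DAYS = 90                 # no sign-in for this long counts as dormant
TOKEN_BURST = 5                   # tokens per user within BURST_WINDOW fires an alert
BURST_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59 local time
KNOWN_PUBLISHERS = {"Contoso Ltd", "Fabrikam Inc"}
# Constructed directory data: each user's last successful sign-in.
LAST_SEEN = {"alice": "2026-01-30T09:00:00", "mallory": "2025-09-01T10:00:00"}

# Constructed JSON-lines audit log (ISO 8601 local timestamps).
SAMPLE_LOG = """\
{"ts":"2026-02-02T09:00:01","type":"config_change","actor":"admin1","target":"mfa_policy"}
{"ts":"2026-02-02T09:01:00","type":"token_issued","user":"alice","app":"mail"}
{"ts":"2026-02-02T09:02:00","type":"token_issued","user":"mallory","app":"crm"}
{"ts":"2026-02-02T09:02:10","type":"token_issued","user":"mallory","app":"bi"}
{"ts":"2026-02-02T09:02:20","type":"token_issued","user":"mallory","app":"vpn"}
{"ts":"2026-02-02T09:02:30","type":"token_issued","user":"mallory","app":"files"}
{"ts":"2026-02-02T09:02:40","type":"token_issued","user":"mallory","app":"hr"}
{"ts":"2026-02-02T22:15:00","type":"consent_grant","user":"alice","app":"PDF Helper","publisher":"Unknown Dev"}
"""

def detect(log_text, now=datetime(2026, 2, 2, 23, 0, 0)):
    """Return alerts as (rule, detail) tuples. `now` is fixed for reproducibility."""
    alerts, recent, dormant_seen = [], defaultdict(list), set()
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "config_change":           # every IdP config change goes to the SIEM
            alerts.append(("idp_config_change", f'{ev["actor"]} changed {ev["target"]}'))
        elif ev["type"] == "token_issued":
            user = ev["user"]
            idle = now - datetime.fromisoformat(LAST_SEEN[user])
            if idle > timedelta(days=DORMANT_DAYS) and user not in dormant_seen:
                dormant_seen.add(user)                # alert once per dormant account
                alerts.append(("dormant_account_token", user))
            recent[user] = [t for t in recent[user] if ts - t <= BURST_WINDOW] + [ts]
            if len(recent[user]) == TOKEN_BURST:     # fire once when the threshold is hit
                alerts.append(("token_burst", user))
        elif ev["type"] == "consent_grant":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_consent", f'{ev["user"]} -> {ev["app"]}'))
            if ev["publisher"] not in KNOWN_PUBLISHERS:
                alerts.append(("unknown_publisher_consent", ev["app"]))
    return alerts
```

In a real deployment these rules would consume the IdP's audit export in the SIEM and the dormant-account lookup would come from the directory rather than a dictionary.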
Build resilience and emergency access into your IdP
Your IdP can fail for many reasons, including misconfigurations, software bugs, outages, or active attacks. Building resilience into your identity environment is essential for maintaining continuity during these events, which can be achieved with the following actions:
- Maintain break-glass accounts stored in a password vault: Emergency credentials that bypass normal authentication flows allow you to recover from an IdP outage or a complete compromise. Test these accounts on a regular schedule to ensure they are functional when needed.
- Develop tested runbooks for IdP outage and key compromise scenarios: Document step-by-step recovery procedures and run tabletop exercises to reveal gaps before they cause delays during real incidents. Teams that practice recovery ahead of time respond faster and with fewer errors.
- Plan for high availability with redundant infrastructure: Deploy redundant IdP instances, geographic distribution, and automated failover. Your applications depend on authentication, so treat IdP availability the same way you would treat database availability.
How Specops helps
SSO security will continue to evolve through 2026, with the most secure options adapting in real time to changes in user behavior and device health. However, the security of SSO environments today still depends heavily on the strength of domain credentials.
Specops Password Policy helps by extending Active Directory Group Policy with more advanced controls and strengthening credentials without frustrating the user. This includes blocking compromised passwords and enforcing stronger passphrase-based policies with dynamic feedback so users know exactly how to create strong passwords. The breached password protection feature adds another layer of security by identifying exposed credentials early and alerting users to change their passwords before they can be used in a breach.
Specops Secure Access extends that protection by applying multi-factor and biometric authentication alongside device trust signals to SAML and OIDC-based applications, including those federated through third-party identity providers.
For more information about how Specops solutions can help strengthen the security of your SSO environment, speak to one of our experts today.
Last updated on February 2, 2026