[TheNewsIsHere]

Normally you would expect any SSO capable application to keep its own auth logs.

It’s certainly not a SaaS-centric thing. SSO has been around once before we used it widely with HTTP.

I would also argue that the last part conflates SSO and SCIM. Usually these are kept as distinct features, even if compatible.