by 7bit 806 days ago
Not only password policies, but authentication policies as a whole. For example, the location from where you may authenticate, or the times, the IP address ranges, the device you're using, and so on.

It is also important for user account lifecycle. If a user joins or leaves the company, IT needs to be able to grant or revoke access without having to go on an individual account hunt.

If a service does not offer SSO (or a good implementation of it, because most services seem to follow some YouTube guide on how to add SSO - it's that bad), our policies forbid us from buying it.


Interesting. How do you analyze if an SSO implementation is good or not?
Check if they follow the specs. Especially with SAML, I've found many, many implementations that are just broken. Such as logging a user out of the IdP after idling, when they should just revoke the session for their SP.

Another good one is when they INSIST on using an email address for the name-id. These things change, so let me PLEASE use an immutable ID ... That's already close to not getting accepted because it invites problems.

Another one being auto-provisioning not being implemented, needing an additional user sync. This also contributes to not getting accepted.

If an SP does not implement certificate rollover, it's getting an Instant NO!

But to be fair, Microsoft's IdP side has some flaws as well, which is annoying.
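Two of the points above (a mutable email NameID, and certificate rollover) are visible in a party's SAML metadata before any integration work starts. As an added example that is not part of the thread, here is a small Python lint over one SAML 2.0 EntityDescriptor; the sample SP metadata and its certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT_NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def lint_saml_metadata(xml_text: str) -> dict:
    """Summarise one SAML 2.0 EntityDescriptor (SP or IdP) and list findings:
    which NameID formats the role advertises (email is mutable, persistent is not)
    and how many signing certificates it publishes (two means a rollover is under way)."""
    root = ET.fromstring(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:  # explicit None check: a childless Element is falsy
        role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor present")
    formats = [e.text.strip() for e in role.findall("md:NameIDFormat", NS) if e.text]
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = {c.text.strip()
             for kd in role.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"
             for c in kd.findall(".//ds:X509Certificate", NS) if c.text}
    findings = []
    if EMAIL_NAMEID in formats and PERSISTENT_NAMEID not in formats:
        findings.append("nameid: only emailAddress offered; addresses change, "
                        "ask for a persistent (immutable) NameID")
    if not certs:
        findings.append("signing: no signing certificate published")
    elif len(certs) > 1:
        findings.append(f"signing: {len(certs)} signing certs published (rollover); "
                        "the peer must trust every one of them, not just the first")
    return {"nameid_formats": formats, "signing_certs": len(certs), "findings": findings}


# Constructed sample SP metadata with a placeholder certificate (not a real one).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-1</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for finding in lint_saml_metadata(SAMPLE_SP_METADATA)["findings"]:
        print(finding)
```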

And people complain about an SSO tax...
Rightfully so.