fadaly.net/work/samlpolicyaudit
IDENTITY

SAML.

8 SAML IdP integrations across SaaS vendors. 3 still permit unsigned assertions. 1 accepts assertions older than 24 hours.

A SAML config you didn't harden is a back door someone else can walk through.

SA-005 · vendor X SP config UNSIGNED OK
Accepts unsigned assertions. NotOnOrAfter unset. 1d max age.
Require signed assertions, set 5min max age, rotate SP cert.
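The three SA-005 conditions as acceptance checks an SP should enforce, written as an added Python example (not this audit's tooling or any vendor's code) over constructed assertions; it checks that a `ds:Signature` element is present and leaves cryptographic verification to the SP's XML-DSig library.

```python
"""Audit checks for a SAML 2.0 assertion: signed, NotOnOrAfter set, age bounded.
Added example, not the audit's own tooling. Only the presence of ds:Signature
is checked here; cryptographic verification is left to the SP's XML-DSig code."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_AGE = timedelta(minutes=5)  # remediation target from SA-005 (was 1 day)

def parse_ts(s):  # SAML xsd:dateTime in UTC; fractional seconds not handled here
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_assertion(xml_text, now, max_age=MAX_AGE):
    """Return the list of policy violations found; an empty list means accept."""
    a = ET.fromstring(xml_text)
    findings = []
    if a.find("ds:Signature", NS) is None:
        findings.append("unsigned assertion")
    issued = parse_ts(a.get("IssueInstant"))
    if now - issued > max_age:
        findings.append(f"assertion older than {max_age}")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        findings.append("NotOnOrAfter unset")
    elif now >= parse_ts(cond.get("NotOnOrAfter")):
        findings.append("assertion expired (NotOnOrAfter)")
    return findings

# Constructed sample: unsigned, no NotOnOrAfter, issued about 25 hours ago.
STALE_UNSIGNED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example1" IssueInstant="2024-01-01T00:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z"/>
</saml:Assertion>"""

# Constructed sample meeting the hardened policy (signature element stubbed).
GOOD = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_example2" IssueInstant="2024-01-02T01:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotBefore="2024-01-02T01:00:00Z" NotOnOrAfter="2024-01-02T01:05:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    now = parse_ts("2024-01-02T01:02:00Z")  # fixed clock so the run is reproducible
    print(audit_assertion(STALE_UNSIGNED, now))  # three violations
    print(audit_assertion(GOOD, now))            # []
```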