Identifying SSO on Exposed Login Endpoints

Written By Dan Crawford

Last updated 6 days ago

Overview

PGP automatically identifies and compares web login portals that are protected by Single Sign-On (SSO) authentication versus those that are exposed without SSO protection. This feature helps security teams understand their authentication attack surface and prioritize remediation efforts for unprotected login endpoints.

Note: SSO integration (Okta, Microsoft Entra ID, or PingOne) must be configured in PGP to enable comprehensive SSO detection. 

What PGP Detects

PGP identifies two types of login-related findings:

1. SSO-Protected Logins: Login portals that are protected by SSO providers such as:

- Okta - Detected through Okta integration and login page analysis

- Microsoft Entra ID (formerly Azure AD) - Detected through Entra ID integration

- PingOne - Detected through PingOne integration

- Other SSO providers identified through page content analysis

2. Exposed Logins Without SSO: Login portals that lack SSO protection, which are flagged as security risks because they typically:

- Rely on single-factor authentication

- Increase attack surface for credential stuffing and password spraying

- Lack centralized authentication management

- Reduce visibility into access patterns

How PGP Identifies SSO Protection

Integration-Based Detection

Note: Integration-based detection requires that the corresponding identity provider integration be configured in PGP.

PGP uses direct integrations with identity providers to identify SSO-protected portals:

Okta Integration

- PGP connects to your Okta instance via API

- Scans all active Okta applications

- Extracts application URLs (homepage, login URL, redirect URIs)

- Tags webpages associated with these URLs as SSO-protected by Okta

- Source identifier: okta-integration

Microsoft Entra ID Integration

- PGP connects to Microsoft Graph API

- Retrieves service principals with SSO enabled

- Extracts URLs from service principal configurations (homepage, login URL, reply URLs)

- Tags associated webpages as SSO-protected by Entra ID

- Source identifier: entraid-integration

PingOne Integration

- Follows the same pattern as the Okta and Entra ID integrations: PGP connects to the PingOne identity provider, extracts application URLs, and tags matching webpages as SSO-protected by PingOne

- Source identifier: pingone-integration

Content-Based Detection

PGP also analyzes webpage content to detect SSO providers:

- Okta Detection: Identifies Okta login pages by analyzing page titles, content, and URL patterns

- Basic Login Detection: Identifies generic login forms that lack SSO protection indicators

When a login form is detected but no SSO provider is identified, PGP flags this as an exposed login without SSO protection.
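The following is an added illustrative example, not PGP's own code, showing how the two detection sources above combine into the per-page states this article describes: URLs exported from an identity-provider integration tag a page as SSO-protected, page content is checked for a login form and for provider markers, and a login form with no provider becomes an exposed login. The identity-provider record layout, the Okta host and content markers, the "okta" provider label, and the sample pages are all constructed assumptions for this example and are not PGP's real schemas or heuristics.

```python
"""Added example (not PGP's code): integration-based plus content-based SSO detection."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# --- 1. Integration-based detection -------------------------------------
# Constructed stand-in for an identity-provider export; the record layout is an
# assumption for this example, not the real Okta or Microsoft Graph schema.
IDP_APPS = [
    {"source": "okta-integration", "status": "ACTIVE",
     "urls": ["https://hr.example.com/", "https://hr.example.com/login",
              "https://hr.example.com/oauth/callback"]},
    {"source": "entraid-integration", "status": "ACTIVE",
     "urls": ["https://wiki.example.com/signin"]},
    {"source": "okta-integration", "status": "INACTIVE",  # skipped: only active apps count
     "urls": ["https://old.example.com/login"]},
]

def normalize(url):
    """Reduce a URL to (host, path) so scheme, port and trailing-slash differences still match."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path.rstrip("/") or "/")

def build_sso_index(apps):
    """Map every URL of an active IdP application to the integration(s) that vouch for it."""
    index = {}
    for app in apps:
        if app["status"] != "ACTIVE":
            continue
        for url in app["urls"]:
            index.setdefault(normalize(url), set()).add(app["source"])
    return index

# --- 2. Content-based detection -----------------------------------------
class LoginPageParser(HTMLParser):
    """Collects the signals needed: <title>, password inputs, form actions, id/class/src/href values."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title = "", False
        self.has_password_field = False
        self.form_actions = []
        self.markers = []  # lowercased id, class, src and href attribute values

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        for key in ("id", "class", "src", "href"):
            if a.get(key):
                self.markers.append(a[key].lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

# Assumed Okta indicators for this example; PGP's actual heuristics are not published here.
OKTA_HOST_SUFFIXES = (".okta.com", ".oktapreview.com")
OKTA_CONTENT_MARKERS = ("okta-signin-widget", "okta-sign-in", "okta-login")

def detect_from_content(page_url, html):
    """Return (providers found in the page, whether a login form was detected)."""
    p = LoginPageParser()
    p.feed(html)
    providers = set()
    hosts = [normalize(page_url)[0]] + [normalize(a)[0] for a in p.form_actions]
    if ("okta" in p.title.lower()
            or any(h.endswith(OKTA_HOST_SUFFIXES) for h in hosts)
            or any(m in marker for marker in p.markers for m in OKTA_CONTENT_MARKERS)):
        providers.add("okta")  # assumed label for content-detected Okta
    return providers, p.has_password_field

def classify(page_url, html, sso_index):
    """'sso' with its providers, 'no-sso' (login form but no provider), or None (no login)."""
    providers = set(sso_index.get(normalize(page_url), set()))
    content_providers, has_login = detect_from_content(page_url, html)
    providers |= content_providers
    if providers:
        return "sso", sorted(providers)  # green check: "SSO protection identified"
    if has_login:
        return "no-sso", []              # gray X: "No SSO protection identified"
    return None, []                      # empty cell: no login detected

# Constructed sample pages, not real sites.
SAMPLE_PAGES = {
    "https://hr.example.com/login": '<html><head><title>HR Portal</title></head><body>'
        '<form action="/login" method="post"><input name="user"><input type="password" name="pw"></form></body></html>',
    "https://login.example.okta.com/": '<html><head><title>Example - Sign In</title>'
        '<script src="/assets/okta-signin-widget/js/okta-sign-in.min.js"></script></head>'
        '<body><div id="okta-login-container"><form action="/api/v1/authn"><input type="password"></form></div></body></html>',
    "https://legacy.example.com/admin": '<html><head><title>Admin Console</title></head><body>'
        '<form action="/admin/auth" method="post"><input type="text" name="u"><input type="password" name="p"></form></body></html>',
    "https://www.example.com/": '<html><head><title>Home</title></head><body><p>Welcome</p></body></html>',
}

def run_report(pages=SAMPLE_PAGES, apps=IDP_APPS):
    """Classify every page against the integration index; returns {url: (state, providers)}."""
    index = build_sso_index(apps)
    return {url: classify(url, html, index) for url, html in pages.items()}

if __name__ == "__main__":
    for url, (state, providers) in run_report().items():
        print(f"{url:40} {state or 'no login':10} {', '.join(providers)}")
```

In this model a page that only redirects to the identity provider, without rendering a form itself, yields no content signal at all; it is tagged as SSO-protected solely because its URL appears in the integration export, which is why the article notes that identity-provider integrations are needed for comprehensive detection.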

Where to Find SSO Information in PGP

1. Vulnerability Drawer - SSO Identified Pill

When viewing an Exposed Login Endpoint vulnerability in the vulnerability drawer, a pill badge labeled “SSO identified” appears in the header if single sign-on protection has been detected. To see this, navigate to the Vulnerabilities page, click on an Exposed Login Endpoint finding, and look at the header section of the drawer, where the SSO pill appears among the badges on the left. The pill is only shown when SSO is present; hovering over it reveals a comma-separated list of the SSO providers that were identified. If no SSO protection is detected, the pill does not appear. 

2. SSO Filter in Vulnerabilities Table

Use the SSO filter to quickly find vulnerabilities based on SSO protection status.

On the Vulnerabilities page, the filter toolbar includes an SSO dropdown filter that allows you to refine results based on whether single sign-on protection is present. The filter provides two options: Yes, which shows vulnerabilities where SSO protection has been identified, and No, which shows vulnerabilities where a login is detected but no SSO protection is found. This is a boolean filter with no “Select All” option, and it appears alongside the other standard filters such as Severity, Status, and Tags.

3. Asset Sitemap Tab - SSO Column

View SSO protection status for individual webpages in the asset sitemap.

You can view the SSO protection status for individual webpages directly in the asset sitemap. From the Assets page, open a web application asset and navigate to the Sitemap tab, where you’ll find a dedicated SSO column in the table (typically near the Login and Secrets columns). This column shows the per-page SSO status using three possible states: a green checkmark icon indicates that SSO protection has been identified (with a tooltip reading “SSO protection identified”), a gray X icon indicates that a login was detected but no SSO protection was found (with a tooltip reading “No SSO protection identified”), and an empty cell indicates that no login was detected and therefore no SSO status applies. This view makes it easy to understand the authentication landscape of a web application and quickly identify which specific pages are protected by SSO.

4. Exposed Login Risks

Vulnerabilities for exposed logins without SSO protection are automatically created and tracked.

All login-related findings use the same underlying risk type. PGP distinguishes between SSO-protected and unprotected logins with the "SSO Enabled" indicator. These findings are typically classified with an exposure-level severity and represent an increased attack surface, often relying on single-factor authentication, which raises the risk of credential stuffing and password spraying, reduces visibility into access patterns, and may disclose details about the underlying technology stack.

When you encounter one of these findings, you should review the login portal to confirm whether it is intended to be externally accessible. If it is not protected by SSO, the recommended action is to implement SSO through your identity provider or place the service behind a VPN or identity-aware proxy with multi-factor authentication. If the endpoint is intentionally exposed and already has sufficient compensating controls, no action may be required. You can find these vulnerabilities by navigating to the Vulnerabilities page and filtering for logins without SSO or by searching for login-related findings, then opening the vulnerability details to review the evidence and remediation guidance.

Best Practices for Using SSO Information

1. Regular Review of Exposed Logins

- Use the SSO filter with "No" to regularly review exposed logins

- Prioritize remediation based on severity and business criticality

- Document accepted risks for exposed logins that cannot be protected

2. Integration Setup

- Connect your identity provider integrations (Okta, Entra ID) to get comprehensive SSO detection

- Review integration status in Settings → Integrations

- Ensure integrations have proper API access to detect all SSO-protected applications

3. Asset-Level Analysis

- Use the Asset Sitemap tab to understand SSO coverage across web applications

- Identify patterns (e.g., all admin pages have SSO, but public login pages don't)

- Plan SSO implementation based on current state 

4. Vulnerability Tracking

- Track exposed login vulnerabilities through the standard remediation workflow

- Use Jira or other ticketing integrations to assign remediation tasks

- Update vulnerability status as SSO is implemented

Troubleshooting

SSO Pill Not Appearing When Expected

Possible Causes:

1. Integration not connected - Check Settings → Integrations

2. Integration credentials expired - Re-authenticate the integration

3. Application not in integration scope - Verify application is active in identity provider

4. Detection timing - New integrations may take time to scan and identify SSO

Solutions:

- Verify integration status in Settings

- Re-run integration sync if available

- Check that applications are active in your identity provider

- Allow time for initial scan to complete

Summary

PGP's SSO comparison feature provides comprehensive visibility into your authentication attack surface by:

- Identifying SSO-protected logins through direct integrations with Okta, Entra ID, and PingOne

- Flagging exposed logins that lack SSO protection as security risks

- Providing multiple UI indicators including pills, filters, and table columns

- Enabling efficient remediation through vulnerability tracking and filtering

Use the SSO filter, vulnerability drawer indicators, and asset sitemap to understand your authentication landscape and prioritize security improvements.