SaaS users’ identities and access privileges obtain a significant source of risk exposure. Given that most SaaS apps contain their own user identity and access privilege management system, it can be extremely challenging to keep track of who is who and who is allowed to access sensitive data in your SaaS ecosystem. Even if you federate your SaaS apps with your idP system, there can still be serious gaps in security related to identity.
Moreover, even when using idP systems, you might need to keep a few “local” accounts on your SaaS for management purposes, and to maintain access to it in case the idP is down or compromised. Such users will also usually be admins in the SaaS.
Possible security issues may involve inconsistent use of MFA or insufficient management of account lifecycles, which in turn can lead to unauthorized access and result in data breaches. Credential stuffing is another attack vector that exploits weak identity management. Once attackers are inside a SaaS app, they can engage in privilege escalation and gain greater levels of access to corporate assets.