
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog

In modern applications, authentication is rarely self-contained.
Instead of a single login system, organizations rely on federated identity, where authentication is delegated to external identity providers (IdPs) using standards such as:
SAML
OAuth 2.0
OpenID Connect (OIDC)
This enables Single Sign-On (SSO), cross-domain authentication, and integration across SaaS, internal apps, and third-party services.
From a user perspective, this simplifies access.
From a testing perspective, it significantly expands scope and complexity.
Federation allows one system (the Service Provider, or SP) to trust authentication performed by another system (the Identity Provider, or IdP).
This introduces multiple components into what was once a single trust boundary:
The application itself
The identity provider
The browser (handling redirects and tokens)
Supporting services (APIs, gateways, proxies)
Authentication becomes a multi-step, cross-domain flow involving:
Redirects
Token exchanges (JWTs, assertions)
Session establishment across domains
Each step introduces potential failure points.
Traditional testing assumes authentication and authorization are enforced within the application boundary.
Federation breaks that assumption.
Scope now includes:
Redirect handling and domain trust
Session management across domains
Authorization decisions based on external identity claims
This shifts testing from:
“Can I bypass login?” to
“Can I manipulate identity across systems?”
In practice, this requires testing end-to-end authentication flows, not just individual components.
Federation is now the default in modern architectures.
According to industry data:
Over 90% of enterprises use SSO or federated identity for at least part of their application ecosystem
More than 80% of cloud applications rely on OAuth or OIDC-based authentication flows
This means most environments already depend on:
External identity trust relationships
Token-based authentication
Cross-domain session handling
However, these systems are often:
Configured once and rarely revisited
Assumed secure if the IdP is trusted
Under-tested compared to application logic
The result is a large, high-impact attack surface that is not fully validated.
Federated authentication introduces risks that do not exist in standalone systems.
Improper validation of JWTs or assertions can allow:
Token forgery
Signature bypass
Acceptance of expired or manipulated tokens
Authentication flows rely heavily on redirects.
Misconfigurations can lead to:
Open redirect exploitation
Token leakage across domains
Unauthorized domain trust
Even if authentication is correct, authorization may fail.
Common issues include:
Over-trusting identity claims
Missing role or scope validation
Inconsistent enforcement across services
Cross-domain sessions introduce complexity in:
Cookie handling
Session fixation risks
Inconsistent logout or session invalidation
Attack data increasingly reflects this shift toward identity-centric attacks.
Microsoft reports that over 99% of identity-based attacks rely on password-based authentication weaknesses or token/session abuse
Verizon DBIR consistently shows that credential abuse is involved in over 60% of breaches
In federated environments, these risks extend beyond passwords to:
Tokens
Trust relationships
Identity assertions
This makes identity infrastructure, not just applications, a primary target.
Despite its importance, federation is frequently under-scoped in penetration tests.
This happens for several reasons:
Testing is limited to the application domain, excluding IdP interactions
Token flows are treated as “out of scope” or assumed secure
Cross-domain behavior is not fully mapped or instrumented
Time constraints prioritize application vulnerabilities over identity flows
Vendors may also avoid deep federation testing because it requires:
Specialized expertise in OAuth, OIDC, and SAML
Custom tooling and manual validation
Coordinating across multiple systems and teams
The result is incomplete coverage of one of the most critical attack surfaces.
Effective testing of federated systems requires a different approach.
It involves:
Mapping full authentication flows across domains
Intercepting and analyzing tokens (JWTs, assertions)
Testing validation logic at each trust boundary
Attempting manipulation of identity claims and scopes
Verifying authorization decisions across all integrated services
Federation introduces convenience, but also complexity.
Authentication is no longer a single control point. It is a distributed system with multiple dependencies and trust relationships.
If these flows are not explicitly tested, organizations are relying on:
Assumptions about identity providers
Default configurations
Unverified trust between systems
This creates blind spots in security assurance.
Federation expands penetration testing scope because it expands the attack surface.
Identity flows, token handling, and cross-domain trust introduce risks that cannot be captured through traditional application testing alone.
Organizations that treat federation as in-scope—and test it accordingly—gain a more accurate understanding of how attackers can move through modern systems.