Measure SSO risks across users, apps, and policies. Weight weaknesses using proven identity security factors. Export reports, track changes, and reduce compromise likelihood fast.
Score your Single Sign-On attack surface quickly. Compare controls, sessions, and identity provider settings. Get risk levels and fixes for safer access today.
| Scenario | MFA | Conditional Access | Sessions | Legacy Auth | Apps | Estimated Score | Level |
|---|---|---|---|---|---|---|---|
| Hardened enterprise IdP | Mandatory | Strong | 2h session, 7d refresh | No | 45 | 18 | Low |
| Growing SaaS portfolio | Optional | Partial | 8h session, 30d refresh | No | 160 | 52 | Moderate |
| High exposure, weak governance | None | None | 24h session, 180d refresh | Yes | 600 | 88 | Critical |
This calculator converts control gaps into weighted risk points, then sums them into a 0–100 score.
| Category | Max points | What increases risk |
|---|---|---|
| MFA & phishing resistance | 30 | No MFA, optional MFA, lack of phishing-resistant authenticators |
| Access policy | 20 | No conditional access, legacy authentication enabled |
| Token and session controls | 20 | Long sessions, long refresh lifetimes, weak device enforcement |
| Privilege & lifecycle | 25 | Always-on admin, shared admins, slow deprovisioning, untested break-glass |
| Visibility, sprawl, and resilience | 15 | Limited monitoring, many connected apps, weak availability posture |
Use the score to prioritize improvements, then validate with security reviews and testing.
A single compromised identity can unlock dozens of applications. This calculator estimates how quickly compromise can occur and how widely access can spread. Inputs capture enforcement controls, exposure paths, and blast radius assumptions. Scores are capped at 100 so results remain comparable across different environments.
Missing multifactor enforcement can add up to 20 points, while limited phishing-resistant coverage can add up to 10. Enabling legacy authentication adds 10. Sessions longer than 12 hours add 10, and refresh lifetimes longer than 90 days add 10. Slow deprovisioning increases lifecycle risk by up to 10, especially when access persists beyond 48 hours. Limited monitoring adds up to 5 points when alerts are missing.
Low results below 35 suggest controls are consistent and routinely reviewed. Moderate scores from 35 to 59 indicate gaps that attackers can chain across apps. High scores from 60 to 79 mean privilege, session, or legacy paths likely dominate risk. Critical scores of 80 or more warn that one credential may open regulated systems. The tool lists the five largest contributors to guide prioritization efforts.
Treat the score as a before-and-after metric. Moving from optional to mandatory multifactor typically removes 10 points. Blocking legacy authentication removes 10. Tightening sessions from 24 hours to 4 hours can remove 4 to 8 points, and reducing refresh lifetime from 180 days to 30 days can remove 6 points. Eliminating shared admin accounts and adopting privileged workflows can reduce the privileged controls factor by up to 10. Testing break-glass accounts removes up to 5 points and improves recovery readiness.
Export CSV to build a quarterly trendline and attach evidence to change tickets. Export PDF for a shareable snapshot including inputs, score, and drivers. Track connected applications; crossing 50 and 200 triggers additional sprawl points. Availability resilience and sensitivity each add up to 5 points to reflect business impact. Review governance cadence: quarterly identity audits score better than rare reviews. Pair results with tabletop exercises, log review, and access recertification to validate operational reality.
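The scoring model described above, written out as an added example (not the calculator's own code): it turns the page's stated point values into a capped 0–100 score, maps it to the page's risk levels, lists the largest contributors, and computes the before-and-after delta. Where the page gives only a category maximum rather than a per-gap value, the split is marked ASSUMED.

```python
from dataclasses import dataclass

# Point values come from the page's description of the model; items marked
# ASSUMED are my own choices where the page gives only a category maximum.
SPRAWL_THRESHOLDS = (50, 200)        # page: crossing 50 and 200 adds sprawl points
LEVELS = ((80, "Critical"), (60, "High"), (35, "Moderate"), (0, "Low"))

@dataclass
class SsoPosture:
    mfa: str                      # "none", "optional" or "mandatory"
    phishing_resistant_admins: bool
    conditional_access: bool
    legacy_auth: bool
    session_hours: float
    refresh_days: float
    deprovision_hours: float      # time until a leaver's access is cut
    shared_admins: bool
    break_glass_tested: bool
    alerting: bool
    connected_apps: int

def drivers(p: SsoPosture) -> list[tuple[str, int]]:
    """Return (reason, points) pairs for every control gap that adds risk."""
    d = []
    if p.mfa == "none": d.append(("No MFA enforcement", 20))
    elif p.mfa == "optional": d.append(("Optional MFA", 10))   # ASSUMED: half of the 20
    if not p.phishing_resistant_admins: d.append(("Limited phishing-resistant coverage", 10))
    if not p.conditional_access: d.append(("No conditional access", 10))  # ASSUMED
    if p.legacy_auth: d.append(("Legacy authentication enabled", 10))
    if p.session_hours > 12: d.append(("Session lifetime over 12h", 10))
    if p.refresh_days > 90: d.append(("Refresh lifetime over 90d", 10))
    if p.deprovision_hours > 48: d.append(("Deprovisioning slower than 48h", 10))
    if p.shared_admins: d.append(("Shared admin accounts", 10))      # ASSUMED
    if not p.break_glass_tested: d.append(("Untested break-glass", 5))
    if not p.alerting: d.append(("Limited monitoring, no alerts", 5))
    sprawl = sum(5 for t in SPRAWL_THRESHOLDS if p.connected_apps > t)  # ASSUMED: 5 each
    if sprawl: d.append(("Connected app sprawl", sprawl))
    return d

def score(p: SsoPosture) -> int:
    """Sum the weighted points and cap at 100 so environments stay comparable."""
    return min(100, sum(pts for _, pts in drivers(p)))

def level(s: int) -> str:
    """Map a capped score to the page's Low / Moderate / High / Critical bands."""
    return next(name for floor, name in LEVELS if s >= floor)

def top_drivers(p: SsoPosture, n: int = 5) -> list[tuple[str, int]]:
    """The largest contributors, as the tool lists them for prioritization."""
    return sorted(drivers(p), key=lambda d: -d[1])[:n]

def improvement(before: SsoPosture, after: SsoPosture) -> int:
    """Before-and-after metric: points removed by a change, on capped scores."""
    return score(before) - score(after)
```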
The score is a weighted estimate of SSO exposure based on your selected controls. Higher scores reflect easier account takeover, wider access, or slower containment. Use it to prioritize improvements and compare your posture over time.
The underlying factors can sum above 100, but the cap keeps reporting consistent across organizations. It prevents very large environments from producing unusable scores and makes before‑and‑after comparisons clearer.
Enforcement checks whether MFA is required. Phishing resistance measures whether authenticators withstand common credential theft techniques, especially for admins. Improving both reduces the likelihood of session hijacking and privilege escalation.
Start with mandatory MFA, block legacy authentication, tighten session and refresh lifetimes, and remove shared admin access. These controls can remove large point blocks and reduce the most common compromise paths.
App sprawl increases the chance of misconfigured SSO, excessive permissions, or risky third‑party integrations. The calculator adds more risk points when your connected app count exceeds typical thresholds, highlighting the need for review and pruning.
Use the score and its exports as supporting evidence, not as a formal certification. Pair exports with policy screenshots, audit logs, access reviews, and testing outcomes. When auditors need proof, include your control implementations alongside the calculated score.