When I hear someone say they’ve “modernized” an application, it usually means they’ve enabled SAML or OIDC. Maybe both. In their minds, they’ve checked the box —
SSO does simplify access and reduce friction. But here’s what worries me: too many teams stop there. They implement SSO and assume the hard part’s over. But in practice, that’s when the real complexity starts to surface.
Why “we modernized” doesn’t always mean what you think
When people tell me their app is modernized, I ask what that really means. In many cases, it just means the app now supports SSO. It still uses the same internal session logic. Authorization is still coded deep in the app. It’s still brittle — just with a better login page.
What’s happening here is more common than most admit: we modernize the front door and leave the rest of the house unchanged.
And that’s a problem, because identity isn’t just about logging in. It’s about what happens after.
What modern authentication actually delivers
Modern auth protocols like SAML and OIDC were designed to solve real challenges — mainly login and federation. When they’re in place, users no longer need to juggle passwords, and IT doesn’t have to manage every credential manually.
That’s real progress. And yes, SSO through these protocols improves security posture. But let’s not confuse convenience with completeness.
Protocols are progress — but they’re not the finish line
Don’t get me wrong, adding support for OIDC or SAML is progress. You get fewer passwords, less friction, and a more consistent user experience. What they don’t provide are the other critical controls we relied on with Web Access Management (WAM) systems: centralized session control, authorization enforcement, directory integration, and consistent policy handling.
WAM systems weren’t perfect, but they gave us a consistent control layer across applications. When we removed them without replacing that layer, we lost something essential — and I’ve seen the consequences firsthand.
The app isn’t modern if identity is still hard-coded
I’ve seen apps that look slick on the surface but still rely on fragile, developer-specific identity plumbing behind the scenes. In these cases, adding SSO doesn’t address the real risk — inconsistent behavior across apps and environments.
Some teams are still using outdated session libraries. Others are hard-coding access rules in ways that make auditing a nightmare. The protocol is modern. The implementation? Not so much.
Where things fall apart: session management
One of the biggest identity blind spots in modernized environments is session management. People assume SSO takes care of it, but it doesn’t.
With WAM, session behavior — timeouts, renewals, revocations — was handled in one place. You could apply a policy change and know it’d take effect enterprise-wide. Today, session logic is embedded inside every individual app, scattered across different languages and frameworks.
I’ve worked with teams using Spring, Node.js, Rails — and even within one framework, there’s no guarantee of consistency. Each app ends up with its own config, its own quirks, and its own security gaps.
Not being able to enforce consistent session timeouts is a huge risk if they can’t revoke sessions when something suspicious happens. That’s all still up to the application — and most dev teams aren’t set up to handle that well at scale.
The cost of decentralizing session logic
When patching session libraries takes weeks or months, or no one knows where idle timeouts are defined, security becomes reactive at best. You lose the ability to revoke sessions in real time or roll out a policy change globally.
This isn’t theoretical. I’ve seen companies struggle just to track down how their session handling even works. It’s become tribal knowledge, hidden deep in app code.
That’s not sustainable — especially for enterprises dealing with compliance or Zero Trust goals.
Identity sprawl and authorization drift
The same thing that happens with session logic happens with authorization. Once it’s pushed down into application code, it becomes nearly impossible to manage centrally.
Rules get buried in business logic. Policies drift. And eventually, no one knows exactly who has access to what — or why. Even apps that support modern authentication can fail here, because AuthZ isn’t part of the protocol. It’s a separate challenge entirely, and it’s one many teams don’t fully account for.
Orchestration needs to come next
At this point, I think it’s clear: modern authentication is just one piece of the puzzle.
The benefits of using orchestration include:
- Regaining the ability to revoke sessions instantly
- Applying session and authZ policies consistently
- Managing federation keys and certs from one place
- Integrating with risk signals (like CAEP) to support Zero Trust
- And doing it all without rewriting apps or switching identity providers
Orchestration bridges the gap between “modern protocol support” and real identity modernization.
Centralization doesn’t mean going backward
Sometimes people assume that bringing identity control back into one place is a step back. But that’s not what orchestration is about.
It’s about enabling agility. About giving security teams the visibility they need without slowing down developers. About managing identity as a service — not as a series of app-specific hacks.
When you don’t have orchestration, every identity challenge becomes a one-off fix. With orchestration, you get a strategy.
If I’m talking to a security team, I’ll usually pose a question like this: “How quickly could you revoke a user’s sessions across every app in your enterprise right now?”
If the answer is anything less than “instantly,” there’s a problem worth solving.
The takeaway: don’t stop at SSO
I’ll say it plainly: modern authentication is essential, but it’s incomplete. If you stop at SSO, you’re missing the control layer that makes everything else work — securely, consistently, and at scale.
So yes, adopt SAML. Roll out OIDC. But don’t let the login box be the finish line. SSO and SAML alone do not make a
If you want real security, orchestration has to be part of the journey.
About the Author
Darren Platt has led engineering teams at Securant Technologies, Ping Identity, Simplified, RSA, and Oracle. He is now the VP of Product Management and Engineering at Strata Identity, where he is building the first distributed Identity Orchestration platform for distributed environments and contributing to the new policy orchestration standard, IDQL and its reference software Hexa.