ShadowITCost

Last verified April 2026

Method 2 of 4

SSO Gap Analysis: Surfacing Unauthorized Apps from Your IdP

The fastest first read on shadow IT. Export the app list from your identity provider, cross-reference against your approved catalog, catalog the gap. Half a day's work, typically 40 to 70 percent coverage.

Why this method is first

Every mid-market organization has an identity provider (Okta, Microsoft Entra ID, Google Workspace, JumpCloud, OneLogin, or similar). The IdP maintains a directory of applications it federates for single sign-on, plus a separate directory of OAuth consent grants for third-party apps users have connected. Both directories are immediately available, require no new tool procurement, and are actual evidence of use (a user had to authenticate for the entry to exist).

This method is first because it is cheap, fast, and produces a baseline you then compare everything else against. Running expense audit or CASB without the SSO gap baseline creates re-work: you end up reconciling the same apps multiple times across methods.

The step-by-step method

  1. Export your IdP's federated application list. Okta: Applications export via admin API or console. Entra ID: Enterprise Applications blade, All Applications, export. Google Workspace: Security > SAML apps.
  2. Export your IdP's OAuth consent grant list. This is often the more valuable list. Entra ID: Enterprise Applications, filter for 'Application Type: All Applications', then cross-reference with the OAuth consent report. Google Workspace: Security > API Controls > App access control. Okta: under the OAuth app grants section.
  3. Merge the two lists, de-duplicating by app name. Add a column for authentication type (SAML, OAuth, both).
  4. Load your approved application catalog from whichever source owns it (GRC tool, IT asset management system, or a spreadsheet). Normalize app names across the two sources (the IdP calls it 'Google Drive', the catalog calls it 'Google Workspace'; unify before comparing).
  5. Compare. The gap is the set of apps in the IdP list that do not appear in the approved catalog. That is your shadow IT baseline from this method.
  6. For each gap app, capture: user count, first-seen date if available, and obvious department concentration (if 80 percent of users of an app come from one department, that department owns the disposition conversation).
  7. Decide disposition per app: approve, consolidate, retire, require controls. Record in the consolidated registry template from the discovery methods overview.
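The merge, name normalization, gap computation and department-concentration check in steps 3 to 6, as an added worked example (not code from ShadowITCost). The export rows, the approved catalog and the alias table are constructed sample data; a real run would read them from the IdP console or API exports and the catalog owner's system.

```python
# Added example: reconcile IdP SAML + OAuth exports against an approved catalog.
# All data below is constructed for illustration, not a real export.
from collections import Counter

# Constructed export rows: (app name as the IdP reports it, auth type, user, department)
SAML_EXPORT = [
    ("Salesforce", "SAML", "ana", "Sales"),
    ("Google Drive", "SAML", "ben", "Engineering"),
    ("Notion", "SAML", "cat", "Product"),
]
OAUTH_EXPORT = [
    ("Notion", "OAuth", "dan", "Product"),
    ("Notion", "OAuth", "eve", "Product"),
    ("MeetingBot AI", "OAuth", "fay", "Sales"),
    ("MeetingBot AI", "OAuth", "gus", "Sales"),
    ("MeetingBot AI", "OAuth", "hal", "Engineering"),
]
APPROVED_CATALOG = {"Salesforce", "Google Workspace"}  # constructed catalog
# Hypothetical alias table: IdP name -> catalog name (step 4 normalization).
ALIASES = {"google drive": "google workspace"}

def normalize(name):
    """Lower-case, collapse whitespace, then apply the alias table."""
    key = " ".join(name.lower().split())
    return ALIASES.get(key, key)

def merge(*exports):
    """Step 3: merge exports, de-duplicating by normalized app name.
    Result: {app: {"auth": set of auth types, "users": {user: department}}}."""
    merged = {}
    for rows in exports:
        for app, auth, user, dept in rows:
            entry = merged.setdefault(normalize(app), {"auth": set(), "users": {}})
            entry["auth"].add(auth)
            entry["users"][user] = dept  # one entry per user even if in both exports
    return merged

def gap_report(merged, catalog, concentration=0.8):
    """Steps 5-6: apps absent from the catalog, with user count and, where one
    department holds >= `concentration` of users, the department that owns disposition."""
    approved = {normalize(a) for a in catalog}
    report = {}
    for app, entry in merged.items():
        if app in approved:
            continue
        dept, n = Counter(entry["users"].values()).most_common(1)[0]
        owner = dept if n / len(entry["users"]) >= concentration else None
        report[app] = {"auth": "+".join(sorted(entry["auth"])),
                       "users": len(entry["users"]), "owner": owner}
    return report

def run():
    return gap_report(merge(SAML_EXPORT, OAUTH_EXPORT), APPROVED_CATALOG)
```

Apps below the concentration threshold come back with `owner` of `None`, meaning no single department clearly owns the disposition conversation and the app needs a manual owner assignment.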

What this method misses

Apps that are not configured for SSO and not integrated via OAuth. Free-tier apps where users signed up with work email but never connected to the IdP. Browser-based tools that require no account at all. Apps authenticated via passwords stored in a password manager. Apps on personal devices. These blind spots mean SSO gap alone is usually 40 to 70 percent of the total portfolio. Expense audit captures most of the remainder with a financial trail; browser inventory and survey close the last-mile gap for free-tier and hidden use.

Shadow AI angle

OAuth consent grants are the single most valuable source for shadow AI discovery in most mid-market organizations. AI assistants, meeting bots, and agent platforms typically onboard users via OAuth rather than SAML. The Entra ID or Google Workspace OAuth consent report often surfaces dozens of AI-category OAuth grants that have never been through IT review. Prioritize this export early in the sprint.

Rough time budget

  • Export SAML/OAuth app lists: 30 minutes
  • Normalize names and merge with approved catalog: 2 hours
  • Assign dispositions and owners: 2 to 4 hours (depends on gap size)
  • Document in consolidated registry: 1 hour

Frequently asked questions

What exactly is an SSO gap?
Your identity provider (Okta, Microsoft Entra ID, Google Workspace, JumpCloud, OneLogin) maintains a directory of applications federated for single sign-on. Your IT organization maintains a separately-managed approved application catalog, usually as a spreadsheet or entries in a GRC tool. The gap is the set of apps that are connected to your IdP but are not on the approved catalog. These are apps that real users have authenticated to, which is strong evidence of actual business use, but which have never been formally approved.
How long does SSO gap analysis take?
A half-day for the first pass in most mid-market environments. Export takes minutes; reconciling the app list against the approved catalog and assigning owners is the bulk of the work. If you have not built an approved catalog yet, that work is a prerequisite and typically takes a day or two of engagement with IT, procurement, and security to agree on what 'approved' means.
What does SSO gap miss?
Apps that are not configured for SSO at all. Free-tier SaaS accounts users have opened with their work email but not federated. Apps that authenticate via passwords stored in a password manager rather than via SSO. Browser-based tools that require no account. Personal accounts that happen to be used on work devices. These blind spots are the reason you sequence SSO gap with expense audit, CASB, and survey.
How do I export the app list from Okta?
In the Okta admin console, navigate to Applications. The main grid lists federated apps; export via the API (admin API endpoint for applications) or via the built-in report for app usage. The same approach works in Entra ID under Enterprise Applications, and in Google Workspace under Security > SAML apps plus the OAuth API access report for third-party connected apps. For a first pass, the admin console export is sufficient.
Should I treat OAuth-connected apps differently from SAML apps?
Yes. OAuth-connected third-party apps (apps users grant access to via 'sign in with Google' or 'sign in with Microsoft') are a separate inventory in most IdPs and are often the bulk of the shadow IT you will find. Entra ID, Google Workspace, and Okta all surface OAuth consent grants separately. Pull both SAML and OAuth, merge, and de-duplicate. OAuth grants are particularly important for shadow AI discovery since most AI assistants onboard users via OAuth rather than SAML.
What do I do with the output?
For each app in the gap, decide the disposition: (a) approve into the catalog, assign an owner, formalize procurement; (b) consolidate onto an existing approved alternative and retire the shadow instance; (c) retire outright, with migration if needed; (d) require additional controls (DPA, security review, MFA enforcement) before continued use. Record the decision in the consolidated registry alongside the evidence that detected the app. Over time, the SSO-to-catalog reconciliation becomes a governance control rather than a sprint activity.