You added OIDC or SAML support to your app and concluded that you now had a modern application. But here's the uncomfortable truth: modern authentication protocols alone aren't enough for modern security.

When people talk about “modernizing” authentication, they usually mean adding support for protocols like OIDC or SAML. That’s a step in the right direction, without a doubt. Single sign-on (SSO) is more convenient, tightens up security, and is a welcome break from password sprawl.

The problem is, many organizations stop there. They check the box for SSO and assume the job is done. 

From the outside, everything looks sleek and up-to-date. But underneath, the foundations are shaky, and the cracks start to show as soon as you ask questions about consistency, control, and visibility across your environment.

What is modern authentication for applications?

In most cases, implementing modern authentication means enabling SSO through SAML or OIDC. This is typically seen as a win/win: users get a smoother experience logging into enterprise apps, IT teams don't have to manage passwords for each application, and the organization gains stronger identity assurance because authentication happens at one identity provider. Centralizing user management there also reduces administrative sprawl.

Identity modernization in a post-WAM world

But modern authentication is only one part of the identity stack. It improves access security, but it doesn’t provide the policy enforcement, session security, or governance once delivered by legacy Web Access Management (WAM) systems. Those centralized systems weren’t perfect, but they gave security teams something today’s protocol-based approaches often lack: centralized control.

WAM handled more than just login — it also managed sessions, authorization rules, user directories, and policy enforcement. That meant consistent behavior across apps, and a centralized way to update or revoke access without impacting individual applications.

When modern authentication is implemented without orchestration, application developers are forced to build those security capabilities (session management and policy enforcement) into each app themselves. Orchestration will also be what lets applications take advantage of emerging capabilities such as the Continuous Access Evaluation Profile (CAEP), whose real-time signals are only useful if something on the application side can act on them.

Sidebar: for a deeper dive into what modernization should look like beyond SSO, I recommend this primer on identity modernization.

The risks of relying solely on modern authentication

In today’s fragmented infrastructures — multi-cloud, hybrid, and post-M&A — the absence of orchestration creates serious risk. Without it, identity capabilities like session management and authorization are buried inside individual apps, handled inconsistently by dev teams using whatever framework they’re most familiar with. 

When every app does things differently, there are inevitably gaps, so you’re not really as secure as you might think.

Let's look at where the gaps show up once SSO is in place, starting with session management.

Tackling session management

One of the biggest gaps I see in modernized app environments is session management. It’s common (and easy) to assume it’s handled automatically once SSO is in place, but it’s not.

With WAM, control of session behavior (idle timeouts, renewals, revocations) was centralized: one point of control for enforcing consistent policies, one technical approach for maintaining user sessions, and one place to revoke sessions when something went wrong. With modern protocols, session logic is left to the applications. OIDC and SAML answer who the user is at login; the lifetime of the resulting application session, and whether a logout or revocation at the identity provider actually ends it, is up to each app's framework, whether it's Spring, Node.js, Ruby on Rails, or something else entirely.

Now take that and multiply it across dozens or hundreds of apps. Each one has its own session timeout settings. Each one handles session renewal differently. Some are up-to-date while others are running old versions with known vulnerabilities. 

This kind of patchwork leads to inconsistent end user behavior and makes a coordinated response nearly impossible.

Here’s what I believe security teams should be asking:

  • “How fast can we revoke a user’s sessions across all apps in our enterprise?”
  • “Which of our frameworks are still using vulnerable session handling libraries?”
  • “Do we even know where our session policies are defined?”

If the answer to any of those is “we’re not sure,” you’ve got a visibility problem.

This is where orchestration comes in handy. By layering orchestration over your existing identity protocols, you can regain centralized control without tearing out your identity providers or rewriting apps.

A modern front door on a shaky house

Using a security-as-a-house analogy, modern authentication gives you a cleaner entryway into the house. But if the rest of the house is built on duct tape and developer guesswork, you’re not any safer. 

That’s the trap many organizations fall into. They enable SSO, breathe a sigh of relief, and move on. Meanwhile, session handling is inconsistent, authorization logic is buried in app code, and the ability to respond to threats in real time is lost. 

The result is a fragile identity layer that looks modern but breaks under pressure.

The hidden dangers of fragmented identity logic

Leaving identity logic inside individual apps introduces three major categories of risk:

  1. Inconsistent session management

Every app configures session timeouts, renewals, and revocation differently. Developers have to manage them themselves, often without deep identity expertise. Vulnerabilities emerge in session libraries, but patches are rolled out slowly or not at all.

  2. Decentralized authorization

Authorization rules are often buried in app code, which makes them hard to audit, govern, or adjust. Over time, this leads to policy drift, misconfigurations, and security gaps that no one notices until it’s too late.

  3. Operational complexity

Without orchestration, it’s nearly impossible to standardize policies or respond quickly to threats. You’re dependent on tribal knowledge within dev teams. Compliance audits become a huge headache, and incident response slows to a crawl.

You're essentially flying blind: your security tools can't see what's happening inside the app, because the logic is scattered across dozens of custom implementations.

This is why we’re seeing enterprises shift focus from just modern authentication to full identity orchestration. As JPMorgan recently pointed out in their open letter, identity standards and governance are now essential and not optional.

Tokens are gold to attackers. Yet we’re still managing them with inconsistent tools and incomplete visibility.

What should modern enterprises do instead?

It’s time to think beyond protocols. OIDC and SAML solve part of the problem, but they weren’t designed to handle everything. 

With Identity Orchestration, you can:

  • Apply unified session and authorization policies across all apps
  • Revoke user sessions instantly, regardless of app or framework
  • Rotate federation keys and certificates centrally
  • Integrate with real-time risk signals (e.g., CAEP) to support Zero Trust
  • Avoid rewriting apps or migrating identity providers
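As an added example (not from the original post, and not Strata's code), here is the session-control logic a single application has to build for itself once SSO is in place, written in Python. It covers the things the session-management section asks about and the CAEP item in the list above: idle and absolute timeouts defined in one policy object, revoking every session a user holds in one call, and consuming a CAEP session-revoked event delivered as a Security Event Token (RFC 8417) carrying an RFC 9493 subject identifier, so an identity provider can trigger that revocation. The HS256 shared key, the policy values, the issuer and audience strings, and the event payload are all constructed for the example; a real transmitter signs with an asymmetric key published via JWKS, so the signature check would be replaced accordingly. Multiplied across every app in the estate, this is exactly the logic an orchestration layer centralizes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical central session policy: the kind of setting a WAM held once,
# and that each app otherwise reinvents in its own framework config.
POLICY = {"idle_timeout": 15 * 60, "absolute_lifetime": 8 * 3600}

# Event type URI defined by the OpenID CAEP specification.
CAEP_SESSION_REVOKED = (
    "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
)


class SessionStore:
    """Session registry with idle/absolute timeouts and revoke-all-for-user."""

    def __init__(self, policy=POLICY, clock=time.time):
        self.policy = policy
        self.clock = clock              # injectable so tests can move time
        self._sessions = {}             # sid -> {"sub", "created", "last_seen"}

    def create(self, sub):
        sid = secrets.token_urlsafe(24)
        now = self.clock()
        self._sessions[sid] = {"sub": sub, "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the subject of a live session, or None (and forget it)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        idle = now - s["last_seen"] > self.policy["idle_timeout"]
        too_old = now - s["created"] > self.policy["absolute_lifetime"]
        if idle or too_old:
            del self._sessions[sid]
            return None
        s["last_seen"] = now            # sliding idle window, fixed absolute cap
        return s["sub"]

    def revoke_subject(self, sub):
        """Drop every session the user holds; returns how many were dropped."""
        doomed = [sid for sid, s in self._sessions.items() if s["sub"] == sub]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def live_count(self, sub):
        return sum(1 for s in self._sessions.values() if s["sub"] == sub)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_set(claims, key):
    """Mint an HS256-signed Security Event Token (RFC 8417: a JWT with typ secevent+jwt).
    Assumption for this example only: real transmitters sign with an asymmetric key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def handle_set(token, key, store, issuer, audience, seen_jti):
    """Verify a SET and apply a CAEP session-revoked event to the store.
    Returns the number of sessions dropped; raises ValueError on anything untrusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed SET")
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    header = json.loads(_unb64url(h))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected header")
    claims = json.loads(_unb64url(p))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")   # each SET is applied once
    events = claims.get("events", {})
    sub_id = claims.get("sub_id", {})                 # RFC 9493 subject identifier
    if CAEP_SESSION_REVOKED in events and (
        sub_id.get("format") != "iss_sub" or sub_id.get("iss") != issuer
    ):
        raise ValueError("unsupported or foreign subject identifier")
    seen_jti.add(jti)
    if CAEP_SESSION_REVOKED not in events:
        return 0                                      # other event types: not ours
    return store.revoke_subject(sub_id["sub"])
```

Note what the receiver has to get right before it can honour a single revocation: signature, issuer, audience, replay protection on `jti`, and the subject identifier format. None of that comes with OIDC or SAML login; an app that skips the `seen_jti` check can be made to re-process an old event, and one that skips the `iss` check on the subject identifier will revoke the wrong user's sessions if two identity providers reuse subject values.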

I’m always bullish on identity orchestration, because it provides better security, faster response, and less risk, all without sacrificing the flexibility that modern protocols offer.

If you’re managing identity at scale across hybrid environments or M&A sprawl, you’ll find that this modernization blueprint lays out how to do it without losing control.

Where authentication ends, orchestration begins

Modern authentication protocols are a big step forward, but they’re not the destination. Without orchestration, you’re missing the control layer that ties it all together.

One more house analogy to close this out. Authentication is the front door. Orchestration is the foundation underneath it, the thing that makes sure your house doesn’t crumble when someone breaks in or when the storm hits.

So yes, go ahead and modernize. Use OIDC. Adopt SAML. But don’t stop there.

Because convenience without control is a risk you just cannot afford.

Ready to extend control beyond login? Modern authentication is just the first step. Strata’s Last Mile Enforcement Guide shows how to bring centralized policy and session control to every app — even the ones developers forgot about. Learn how to layer orchestration over your existing identity infrastructure and close the gaps modern auth leaves behind. Learn more with our Last Mile Enforcement Guide →