Session Abstract: As enterprises increase their adoption of SaaS software, usage and reliance on single sign-on solutions have become more widespread. Today many organizations rely on Identity providers (IdPs) as their primary source of identity and access management to protect heir most valuable assets — such as code, cloud platform(s), and email. Given the high value asset it protects, attacking IdPs is becoming increasingly common. This talk will discuss methods attackers can use once they’ve established a foothold in an IdP to retain persistence. Using persistence mechanisms, we'll discuss methods for detection and response of compromised accounts and possible future improvements that could aid in mitigating this threat.