> Okay, so… what are those cases? I’m also curious.

If you're willing to make a third party SaaS's uptime the ceiling for your own org, you can delegate auth. Github might not be a good choice for SSO.

If you're not threatened by per-user-per-month fees, you can delegate auth.

If your threat model is compatible with a third party having visibility into your user's network location and the frequency and duration of their activities across your org, you can delegate auth. (Okta will probably not inform your competitor that your main sales guy is in North Carolina this week and has logged in from the conference room wifi of your competitor's main client.)

If you can trust the third party to not allow an interloper to bypass your requirements, you can delegate auth.