Most SSO solutions don't verify device identity or state, so you're not ensuring that the connection is coming from a computer you trust running software you trust.
>>mjg59+(OP)
I guess it's a matter of what the IdP attests. It's definitely possible for an IdP like Okta to include a ton of client details as part of the attestation payload. Stuff like GeoIP, client certificate fields, MDM status, etc.
>>xyzzy_+9b
Right, but you have to individually set up all of your apps to work with it; the proxy can be mandatory for all apps by dint of network controls.