sigwinch28 | 1 year ago
For example, where the authentication request is coming from (on-site, managed device), what methods are being used (hardware second factor, Authenticator app).
These are all things that the SSO can check at time of authentication, before a token or session key gets issued to the user. Also, all of these things can be checked again when doing any auth flows for the various linked services.
So with stolen SSO credentials, they might be worth diddly squat to you if you didn’t think to also be on-site or on a managed company device (physically or virtually).