Push Security Unauthorized IdP Login

Summary
The Push Security Unauthorized IdP Login rule detects logins to applications that were brokered by an identity provider (IdP) the organization has not authorized, a pattern consistent with SAMLjacking, where an attacker points an application's SSO configuration at an IdP they control. The rule is not enabled by default, so it may need configuration (for example, the list of sanctioned IdPs) before it is deployed in production. It consumes Push Security log types tied to user login activity and carries a High severity, reflecting the risk that an unauthorized access path represents. Alerts are deduplicated over a one-hour period, so repeated logins through the same unauthorized IdP within that window produce a single alert rather than one per event. The rule ships with several unit tests, each covering a different IdP login scenario. When a login through an unauthorized IdP is detected, the alert carries contextual information including the user identity, the application being accessed, and the nature of the login.
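To make the logic above concrete, here is an added Panther-style rule that is not the published rule's source code: an IdP allowlist check with a dedup key scoped to user, application and IdP. The event field names (`event_type`, `idp`, `user_email`, `app_name`, `login_type`, `source_ip`) and the allowlist contents are assumptions for illustration, not the Push Security schema; the sample events are constructed.

```python
from typing import Any, Dict, List, Optional

# Assumed allowlist of identity providers the organization sanctions for SSO.
AUTHORIZED_IDPS = {"okta", "entra"}


def _login_idp(event: Dict[str, Any]) -> Optional[str]:
    """Return the normalized IdP name for a login event, or None for non-login events."""
    if event.get("event_type") != "login":  # assumed field name
        return None
    idp = event.get("idp")  # assumed field name
    return idp.strip().lower() if isinstance(idp, str) and idp.strip() else None


def rule(event: Dict[str, Any]) -> bool:
    """Fire when a login to an application was brokered by an IdP outside the allowlist."""
    idp = _login_idp(event)
    return idp is not None and idp not in AUTHORIZED_IDPS


def title(event: Dict[str, Any]) -> str:
    return (f"Unauthorized IdP login: {event.get('user_email', '<unknown user>')} "
            f"signed in to {event.get('app_name', '<unknown app>')} via {_login_idp(event)}")


def dedup(event: Dict[str, Any]) -> str:
    # One alert per user/app/IdP combination within the deduplication window
    # (one hour for this rule, configured as DedupPeriodMinutes: 60 in the rule's YAML).
    return f"{event.get('user_email')}:{event.get('app_name')}:{_login_idp(event)}"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    return {
        "user": event.get("user_email"),
        "app": event.get("app_name"),
        "idp": _login_idp(event),
        "login_type": event.get("login_type"),  # e.g. "sso" vs "password"; assumed field
        "source_ip": event.get("source_ip"),
    }


# Constructed sample events for local verification (not real Push Security logs).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event_type": "login", "idp": "Okta", "user_email": "a.user@example.com", "app_name": "Slack", "login_type": "sso"},
    {"event_type": "login", "idp": "rogue-idp.example", "user_email": "a.user@example.com", "app_name": "Slack", "login_type": "sso"},
    {"event_type": "app_install", "idp": "rogue-idp.example", "user_email": "a.user@example.com"},
]


def run_samples() -> List[bool]:
    """Evaluate the rule against the constructed sample events; only the second should fire."""
    return [rule(e) for e in SAMPLE_EVENTS]
```

Only the second sample fires: the first uses an allowlisted IdP and the third is not a login event at all, which is the distinction the rule's unit tests exercise.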
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • User Account
  • Application Log
Created: 2024-06-27