
Summary
The rule detects changes to the SAML single sign-on (SSO) enforcement status for administrators of the Duo Admin Panel. It alerts when an administrator sets the enforcement status to 'disabled' or 'optional', either of which weakens the security posture: administrators can then sign in without going through the organization's SAML identity provider, so the controls enforced there (conditional access, device posture, centralized deprovisioning) no longer gate administrative access. The rule inspects Duo administrator log entries whose action is 'admin_single_sign_on_update' and checks whether the recorded change sets the enforcement status to one of these two states. The expected secure configuration is an enforcement status of 'required'; any transition away from it should be verified against an approved change. The rule runs on an hourly schedule, which bounds the window between such a change and its detection.
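The following is an added example of the detection logic described above, run over constructed sample log entries; it is not the rule's own implementation and not code from Duo. It assumes administrator-log entries in the shape of Duo's Admin API administrator log (fields 'action', 'description', 'object', 'username', 'timestamp'), with 'description' carrying a JSON object of changed settings that includes an 'enforcement_status' key for SSO updates. The sample events and the exact key name are assumptions for illustration.

```python
import json

# Constructed sample events (not real Duo data). The shape follows the Duo Admin API
# administrator log; the 'enforcement_status' key inside 'description' is an assumption.
SAMPLE_EVENTS = [
    {"action": "admin_single_sign_on_update",
     "description": json.dumps({"enforcement_status": "optional"}),
     "object": None, "timestamp": 1674201600, "username": "alice"},
    {"action": "admin_single_sign_on_update",
     "description": json.dumps({"enforcement_status": "required"}),
     "object": None, "timestamp": 1674201660, "username": "carol"},
    {"action": "admin_single_sign_on_update",
     "description": json.dumps({"enforcement_status": "disabled"}),
     "object": None, "timestamp": 1674201720, "username": "bob"},
    # Unrelated administrator action: must not match.
    {"action": "admin_login",
     "description": json.dumps({"factor": "push"}),
     "object": None, "timestamp": 1674201780, "username": "alice"},
    # SSO update that does not touch enforcement (e.g. a metadata change): must not match.
    {"action": "admin_single_sign_on_update",
     "description": json.dumps({"sso_url": "https://idp.example.com/saml"}),
     "object": None, "timestamp": 1674201840, "username": "carol"},
    # Malformed description: must be tolerated, not crash the rule.
    {"action": "admin_single_sign_on_update",
     "description": "not json",
     "object": None, "timestamp": 1674201900, "username": "dave"},
]

TARGET_ACTION = "admin_single_sign_on_update"
WEAK_STATES = frozenset({"disabled", "optional"})
EXPECTED_STATE = "required"


def parse_description(description):
    """Return the description as a dict.

    Duo serializes the changed settings as a JSON string; some pipelines already
    decode it into an object, so both forms are accepted. Anything unparseable
    yields an empty dict so a single bad event cannot break the whole run.
    """
    if isinstance(description, dict):
        return description
    if not description:
        return {}
    try:
        parsed = json.loads(description)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def enforcement_status(event):
    """Return the normalized enforcement status set by this event, or None."""
    if event.get("action") != TARGET_ACTION:
        return None
    status = parse_description(event.get("description")).get("enforcement_status")
    if not isinstance(status, str):
        return None
    return status.strip().lower()


def matches_rule(event):
    """True when an SSO update sets administrator SAML enforcement to a weak state."""
    return enforcement_status(event) in WEAK_STATES


def find_weak_saml_enforcement(events):
    """Run the rule over a batch of events and return one alert dict per match."""
    alerts = []
    for event in events:
        status = enforcement_status(event)
        if status in WEAK_STATES:
            alerts.append({
                "username": event.get("username"),
                "timestamp": event.get("timestamp"),
                "new_status": status,
                "expected_status": EXPECTED_STATE,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_weak_saml_enforcement(SAMPLE_EVENTS):
        print(f"ALERT: {alert['username']} set SAML enforcement to "
              f"'{alert['new_status']}' (expected '{alert['expected_status']}') "
              f"at {alert['timestamp']}")
```

The matching is deliberately narrow: only the specific action and only the two weak states trigger, so routine SSO metadata edits and the transition back to 'required' stay quiet. Triaging a hit means confirming the change with the named administrator and restoring 'required' if it was not approved.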
Categories
- Identity Management
- Cloud
- Web
Data Sources
- User Account
- Application Log
Created: 2023-01-20