This is a huge deal. Depending on how deep the attackers got, it could be considered a giant compromise of data at multiple companies. Imagine you had a single password that could let you into any app a company is using internally. Not only that, but that single password could be used for any account. That's basically what it means when your identity provider is compromised. Not only that, but it is really hard to tell if it was a legitimate login because the assertions are perfectly valid.

If I were a company, I'd seriously reconsider outsourcing my identity provider.