It is important to test the security of Single Sign-On implemented. Since it doesn’t require username and password, it may expose sensitive data to the attacker.

Single sign on issues arise for developers integrating with Force.com when either the API Partner Server URL is not validated or SSL is not used when a non-native application calls back to an external server with a user’s session id. This may result in exposure of the API Session ID or Salesforce data to an attacker.

Check the below link

https://developer.salesforce.com/page/Secure_Coding_Single_Sign_On