"Signs of a phishing email include: grammatical errors, misspellings, incorrect names and titles, conflicting or intentionally confusing information, and a false sense of urgency"
that describes every email I get at work 😐
All of these do this because they've been told to implement awful single-sign-on services, but lacking the expertise or the manpower to scratchbuild (because IT budgets are always treated as cost sinks), they go to third-party contractors.
My health insurance has at least two different SSO providers, one of which is Microsoft and the other of which is Fuck Knows™, but they somehow both still have my username and password shared somewhere, which sure doesn't seem like a good idea!
But having been involved in procurement discussions for shit like that, I can tell you that what probably happened is someone got an order somewhere that login needed to be "more secure", and they flailed around to find whichever third-party auth solution satisfied the box ticks for whichever bogus certification standard someone in management thought sounded intimidating enough.
Nobody involved actually knew anything about security except "it's important", and so trusted the word of some overpriced corporate consultant that gave them a readable but meaningless metric with boxes they could tick off, so that's what they did.

