One you have a business relationship with. You can sign up for a paid account with Google or Microsoft. Use your own domain. Disable whatever adware options you’d like, and use that as your identity provider.
While you can roll your own, many services, if they even support custom SAML federation, only do so for enterprise customers. You’re much more likely to find useful federated services with Google or MS.
I would never recommend Facebook.
They handle it better and your options to respond are better.
You can immediately invalidate all associations, for instance. You can revalidate them too once your identity provider is back up and running. Okta is going through this right now, I believe, but I haven’t been paying a whole lot of attention to it.
There’s no password with federated sites. It’s certificates to prove the connection is valid, and tokens.
The federated website could choose to save nothing about you. It would make it a lot easier for them to do so, as it means fewer resources to manage, and less PII to be concerned about storing.