Feature: Better certificate rotation for SAML connections
Description: SAML connections only support one certificate at a time. This makes it painful to perform standard certificate rotations. For each 3rd-party connection, we need to schedule a cutover time and accept some blocked logins until both sides can finish the rotation.
This flow is lacking compared to other connection types like ADFS, where rotation is handled automatically via the metadata URL. Such a feature for SAML would be amazing, and has previously been asked about here: SAML certificate rollover
But even something as simple as allowing upload of multiple certificates for SAML connections would help, so that we could add the upcoming certificate in advance and gracefully cut over without downtime.
Use-case: We provide a B2B SaaS offering in the healthcare space. We chose Auth0 primarily to support SSO connections with the upstream IDPs of our enterprise customers, which are health insurance companies, hospital systems, etc. Most of our customers use SAML for SSO. Some even demand SAML even though they use ADFS for their IDP, which prevents us from using the nicer ADFS-native flow (since that flow uses WS-Fed for the protocol).
We are a small team, so time spent manually handling SAML cert rotations is a drain and gets more annoying the more we grow and add more enterprise SSO connections. Furthermore, our clients also tend to have IT teams that are strapped for time, which makes it even harder to coordinate each manual rotation. Anything that can make this process smoother and more automated would be a boon for us.
@dan.woda @konrad.sopala
It’s been over a year since this was requested. Curious if it has made it onto Auth0’s roadmap at all? It remains a huge pain point with SAML connections.
In my case we have a cronjob that inspects the metadata endpoint every 15 minutes and updates the certificate accordingly. That has been working really well with Azure AD up until recently, when they started alternating between two valid certificates prior to rotation, hence the need to have more than one certificate configured for the enterprise SAML connection in Auth0.
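As an added example (not code from this thread, from Auth0 or from @simov's cronjob), the core of the metadata-polling approach described above: parse the IdP's published SAML metadata, collect every signing certificate, and compare the set against the single certificate a one-slot connection holds, so the job can tell the normal case apart from the two-certificate rollover window that a single slot cannot cover. The metadata document and certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (not real Azure AD output). The IdP publishes
# two signing certificates during its rollover window, plus an encryption cert
# that must not be mistaken for a signing cert.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.test/"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        Q0VSVF9PTEQ=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVF9ORVc=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVF9FTkM=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs(metadata_xml: str) -> list[str]:
    """Base64 DER bodies of every IdP signing cert, whitespace stripped so
    values compare equal regardless of line wrapping. A KeyDescriptor with
    no 'use' attribute may sign or encrypt, so it counts as signing too."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            body = "".join((c.text or "").split())
            if body and body not in certs:
                certs.append(body)
    return certs


def rotation_plan(configured: str, published: list[str]) -> dict:
    """Compare the single cert a one-slot connection holds with what the IdP
    publishes. 'pending' are published certs the connection cannot validate;
    when the IdP publishes more than one, a single slot can never cover them
    all, which is the gap the thread describes."""
    return {"configured_still_valid": configured in published,
            "pending": [c for c in published if c != configured],
            "single_slot_sufficient": len(published) <= 1}
```

A polling job would fetch the metadata URL, call these two functions, and alert rather than blindly overwrite when `single_slot_sufficient` is false, since whichever certificate it picks leaves some assertions unverifiable until the IdP finishes its rollover.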
Hello, what is the status of “SAML Certificate Management” improvement mentioned above and what should it consist of? Looking particularly into automatic / easier way to refresh SAML IDP certificates for SAML connections. Thanks!
+1 for supporting SAML metadata endpoints. To be frank I’m shocked that an IAM as massive as Auth0 doesn’t support this; wouldn’t it be a dealbreaker for potential customers? Manually managing certificates is very error prone. @simov’s cronjob approach seems like a reasonable workaround, but as he mentioned even that is limited without Auth0 supporting multiple certs; and this arguably shouldn’t be a consumer’s concern.
Please support registering a SAML metadata endpoint ASAP.