Better certificate rotation for SAML connections

Feature: Better certificate rotation for SAML connections

Description: SAML connections only support one certificate at a time. This makes it painful to perform standard certificate rotations. For each 3rd-party connection, we need to schedule a cutover time and accept some blocked logins until both sides can finish the rotation.

This flow is lacking compared to other connection types like ADFS, where rotation is handled automatically via the metadata URL. Such a feature for SAML would be amazing, and has previously been asked about here: SAML certificate rollover

But even something as simple as allowing upload of multiple certificates for SAML connections would help, so that we could add the upcoming certificate in advance and gracefully cut over without downtime.

Use-case: We provide a B2B SaaS offering in the healthcare space. We chose Auth0 primarily to support SSO connections with the upstream IDPs of our enterprise customers, which are health insurance companies, hospital systems, etc. Most of our customers use SAML for SSO. Some even demand SAML even though they use ADFS for their IDP, which prevents us from using the nicer ADFS-native flow (since that flow uses WS-Fed for the protocol).

We are a small team, so time spent manually handling SAML cert rotations is a drain and gets more annoying the more we grow and add more enterprise SSO connections. Furthermore, our clients also tend to have IT teams that are strapped for time, which makes it even harder to coordinate each manual rotation. Anything that can make this process smoother and more automated would be a boon for us.
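What "accept more than one certificate" would look like on the service-provider side, as an added Go example that is not Auth0's code or anything posted in this thread: the trust store holds both the outgoing and the incoming IdP certificate, so assertions signed with either key verify during the overlap, and the old certificate is simply dropped once the IdP has switched. The key and self-signed certificate generation (NewSigningCert) stands in for the IdP and is constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// NewSigningCert stands in for one IdP signing key (constructed for this example): a fresh RSA key plus a self-signed cert for it.
func NewSigningCert(serial int64, days int) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Sign is the IdP side: an RSA-SHA256 signature over the serialized assertion bytes.
func Sign(key *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	d := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}

// TrustStore is the SP side: every IdP certificate currently accepted for one connection. Holding old and new together removes the cutover window.
type TrustStore struct{ Certs []*x509.Certificate }

// Verify accepts the assertion if the key of any trusted certificate that is valid at `now` verifies the signature.
func (t *TrustStore) Verify(assertion, sig []byte, now time.Time) bool {
	d := sha256.Sum256(assertion)
	for _, c := range t.Certs {
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok || now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue // wrong key type, or outside the certificate's validity window
		}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil {
			return true
		}
	}
	return false
}
```

Retiring the old certificate is just removing it from Certs; a real SP would also bind the store to the connection's issuer and validate the full assertion, which this example omits.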

Thanks for the detailed feature request!

We have the same requirement. Coordinating each manual rotation across 2 organizations is inefficient and time consuming.


Thanks for adding additional context! Make sure to upvote this feedback topic please!

Upvoted. We would appreciate this feature for the same efficiencies described above.

@dan.woda @konrad.sopala
It’s been over a year since this was requested. Curious if it has made it onto Auth0’s roadmap at all? It remains a huge pain point with SAML connections.