Feature: Better certificate rotation for SAML connections
Description: SAML connections only support one certificate at a time. This makes it painful to perform standard certificate rotations. For each 3rd-party connection, we need to schedule a cutover time and accept some blocked logins until both sides can finish the rotation.
This flow is lacking compared to other connection types like ADFS, where rotation is handled automatically via the metadata URL. Such a feature for SAML would be amazing, and has previously been asked about here: SAML certificate rollover
But even something as simple as allowing upload of multiple certificates for SAML connections would help, so that we could add the upcoming certificate in advance and gracefully cut over without downtime.
Use-case: We provide a B2B SaaS offering in the healthcare space. We chose Auth0 primarily to support SSO connections with the upstream IDPs of our enterprise customers, which are health insurance companies, hospital systems, etc. Most of our customers use SAML for SSO. Some even demand SAML even though they use ADFS for their IDP, which prevents us from using the nicer ADFS-native flow (since that flow uses WS-Fed for the protocol).
We are a small team, so time spent manually handling SAML cert rotations is a drain and gets more annoying the more we grow and add more enterprise SSO connections. Furthermore, our clients also tend to have IT teams that are strapped for time, which makes it even harder to coordinate each manual rotation. Anything that can make this process smoother and more automated would be a boon for us.
@dan.woda @konrad.sopala
It’s been over a year since this was requested. Curious if it has made it onto Auth0’s roadmap at all? It remains a huge pain point with SAML connections.
In my case we have a cronjob that inspects the metadata endpoint every 15 minutes and updates the certificate accordingly. That has been working really great with Azure AD up until recently, when they started alternating between two valid certificates prior to rotation, hence the need for having more than one certificate configured for the enterprise SAML connection in Auth0.
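The metadata-polling check described in the post above, as an added example that is not code from the poster or from Auth0: it parses an IdP's SAML metadata, collects every signing certificate (keyed by SHA-256 fingerprint of the DER bytes), and diffs that set against the fingerprints already configured on the service-provider side, flagging the "two valid certificates at once" state that a single-certificate connection cannot represent. The metadata document and its certificate bodies are constructed placeholders, and the step that would push the result to the SP configuration is left out.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata with two simultaneously valid signing
# certificates (the pre-rotation state the post describes) plus one
# encryption-only certificate. The base64 bodies are placeholders, not X.509.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVC1PTEQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVC1ORVc=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q0VSVC1FTkM=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 hex fingerprint of the DER bytes behind a base64 certificate body."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def signing_certs(metadata_xml: str) -> dict:
    """Return {fingerprint: base64-DER} for every certificate the IdP may sign with.
    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption per the SAML metadata spec, so it is included as well."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key: irrelevant for response signature checks
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join(node.text.split())
            certs[fingerprint(b64)] = b64
    return certs


def rotation_plan(configured: set, observed: dict) -> dict:
    """Diff fingerprints configured on the SP against the IdP's current metadata:
    certs to add before the IdP starts using them, stale ones safe to retire,
    and whether the IdP currently advertises more than one signing cert."""
    observed_fp = set(observed)
    return {
        "add": sorted(observed_fp - configured),
        "retire": sorted(configured - observed_fp),
        "multiple_active": len(observed_fp) > 1,
    }
```

When `multiple_active` is true and the SP can hold only one certificate, the poller cannot safely pick either one, which is exactly the gap the thread is asking Auth0 to close.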
Hello, what is the status of “SAML Certificate Management” improvement mentioned above and what should it consist of? Looking particularly into automatic / easier way to refresh SAML IDP certificates for SAML connections. Thanks!
+1 for supporting SAML metadata endpoints. To be frank I’m shocked that an IAM as massive as Auth0 doesn’t support this; wouldn’t it be a dealbreaker for potential customers? Manually managing certificates is very error prone. @simov’s cronjob approach seems like a reasonable workaround, but as he mentioned even that is limited without Auth0 supporting multiple certs; and this arguably shouldn’t be a consumer’s concern.
Please support registering a SAML metadata endpoint ASAP.
+1 for this request; our previous provider allowed us to have multiple active certificates per connection. When can we expect this feature to be released?
+1 from me too for this feature. I have seen a SimpleSAML.php based implementation that can do this, and was amazed to learn that Auth0 does not have it already.
It is shocking that industry-leader Auth0 doesn’t support multiple certificates, or some other strategy for seamless certificate rotations.
Parroting all the stories above, coordinating an after-hours or weekend phone call with each customer every year is expensive, annoying, and error prone. We had one last night that went sideways due to a simple copy-paste error. We had to roll back quickly and reschedule another (after hours) appointment with the customer to try again with the corrected certificate.
Supporting multiple certificates has the potential to ease all that scheduling/downtime pain, AND to provide a safe proving ground for new certificates’ accuracy and validity.