Better certificate rotation for SAML connections

Feature: Better certificate rotation for SAML connections

Description: SAML connections only support one certificate at a time. This makes it painful to perform standard certificate rotations. For each third-party connection, we need to schedule a cutover time and accept some blocked logins until both sides can finish the rotation.

This flow is lacking compared to other connection types like ADFS, where rotation is handled automatically via the metadata URL. Such a feature for SAML would be amazing, and has previously been asked about here: SAML certificate rollover

But even something as simple as allowing upload of multiple certificates for SAML connections would help, so that we could add the upcoming certificate in advance and gracefully cut over without downtime.

Use-case: We provide a B2B SaaS offering in the healthcare space. We chose Auth0 primarily to support SSO connections with the upstream IDPs of our enterprise customers, which are health insurance companies, hospital systems, etc. Most of our customers use SAML for SSO. Some even demand SAML although they use ADFS for their IDP, which prevents us from using the nicer ADFS-native flow (since that flow uses WS-Fed for the protocol).

We are a small team, so time spent manually handling SAML cert rotations is a drain and gets more annoying the more we grow and add more enterprise SSO connections. Furthermore, our clients also tend to have IT teams that are strapped for time, which makes it even harder to coordinate each manual rotation. Anything that can make this process smoother and more automated would be a boon for us.

Thanks for the detailed feature request!

We have the same requirement. Coordinating each manual rotation across 2 organizations is inefficient and time consuming.


Thanks for adding additional context! Make sure to upvote this feedback topic please!

Upvoted. We would appreciate this feature for the same efficiencies described above.

@dan.woda @konrad.sopala
It’s been over a year since this was requested. Curious if it has made it onto Auth0’s roadmap at all? It remains a huge pain point with SAML connections.

Upvoted. We would appreciate this feature.


Hi Folks,

Our latest public roadmap includes an item for SAML Certificate Management, target release of Q1 2024.

Thanks!


Just linking my ticket here Support multiple signing keys for enterprise SAML connection

In my case we have a cronjob that inspects the metadata endpoint every 15 minutes and updates the certificate accordingly. That has been working really great with Azure AD up until recently, when they started alternating between two valid certificates prior to rotation, hence the need to have more than one certificate configured for the enterprise SAML connection in Auth0.

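The post above describes polling the IdP's metadata endpoint and updating the configured certificate from it. The script below is an added illustration of the core of such a job, written for this page; it is not simov's cronjob and not Auth0 code. It parses SAML IdP metadata, collects every published signing certificate (skipping encryption-only keys), fingerprints them, and diffs them against the fingerprints the SP currently trusts, so the operator can see a newly published certificate before the IdP starts signing with it. The metadata document and the three certificate bodies are constructed placeholders, not real X.509 data; fetching the metadata over HTTPS and pushing the result into the SAML connection (for example via the Auth0 Management API) are left to the caller and are assumptions outside this block.

```python
"""Diff an IdP's published SAML signing certificates against what the SP trusts.

Added example for this thread, not code from Auth0 or from the poster's cronjob.
Uses only the standard library so it runs offline against the constructed
metadata below.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (hex) of the DER bytes inside an X509Certificate element."""
    der = base64.b64decode(re.sub(r"\s+", "", cert_b64))
    return hashlib.sha256(der).hexdigest()


def extract_signing_certs(metadata_xml: str) -> list[str]:
    """Return the base64 bodies of all signing certificates in the IDPSSODescriptor(s).

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption per the SAML metadata schema, so it is included. Keys marked
    use="encryption" are skipped: they must never be trusted to verify signatures.
    Duplicates are collapsed while preserving document order.
    """
    root = ET.fromstring(metadata_xml)
    certs: list[str] = []
    for idp in root.iter(f"{{{NS['md']}}}IDPSSODescriptor"):
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":
                continue
            for x509 in kd.findall(".//ds:X509Certificate", NS):
                body = re.sub(r"\s+", "", x509.text or "")
                if body and body not in certs:
                    certs.append(body)
    return certs


def plan_rotation(metadata_xml: str, configured_fps: set[str]) -> dict:
    """Compare published signing certs with the fingerprints the SP currently trusts.

    'add'    : published by the IdP but not yet configured (configure before it goes live)
    'remove' : configured but no longer published (retire after a grace period)
    """
    published_fps = [fingerprint(c) for c in extract_signing_certs(metadata_xml)]
    add = [fp for fp in published_fps if fp not in configured_fps]
    remove = sorted(fp for fp in configured_fps if fp not in published_fps)
    return {"published": published_fps, "add": add, "remove": remove}


def _b64(label: bytes) -> str:
    return base64.b64encode(label).decode()


# Constructed placeholders: base64 of a label, NOT real DER certificates.
CERT_CURRENT = _b64(b"constructed placeholder, not a real certificate: current")
CERT_NEXT = _b64(b"constructed placeholder, not a real certificate: next")
CERT_ENC = _b64(b"constructed placeholder, not a real certificate: encryption")

# Constructed metadata modelled on what an IdP publishes while it overlaps two
# signing certificates ahead of a rotation (entityID and URLs are fictitious).
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {CERT_CURRENT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_NEXT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CERT_ENC}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    # The SP currently trusts only the 'current' cert; the IdP has pre-published 'next'.
    plan = plan_rotation(SAMPLE_METADATA, {fingerprint(CERT_CURRENT)})
    for fp in plan["add"]:
        print("new signing cert published, configure it before the IdP switches:", fp)
    for fp in plan["remove"]:
        print("cert no longer published, safe to retire after a grace period:", fp)
```

The diff makes the thread's problem concrete: while the IdP overlaps two signing certificates, `published` has two entries, and a connection that can hold only one certificate cannot be driven safely from metadata, because whichever one is configured, assertions signed with the other will fail. Only act on `remove` after the IdP has stopped publishing the certificate for some time, and only consume metadata fetched over HTTPS from the IdP's well-known URL (or metadata whose signature you verify), since whatever this job trusts becomes a valid signer for your logins.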

Thanks for sharing @simov!

Hello, what is the status of “SAML Certificate Management” improvement mentioned above and what should it consist of? Looking particularly into automatic / easier way to refresh SAML IDP certificates for SAML connections. Thanks!


Hello,

What is the status of this ticket? We are currently experiencing major issues related to this.


Can you provide us an update on this?

It's not implemented yet, I noticed, but is it still on the roadmap? What is the new timeline?

We are having production incidents each time Azure rotates the public key. We cannot justify this anymore to our customers.


+1 for supporting SAML metadata endpoints. To be frank, I'm shocked that an IAM as massive as Auth0 doesn't support this; wouldn't it be a dealbreaker for potential customers? Manually managing certificates is very error prone. @simov's cronjob approach seems like a reasonable workaround, but as he mentioned, even that is limited without Auth0 supporting multiple certs; and this arguably shouldn't be a consumer's concern.

Please support registering a SAML metadata endpoint ASAP.
