Problem statement
This article explains why successful authentications can still appear in the logs after the SAML signing certificate has expired.
- The following error is seen in the logs: "The certificate used to sign the SAMLResponse is expired."
- However, successful logins were also seen.
Solution
The SAML specifications do not mandate a validity-period check on the signing certificate. This means that SAML logins can still work after the certificate has expired.
- Note that the SAMLResponse signature is still validated against the configured certificate; only the certificate's expiry is ignored. An expired certificate can therefore still be used to sign and to verify responses.
From a security perspective, this is not a vulnerability.
- In most deployments the Explicit Key Trust model is used: the certificate is only a container for the public key used to validate the signature, and trust comes from that certificate being explicitly configured (typically via metadata), not from a CA chain or its validity dates. Be aware, however, that individual Identity Providers (IdPs) and Service Providers (SPs) can apply their own policies; some reject SHA-1 certificates or do enforce certificate expiration checks.
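The behaviour described above, as an added Go example that is not part of this article or of any particular IdP/SP product: an SP pins the IdP signing certificate (Explicit Key Trust), the signature check passes even though the certificate expired a year ago, and the expiry is surfaced as a separate verdict the SP may or may not enforce. The certificate is a constructed self-signed fixture, and signing the raw response bytes stands in for XML-DSig canonicalisation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyPinned models an SP under the Explicit Key Trust model: the signature is checked against the
// IdP cert pinned in metadata (no chain). CheckSignature ignores NotBefore/NotAfter, so expiry is a separate verdict.
func verifyPinned(pinned *x509.Certificate, resp, sig []byte, now time.Time) (sigOK, expired bool) {
	sigOK = pinned.CheckSignature(x509.SHA256WithRSA, resp, sig) == nil
	expired = now.Before(pinned.NotBefore) || now.After(pinned.NotAfter)
	return sigOK, expired
}

// signResponse stands in for the IdP (simplification: real SAML signs a canonicalised XML digest via XML-DSig).
func signResponse(key *rsa.PrivateKey, resp []byte) ([]byte, error) {
	digest := sha256.Sum256(resp)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// makeExpiredIdPCert is a constructed fixture: a self-signed IdP signing cert whose validity ended a year ago.
func makeExpiredIdPCert() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "idp.example.test"}, // constructed name
		NotBefore:    time.Now().Add(-2 * 365 * 24 * time.Hour),
		NotAfter:     time.Now().Add(-365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	cert, key, _ := makeExpiredIdPCert()
	resp := []byte(`<samlp:Response ID="_constructed">...</samlp:Response>`)
	sig, _ := signResponse(key, resp)
	fmt.Println(verifyPinned(cert, resp, sig, time.Now())) // true true: signature valid, cert expired
}
```

An SP that wants the stricter behaviour some IdPs/SPs apply simply rejects the login when `expired` is true; one that follows the Explicit Key Trust model only logs it, which is exactly the "expired certificate" error seen beside successful logins.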