Why Login is Possible with Expired Certificate in SAML Connections

rueben.tiow · March 23, 2024, 12:08am

Problem statement

This article explains why it is possible to see successful authentications in the logs after the SAML certificate has expired.

The following error is seen in the logs:
- The certificate used to sign the SAMLResponse is expired.
However, successful logins were also seen.

SAML specifications do not mandate an expiry check. This means that SAML logins can still work after certificates have expired.

Note that the SAML response is still validated with the certs, but only the expiry is ignored. So, expired certs can still be used to sign and verify.

From a security perspective, this is not a vulnerability.

In most cases, the Explicit Key Trust Model is used, so the cert is just a means of signature validation. However, be aware that depending on the Identity Providers (IdPs)/Service Providers (SPs) used, they can have their own arbitrary rules. Some restrict SHA-1 certs or enforce cert expiration checks.

Topic		Replies	Views
SAML Connection stops working Knowledge Articles saml , certificate , expire	1	1971	August 22, 2022
Does certificate for SAML authentication request have expiration date? Help connections , saml-enterprise-connection	3	1108	October 20, 2023
"Action Required for "my-saml-link" connection: Signing certificate will expire in 29 days" Knowledge Articles	1	1076	June 19, 2023
Signing Certificate expiration report Help reports , support-center	1	2094	December 6, 2022
SAML Integration Invalid thumbprint for a valid certificate Help connections , saml-enterprise-connection	2	1321	September 20, 2023