Why Login is Possible with Expired Certificate in SAML Connections

Last Updated: Dec 11, 2024

Overview

This article explains why it is possible to see successful authentications in the logs after the SAML certificate has expired.

  • The following error is seen in the logs:
    • The certificate used to sign the SAMLResponse is expired.
  • However, successful logins are also seen in the same logs.

Applies To

  • Expired Certificate
  • SAML Connections

Solution

The SAML specification does not mandate a certificate expiry check. This means that SAML logins can still work after the signing certificate has expired.

  • Note that the SAML response is still validated against the certificate; only the certificate's expiry is ignored. So an expired certificate can still be used to sign a SAMLResponse and to verify that signature.

From a security perspective, this is not a vulnerability.

  • In most cases, the Explicit Key Trust Model is used: the SP trusts the specific certificate configured for the IdP, so the certificate is just the carrier of the public key used for signature validation, not a chain whose validity period is evaluated. However, be aware that Identity Providers (IdPs) and Service Providers (SPs) can have their own arbitrary rules. Some restrict SHA-1 certificates or enforce certificate expiration checks.
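To make the distinction concrete, here is an added Go example (not code from this article or from any SAML library) that builds a constructed, already-expired self-signed signing certificate, signs a stand-in SAMLResponse with its key, and verifies it two ways: under the explicit key trust model, where only the signature is checked, and under the stricter policy that some SPs apply, which also rejects a certificate outside its validity window. The function names, the certificate contents and the response bytes are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// makeExpiredSigner builds a constructed self-signed certificate whose validity
// window closed a year ago, standing in for an IdP's expired SAML signing cert.
func makeExpiredSigner() (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().AddDate(-2, 0, 0),
		NotAfter:     time.Now().AddDate(-1, 0, 0), // already expired
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signResponse signs the SAMLResponse bytes as the IdP would (RSA PKCS#1 v1.5 over SHA-256).
func signResponse(key *rsa.PrivateKey, response []byte) ([]byte, error) {
	digest := sha256.Sum256(response)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyExplicitTrust is the explicit key trust model: the signature is checked
// against the pinned IdP certificate and NotAfter is never consulted.
func verifyExplicitTrust(cert *x509.Certificate, response, sig []byte) error {
	return cert.CheckSignature(x509.SHA256WithRSA, response, sig)
}

// verifyWithExpiry is the stricter SP policy: same signature check, plus
// rejection of a certificate that is outside its validity window.
func verifyWithExpiry(cert *x509.Certificate, response, sig []byte, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate used to sign the SAMLResponse is expired")
	}
	return verifyExplicitTrust(cert, response, sig)
}
```

The first verifier accepts the expired certificate's signature (and still rejects a tampered response), while the second rejects it, which is exactly the difference between the successful logins and the error line seen in the logs.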