Why Login is Possible with Expired Certificate in SAML Connections

Problem statement

This article explains why it is possible to see successful authentications in the logs after the SAML certificate has expired.

  • The following error is seen in the logs:
    • The certificate used to sign the SAMLResponse is expired.
  • However, successful logins were also seen.


SAML specifications do not mandate an expiry check. This means that SAML logins can still work after certificates have expired.

  • Note that the SAML response is still validated with the certs, but only the expiry is ignored. So, expired certs can still be used to sign and verify.

From a security perspective, this is not a vulnerability.

  • In most cases, the Explicit Key Trust Model is used, so the cert is just a means of signature validation. However, be aware that depending on the Identity Providers (IdPs)/Service Providers (SPs) used, they can have their own arbitrary rules. Some restrict SHA-1 certs or enforce cert expiration checks.
1 Like