SAML Security and Limitations

Review AuthOS SAML security controls, evidence gaps, and deployment limitations

AuthOS release 0.8.2 API v1 Latest-only documentation
Updated Jul 15, 2026 Edit this page
On this page

Limitations

AuthOS SAML is Beta. The documented endpoints are implemented, but AuthOS does not claim SAML conformance or certification and does not yet publish complete product-specific interoperability, abuse-case, external certificate-rotation, or emergency-compromise evidence. Validate the exact Service Provider and both success and failure paths before production.

Single Logout invalidates sessions only for the configured service, not every Service Provider or the AuthOS platform session. IdP-initiated responses are unsolicited and may be rejected by some Service Providers. Certificate rollover publishes one active signer and at most two verification-only previous certificates for a maximum seven-day overlap.

Security Best Practices

  1. Enable Signing:

    • Set both sign_assertions: true and sign_response: true
    • Ensures integrity and authenticity of SAML assertions
  2. Certificate Rotation:

    • Rotate certificates before 3-year expiration
    • Refresh Service Provider metadata during the seven-day overlap window
    • Check lifecycle_status, expires_in_seconds, and published_previous_certificates
    • Retire overlap early only after every Service Provider trusts the active certificate, or during a compromise response
  3. Secure Configuration:

    • Validate entity_id matches actual Service Provider
    • Verify acs_url is HTTPS and belongs to legitimate Service Provider
    • Use proper NameID format for your use case
  4. Monitor Access:

    • Review audit logs regularly for SAML configuration changes
    • Track SAML login events via analytics endpoints
    • Set up alerts for suspicious activity
  5. Test Thoroughly:

    • Test both SP-initiated and IdP-initiated flows
    • Verify attribute mapping works correctly
    • Test with MFA enabled
    • Validate session timeout behavior
  6. Keep Metadata Updated:

    • Provide Service Providers with metadata URL for automatic updates
    • Notify Service Provider administrators when rotating certificates
    • Document integration procedures for your team