Tags: SAML 2.0, OIDC, NIST SP 800-63C, NIST SP 800-131A, SSO Hygiene, Deep Prototype

SAMLPolicyAudit — SAML / OIDC SSO Policy Audit

22 SSO integrations across SAML 2.0, OIDC, SCIM. Per integration: signature algorithm, encryption algorithm, assertion lifetime, signed assertion + signed response + encrypted assertion, NameID format, IdP-init vs SP-init, allowed clock skew, AuthnContextClassRef. Surfaces 4 integrations with weak crypto (SHA-1, RSA-1024) + 2 over-long assertion lifetimes + 1 unsigned-assertion CRITICAL finding.


What it is

The shape behind SSO security audits. Most teams stand up SAML once and never re-audit — until a partner integration is found using SHA-1 + IdP-init + 2-hour assertion lifetimes. SAMLPolicyAudit is the inventory that surfaces those by default.

What’s in it

  • 22 SSO integrations spanning:
    • IdP-side — Okta corporate IdP, Auth0 customer IdP (OIDC), Microsoft Entra ID enterprise, Google Workspace
    • SP-side (we are IdP) — Salesforce, Snowflake, Datadog, Sentry, GitHub Enterprise, HubSpot, Notion, Linear, Figma, Slack Enterprise, PagerDuty
    • Legacy partner integrations (4) with weak crypto + over-long lifetimes + unsigned assertions
    • OIDC channels (Auth0 + 2 customer)
    • SCIM provisioning channel
  • 8-axis policy check per integration:
    1. Signed assertion (CRITICAL — unsigned = anyone can craft)
    2. Signed response (response-wrapping defense)
    3. Encrypted assertion (defense in depth above TLS)
    4. Assertion lifetime (≤15 min recommended)
    5. Signature algorithm (SHA-256+ / RSA-2048+ per NIST SP 800-131A)
    6. Init flow (SP-init preferred; less CSRF surface)
    7. Clock skew (≤2 min recommended)
    8. NameID format (explicit > unspecified)
  • Worst-offender findings:
    • SI-019 — UNSIGNED ASSERTION on legacy partner. Anyone with the IdP URL can craft any assertion. URGENT KILL.
    • SI-018 — RSA-SHA1 + UNSIGNED RESPONSE + 2-hour lifetime + IdP-init. Compound failure.
    • SI-017 — RSA-1024 key (NIST SP 800-131A requires 2048+ since 2014).
    • SI-022 — OIDC id_token lifetime 24h. Way too long.
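The 8-axis check above, written out as an added example in vanilla JavaScript. This is not SAMLPolicyAudit's own code: the record field names (`signedAssertion`, `assertionLifetimeSec`, `keyBits`, `initFlow`, `clockSkewSec`, `nameIdFormat`), the severity per axis and the `POLICY` thresholds are assumptions, and the five integration records are constructed to mirror the shape of the findings listed above (a clean baseline, an unsigned assertion, the SHA-1 / unsigned-response / 2-hour / IdP-init compound, an RSA-1024 key, and a 24-hour OIDC id_token) rather than the real 22 integrations. It goes slightly beyond the text by accepting both XML DSig algorithm URIs and JOSE `alg` names, so one check covers the SAML and OIDC channels.

```javascript
// Added example (not SAMLPolicyAudit's own code): an 8-axis SSO policy check
// in vanilla JavaScript. Field names and thresholds below are assumptions,
// and the integration records are constructed to mirror the page's findings.

const POLICY = {
  maxAssertionLifetimeSec: 15 * 60, // axis 4: <=15 min
  maxClockSkewSec: 2 * 60,          // axis 7: <=2 min
  minRsaBits: 2048,                 // axis 5: NIST SP 800-131A floor since 2014
  weakDigests: new Set(["sha1", "md5"]),
};
const SEVERITY_RANK = { CRITICAL: 3, HIGH: 2, MEDIUM: 1, LOW: 0 };
// For an OIDC channel only the token-level axes apply (signed id_token,
// lifetime, algorithm, skew); response/encryption/init/NameID are SAML notions.
const OIDC_AXES = new Set([1, 4, 5, 7]);

// Normalise an XML DSig URI ("...#rsa-sha1") or a JOSE alg ("RS256")
// into [keyType, digest] so the same check covers SAML and OIDC.
function parseSigAlg(alg) {
  const frag = alg.includes("#") ? alg.slice(alg.indexOf("#") + 1) : alg;
  const x = /^(rsa|dsa|ecdsa|hmac)-(md5|sha1|sha256|sha384|sha512)$/.exec(frag.toLowerCase());
  if (x) return [x[1], x[2]];
  const j = /^(RS|PS|ES|HS)(256|384|512)$/.exec(alg);
  if (j) return [{ RS: "rsa", PS: "rsa", ES: "ecdsa", HS: "hmac" }[j[1]], "sha" + j[2]];
  return ["unknown", "unknown"];
}

// Run the eight axes over one integration record; returns a list of findings.
function checkIntegration(i) {
  const findings = [];
  const add = (axis, severity, message) => {
    if (i.protocol === "oidc" && !OIDC_AXES.has(axis)) return;
    findings.push({ id: i.id, axis, severity, message });
  };
  // 1. Unsigned assertion: anyone holding the IdP endpoint can mint identities.
  if (!i.signedAssertion) add(1, "CRITICAL", "assertion/token is not signed");
  // 2. Unsigned response: no protection against response/signature wrapping.
  if (!i.signedResponse) add(2, "HIGH", "response is not signed");
  // 3. Encryption is defense in depth above TLS.
  if (!i.encryptedAssertion) add(3, "LOW", "assertion is not encrypted");
  // 4. Lifetime: a stolen assertion is replayable for its whole validity window.
  if (i.assertionLifetimeSec > POLICY.maxAssertionLifetimeSec)
    add(4, "MEDIUM", `lifetime ${i.assertionLifetimeSec}s exceeds ${POLICY.maxAssertionLifetimeSec}s`);
  // 5. Digest and key strength.
  const [keyType, digest] = parseSigAlg(i.signatureAlgorithm);
  if (POLICY.weakDigests.has(digest)) add(5, "HIGH", `weak digest ${digest}`);
  if (keyType === "rsa" && i.keyBits < POLICY.minRsaBits)
    add(5, "HIGH", `RSA-${i.keyBits} below ${POLICY.minRsaBits}`);
  // 6. IdP-initiated flows lack the SP's request binding (CSRF-style surface).
  if (i.initFlow === "idp") add(6, "LOW", "IdP-initiated flow; SP-initiated preferred");
  // 7. Generous skew widens every validity window.
  if (i.clockSkewSec > POLICY.maxClockSkewSec)
    add(7, "MEDIUM", `clock skew ${i.clockSkewSec}s exceeds ${POLICY.maxClockSkewSec}s`);
  // 8. An explicit NameID format beats "unspecified".
  if (!i.nameIdFormat || /unspecified$/.test(i.nameIdFormat))
    add(8, "LOW", "NameID format is unspecified");
  return findings;
}

// Audit every integration, count by severity and rank worst offenders first.
function auditAll(integrations) {
  const findings = integrations.flatMap(checkIntegration);
  const counts = { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 };
  const perId = new Map();
  for (const f of findings) {
    counts[f.severity] += 1;
    const w = perId.get(f.id) || { id: f.id, worst: -1, count: 0 };
    w.worst = Math.max(w.worst, SEVERITY_RANK[f.severity]);
    w.count += 1;
    perId.set(f.id, w);
  }
  const worstOffenders = [...perId.values()].sort((a, b) => b.worst - a.worst || b.count - a.count);
  return { findings, counts, worstOffenders };
}

// Constructed records (not the page's real integrations), shaped like the
// page's SI-019 / SI-018 / SI-017 / SI-022 findings plus one clean baseline.
const RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
const RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
const EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
const UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
const SAMPLE_INTEGRATIONS = [
  { id: "EX-01", protocol: "saml", signedAssertion: true, signedResponse: true, encryptedAssertion: true,
    assertionLifetimeSec: 300, signatureAlgorithm: RSA_SHA256, keyBits: 2048, initFlow: "sp", clockSkewSec: 60, nameIdFormat: EMAIL },
  { id: "EX-02", protocol: "saml", signedAssertion: false, signedResponse: true, encryptedAssertion: false,
    assertionLifetimeSec: 600, signatureAlgorithm: RSA_SHA256, keyBits: 2048, initFlow: "sp", clockSkewSec: 120, nameIdFormat: EMAIL },
  { id: "EX-03", protocol: "saml", signedAssertion: true, signedResponse: false, encryptedAssertion: false,
    assertionLifetimeSec: 7200, signatureAlgorithm: RSA_SHA1, keyBits: 2048, initFlow: "idp", clockSkewSec: 300, nameIdFormat: UNSPEC },
  { id: "EX-04", protocol: "saml", signedAssertion: true, signedResponse: true, encryptedAssertion: true,
    assertionLifetimeSec: 900, signatureAlgorithm: RSA_SHA256, keyBits: 1024, initFlow: "sp", clockSkewSec: 120, nameIdFormat: EMAIL },
  { id: "EX-05", protocol: "oidc", signedAssertion: true, assertionLifetimeSec: 86400,
    signatureAlgorithm: "RS256", keyBits: 2048, clockSkewSec: 60 },
];

const report = auditAll(SAMPLE_INTEGRATIONS);
console.log(report.counts, report.worstOffenders);
```

Running it ranks the unsigned-assertion record first (one CRITICAL beats seven lesser findings), which is the ordering a triage view wants: the compound SHA-1 record has the most findings but none that lets an outsider mint an identity outright. Thresholds live in one `POLICY` object so tightening the lifetime or skew limit is a one-line change rather than a hunt through the checks.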

Why this shape

NIST SP 800-63C (Federation) + SP 800-131A (Crypto Transitions) define the modern SAML/OIDC baseline. SOC2 CC6.1 + ISO 27001 A.5.16-A.5.17 demand the ongoing audit. The killer attack class — XML signature wrapping (XSW) — exploits exactly the gaps in axes 1+2: unsigned assertion + unsigned response. SAMLPolicyAudit prototypes the inventory that catches the XSW-vulnerable integrations.

How it ships

Single HTML file, ~17KB. Zero dependencies. 22 integrations × 8-axis policy check in 220 lines of vanilla JavaScript.
