
Henri Cook's Blog

Submitted by Style Pass
2024-11-06 05:00:05

TL;DR Okta doesn't enforce expiry checks on signing certificates for identity providers, and you have no other option but to accept it.

I use Okta regularly, for both personal and corporate projects. Generally speaking, they're pretty great: Gartner's Magic Quadrant names them as a leader in the space, and they're a solid choice for authentication and federated authentication.

I was pretty surprised today to discover that Okta does not check expiry dates on identity provider (IdP) signing certificates. That is to say, if your application uses Okta to handle SSO and you've set up an IdP for your authentication system (e.g. Azure AD, PingFederate, Keycloak, etc.), login will continue to work after that IdP's signing certificate expires.

After a days-long investigation, Okta support confirmed to me that this is what's happening, and since it isn't documented anywhere I wrote this blog post to save others from wasting time. At the time of writing Okta does not document this behaviour. In response to my support request they implied that they might document it in future, but the response was very non-committal, as if it wasn't something they wanted to admit (opinion/speculation).

Users who shouldn't be able to sign in can sign in(!) via an IdP whose signing certificate has expired. Sounds serious, but read on...
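Since Okta will not raise the alarm for you, the practical mitigation is to watch the IdP's signing certificate yourself. The script below is an added example written for this post, not code from the original article or from Okta: it pulls every `X509Certificate` element out of a SAML IdP metadata document, reads the `notBefore`/`notAfter` dates straight from the DER with a small stdlib-only ASN.1 walker, and reports which certificates are expired or close to expiry. The metadata and the two certificates in it are constructed for the example (dummy issuer, subject and key, no real signature) so it runs offline; point `check_idp_metadata` at the metadata your IdP actually publishes to use it for real.

```python
import base64
import datetime as dt
import re

# --- minimal DER helpers -----------------------------------------------------

def der_tlv(buf, off):
    """Read one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Split the contents of a constructed DER value into its child (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """Decode an X.509 UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                         # UTCTime: YYMMDDHHMMSSZ, two-digit year
        year = int(s[:2])
        year += 2000 if year < 50 else 1900  # RFC 5280 pivot
        s = f"{year}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def cert_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(der, 0)            # Certificate ::= SEQUENCE
    tbs = der_children(cert)[0][1]          # tbsCertificate is the first child
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = der_children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)

# --- SAML metadata scan ------------------------------------------------------

def certs_from_metadata(xml_text):
    """Extract every X509Certificate element (any namespace prefix) as DER bytes."""
    return [base64.b64decode(re.sub(r"\s+", "", b64))
            for b64 in re.findall(r"<(?:\w+:)?X509Certificate>([^<]+)</", xml_text)]

def check_idp_metadata(xml_text, now=None, warn_days=30):
    """Report validity of each signing certificate in the metadata as of `now`."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = []
    for der in certs_from_metadata(xml_text):
        nb, na = cert_validity(der)
        days_left = (na - now).days
        report.append({"not_before": nb.isoformat(), "not_after": na.isoformat(),
                       "expired": now > na, "expiring_soon": 0 <= days_left < warn_days,
                       "days_left": days_left})
    return report

# --- constructed sample input (hypothetical IdP, dummy certificates) ---------

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def sample_cert(not_before, not_after):
    """Constructed: structurally valid X.509 DER with dummy names/key and a dummy signature."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30,
        _der(0xA0, _der(0x02, b"\x02")) +                               # version v3
        _der(0x02, b"\x01") +                                           # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) +  # sha256WithRSA OID
        _der(0x30, b"") +                                               # issuer (empty Name)
        _der(0x30, utc(not_before) + utc(not_after)) +                  # validity
        _der(0x30, b"") +                                               # subject (empty Name)
        _der(0x30, b""))                                                # subjectPublicKeyInfo (dummy)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

_UTC = dt.timezone.utc
EXAMPLE_NOW = dt.datetime(2024, 11, 6, tzinfo=_UTC)   # date of the post, used as the reference clock
_expired = sample_cert(dt.datetime(2022, 1, 1, tzinfo=_UTC), dt.datetime(2023, 1, 1, tzinfo=_UTC))
_current = sample_cert(dt.datetime(2024, 1, 1, tzinfo=_UTC), dt.datetime(2030, 1, 1, tzinfo=_UTC))

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>
      {base64.b64encode(_expired).decode()}
    </ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>
      {base64.b64encode(_current).decode()}
    </ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for entry in check_idp_metadata(SAMPLE_METADATA, now=EXAMPLE_NOW):
        print(entry)
```

Run on a schedule against the IdP's live metadata URL and alert on `expired` or `expiring_soon`; the second certificate in the sample shows the common rollover case where the IdP publishes a current and a next signing key side by side.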
