Privacy policy.

Your privacy matters to us. This policy describes what information Simple SAML collects, why we collect it, and how we use and protect it. We have tried to write it in plain English so it is straightforward to read.

Simple SAML is a stateless SAML proxy. When one of your end users authenticates through their identity provider, we receive and validate the SAML assertion, then issue a signed JWT to your application. We act as a pass-through. We do not build profiles of your end users or store their identity data.

Two audiences read this page:

If you're an admin

You signed up for Simple SAML to add SSO to your application. You are our customer. The sections below describe data we hold about your account and your connections.

If you're an end user

You were redirected to Simple SAML by an application you use. Simple SAML processes your SAML assertion long enough to validate it and to mint a JWT for that application, and then discards it. We do not create an account for you. We do not retain your NameID, attributes, or session beyond what is described in "Replay protection" below. The application that signed you in is your data controller; their privacy policy governs what happens to your data after that handoff.

Account information

When you sign up we ask for your email address and a password. We use your email to communicate with you about the service: security notices and product updates. Passwords are stored as salted hashes, never in plaintext.

Connection configuration

We store the connection configurations you create. Each connection links one identity provider to one client application and includes IdP metadata, endpoint URLs, and your application's callback URL. This configuration is necessary for us to run sign-ins on your behalf. You own this data.

Replay protection

To prevent replay attacks, we temporarily hold the identifier of each processed SAML response in an in-memory cache for approximately ten minutes, then discard it. We do not keep a persistent log of authentication events, and we do not store NameIDs, SAML attributes, or any personal information about the end users who authenticate through your connections.

Server and usage logs

Our servers collect standard access logs: IP addresses, request paths, HTTP status codes, and response times. We use these for security monitoring and operations. Raw server logs are retained for a limited period and then deleted.

Cookies and session state

We use a single session cookie to keep you logged in to the Simple SAML dashboard. We do not use third-party tracking cookies, ad pixels, or analytics services that report your behavior to outside companies. Because our cookies are strictly necessary for the dashboard to function, we do not display a cookie consent banner.

• We do not sell your personal information to anyone, ever.
• We do not serve you ads or share your data with advertisers.
• We do not store the personal data of the end users who authenticate through the identity provider.
• We do not read the content of your SAML assertions beyond what is necessary to route and validate them.
• We do not use your data, or your end users' data, to train machine-learning models.

We share your information only in these limited circumstances.

Service providers

We use a small number of subprocessors to operate the service: Cloudflare for edge networking and DNS, and a transactional email provider for signup verification and account emails. Each is bound by a data processing agreement and may only use your data to provide services to us, not for their own purposes.

Legal requirements

If we are required by law to disclose information (a court order, subpoena, or similar legal process) we will notify you before complying unless we are legally prohibited from doing so or unless disclosure would put someone at risk of harm.

We keep accounts and their connection configuration for as long as the account is active. When you close an account, its data is deleted immediately. When you delete your login profile, your email and password hash are deleted immediately and you are removed from any accounts you belong to.

We do not maintain a persistent log of authentication events. Raw server logs are retained for a limited period and then deleted.

All data is encrypted in transit using TLS 1.2 or higher. Secrets required to operate the service, including the private key we use to sign JWTs, are stored in Rails encrypted credentials and are never checked into version control or written to logs.

Access to production systems is limited to operations staff and restricted to SSH key authentication.

If we discover a breach that affects your data, we will notify you without undue delay after becoming aware of it, and in any event within 72 hours where applicable data protection law requires it.

If you believe you have found a security vulnerability in Simple SAML, please report it to security@simplesaml.com. We aim to acknowledge reports as quickly as we reasonably can and to resolve confirmed issues without undue delay. Please give us a reasonable window to investigate and remediate before any public disclosure. We will not pursue legal action against researchers who act in good faith and follow this process.

Machine-readable contact information is published at /.well-known/security.txt per RFC 9116.

Regardless of where you are located, we honor the following rights for all users.

Access and portability

Email us and we will provide an export of your account and connection configuration.

Correction

You can update your account information from the profile settings page. If you need help correcting data you cannot change yourself, contact us.

Deletion

You can close an account from its settings page. This immediately and permanently deletes the account and all of its data: connections, invites, tags, and memberships. Your profile is separate and is not affected by closing an account.

You can delete your profile from the profile page. This immediately deletes your email address and password hash and removes you from any accounts you belong to.

If you prefer, email us and we will handle either on your behalf.

Objection and restriction

If you believe we are processing your personal information in a way you have not consented to, contact us. We will investigate and respond consistent with applicable data protection law.

If you are in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data protection authority.

A data processing agreement is not required for the end-user SSO flow itself: Simple SAML does not store the personal data of the end users who authenticate through your connections (SAML assertions are validated and discarded, not retained).

For the customer-account data we do hold (your email, password hash, and connection configurations), a signed DPA is in development as part of our SOC 2 Type 1 work. If your procurement process requires a signed DPA today, email legal@simplesaml.com and we will execute one with you.

We may update this policy at any time and for any reason. The current version is always posted at this URL with an updated effective date. We recommend reviewing the policy periodically.

Have a question about this policy or want to exercise one of your rights? Email us at privacy@simplesaml.com. We respond to privacy inquiries consistent with applicable data protection law.