SAML SSO still working even after certificate expired

jineesh M G

Sep 19, 2017, 3:25:24 AM
to SAML-based Single Sign On for Google Apps
Hi guys,

We have an Identity Provider configured in our data center and have configured this against Google SSO. Recently we noticed that the signing certificate has expired (it expired in March 2017), but the login is still working without any error.


But when we configured another site with the same SAML configuration, we got a "This account cannot be accessed because the login credentials could not be verified." error. Then we replaced the existing certificate with a valid certificate and everything started working as expected.

So my question is: why is the expired certificate working without any problem on all the other sites?

Thanks,
MG


jineesh M G

Sep 19, 2017, 8:02:19 AM
to SAML-based Single Sign On for Google Apps
Here are the details about the scenario
---------------------------------------------------

We have two sites, a.domain.com and b.domain.com, configured with Google SSO. Both these sites are sending assertions to Google, and we are using the Google Drive service inside these sites. (We have noticed that the certificate expired in March 2017.)

Recently we created one more site, c.domain.com, using the same content as the above-mentioned websites. When we try to send an assertion to the Google service, we get a "This account cannot be accessed because the login credentials could not be verified." error. We then checked the Google forums and figured out that this is due to the expiration of the signing certificate. We then replaced the public certificate in the Google Admin console and also updated the certificate in c.domain.com. Now everything is working as expected.

But the strange issue is that both a.domain.com and b.domain.com are still working fine with the old EXPIRED certificate. We have cleared the browser cache and still see the same effect.

So the question is: why are both these sites' assertions still valid with the old expired certificate?