2026-05-06 · Platform
SAML 2.0 SSO (Business+)
- Per-org Service Provider keypair generated on first config save (RSA-2048, encrypted at rest with AES-256-GCM).
- SP metadata XML at /auth-service/sso/saml/:orgId/metadata for one-click IdP import.
- Real self-signed X.509 certificate in metadata so spec-strict IdPs (Microsoft Entra) accept it directly.
- Signed AuthnRequests, signature-verified Assertions, InResponseTo replay defence.
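
A sketch of how an InResponseTo replay defence of this kind can work, added here as an illustration and not taken from the platform's code: each outgoing AuthnRequest ID is recorded per organisation and accepted at most once. The class and method names, the 5-minute TTL and the in-memory store are assumptions.

```javascript
// Added example, not the project's code. Class and method names, the
// 5-minute TTL and the in-memory Map store are assumptions.
class AuthnRequestTracker {
  constructor(ttlMs = 5 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.pending = new Map(); // requestId -> { orgId, expiresAt }
  }

  // Record the ID of an AuthnRequest just sent to the IdP. The caller is
  // assumed to generate the ID from a CSPRNG so it cannot be guessed.
  issue(orgId, requestId, now = Date.now()) {
    if (this.pending.has(requestId)) throw new Error('duplicate request ID');
    this.pending.set(requestId, { orgId, expiresAt: now + this.ttlMs });
  }

  // Check the InResponseTo value of an incoming Response. The entry is
  // deleted on first lookup, so a captured Response cannot be accepted twice.
  consume(orgId, inResponseTo, now = Date.now()) {
    if (typeof inResponseTo !== 'string' || inResponseTo === '') {
      return { ok: false, reason: 'missing' }; // unsolicited response
    }
    const entry = this.pending.get(inResponseTo);
    if (!entry) return { ok: false, reason: 'unknown_or_replayed' };
    this.pending.delete(inResponseTo); // single use, even if a later check fails
    if (entry.orgId !== orgId) return { ok: false, reason: 'org_mismatch' };
    if (now > entry.expiresAt) return { ok: false, reason: 'expired' };
    return { ok: true, reason: 'ok' };
  }

  // Drop entries whose Response never arrived.
  sweep(now = Date.now()) {
    for (const [id, e] of this.pending) {
      if (now > e.expiresAt) this.pending.delete(id);
    }
  }
}

// Constructed sample run: returns the outcome of five Responses.
function demo() {
  const t = new AuthnRequestTracker();
  const t0 = 1000000; // constructed clock value in ms
  for (const id of ['_req1', '_req2', '_req3']) t.issue('org-a', id, t0);
  return [
    t.consume('org-a', '_req1', t0 + 1000),      // first delivery
    t.consume('org-a', '_req1', t0 + 2000),      // replay of same Response
    t.consume('org-b', '_req2', t0 + 1000),      // ID issued for another org
    t.consume('org-a', '_req3', t0 + 6 * 60000), // after the TTL
    t.consume('org-a', undefined, t0 + 1000),    // no InResponseTo at all
  ].map((r) => r.reason);
}
```

Call `consume` only after the Response or Assertion signature has verified, so unsigned input cannot burn a pending request ID; a multi-instance deployment would need a shared store with an atomic get-and-delete in place of the `Map`.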