Security and PrivacySecurity Best Practices

SAML Security

This page explains how Descope secures the SAML exchange between a tenant's identity provider (IdP) and Descope, which acts as the service provider (SP).

Request signing

Descope signs the SAML AuthnRequest it sends to the IdP with its private key. The IdP verifies that signature using Descope's public certificate, which it reads from the SP metadata URL (or a certificate you upload manually). By default Descope generates a key pair per tenant, and you can bring your own. See SAML Signing and Encryption Keys.

Response and assertion encryption

Descope can decrypt encrypted SAML responses from the IdP using the tenant's private key. This lets the IdP encrypt the assertion in transit. The same SAML Signing and Encryption Keys page covers using Descope's keys or your own.

Certificates

Descope publishes its SP certificates in the tenant's metadata URL. If you rotate keys, make sure the IdP picks up the new certificate (via the metadata URL or a fresh manual upload). Expired or wrong-format certificates are a common cause of SSO failures, so check them first when debugging. See SSO Troubleshooting.

Assertion validation

Descope validates the assertion before signing a user in, which protects against impersonation:

  • The email returned by the IdP must match the email that initiated the login.
  • The email domain must match the tenant's configured SSO domain.
  • The user must be associated with the requested SSO application.

Assertions that fail these checks are rejected. See the SSO error codes (E062020, E062021, E062023) for the specific failures.

Single logout (SLO)

SLO is not supported

You cannot sign a user out of Descope using Single Logout (SLO) from a tenant's SSO provider. Signing out of the tenant's IdP does not end the Descope session, and ending the Descope session does not sign the user out of their IdP.

Manage your application's session with session management and sign users out of your own app session directly.

Was this helpful?

On this page