Privacy Policy
Effective April 1, 2026
Your privacy matters to us. This policy describes what information Simple SAML collects, why we collect it, and how we use and protect it. We have tried to write it in plain English so you can actually read it.
Simple SAML is a stateless SAML broker. When one of your users authenticates through their identity provider, we receive and validate the SAML assertion, then issue a signed JWT to your application. We act as a pass-through. We do not build profiles of your end users or store their identity data.
What we collect and why
- Account information
  - When you sign up we ask for your email address and a password. We use your email to communicate with you about the service: security notices and product updates. Passwords are stored as salted hashes, never in plaintext.
- Connection configuration
  - We store the connection configurations you create. Each connection links one identity provider to one client application and includes IdP metadata, endpoint URLs, and your application's callback URL. This configuration is necessary for us to run sign-ins on your behalf. You own this data.
- Replay protection
  - To prevent replay attacks, we temporarily hold the identifier of each processed SAML response in an in-memory cache for approximately ten minutes, then discard it. We do not keep a persistent log of authentication events, and we do not store NameIDs, SAML attributes, or any personal information about the end users who authenticate through your connections.
- Server and usage logs
  - Our servers collect standard access logs: IP addresses, request paths, HTTP status codes, and response times. We use these for security monitoring and operations. Raw server logs are retained for a limited period and then deleted.
- Cookies and session state
  - We use a single session cookie to keep you logged in to the Simple SAML dashboard. We do not use third-party tracking cookies, ad pixels, or analytics services that report your behavior to outside companies. Because our cookies are strictly necessary for the dashboard to function, we do not display a cookie consent banner.
What we don't do
- We do not sell your personal information to anyone, ever.
- We do not serve you ads or share your data with advertisers.
- We do not store the personal data of the end users who authenticate through the identity provider.
- We do not read the content of your SAML assertions beyond what is necessary to route and validate them.
When we share information
We share your information only in these limited circumstances.
- Service providers
  - We use a small number of subprocessors to operate the service: Cloudflare for edge networking and DNS, and a transactional email provider for signup verification and account emails. Each is bound by a data processing agreement and may only use your data to provide services to us, not for their own purposes.
- Legal requirements
  - If we are required by law to disclose information (a court order, subpoena, or similar legal process) we will notify you before complying unless we are legally prohibited from doing so or unless disclosure would put someone at risk of harm.
How long we keep your data
We keep accounts and their connection configuration for as long as the account is active. When you close an account, its data is deleted immediately. When you delete your login profile, your email and password hash are deleted immediately and you are removed from any accounts you belong to.
We do not maintain a persistent log of authentication events. Raw server logs are retained for a limited period and then deleted.
How we protect your data
All data is encrypted in transit using TLS 1.2 or higher. Secrets required to operate the service, including the private key we use to sign JWTs, are stored in Rails encrypted credentials and are never checked into version control or written to logs.
Access to production systems is limited to the operator and restricted to SSH key authentication.
If we discover a breach that affects your data, we will notify you within 72 hours of becoming aware of it, consistent with our obligations under applicable data protection law.
Reporting a security issue
If you believe you have found a security vulnerability in Simple SAML, please report it to security@simplesaml.com. We acknowledge reports within two business days and aim to resolve confirmed issues promptly. Please give us a reasonable window to investigate and remediate before any public disclosure. We will not pursue legal action against researchers who act in good faith and follow this process.
Machine-readable contact information is published at /.well-known/security.txt per RFC 9116.
Your rights
Regardless of where you are located, we honor the following rights for all users.
- Access and portability
  - Email us and we will provide an export of your account and connection configuration.
- Correction
  - You can update your account information from the profile settings page. If you need help correcting data you cannot change yourself, contact us.
- Deletion
  - You can close an account from its settings page. This immediately and permanently deletes the account and all of its data: connections, invites, tags, and memberships. Your profile is separate and is not affected by closing an account.
  - You can delete your profile from the profile page. This immediately deletes your email address and password hash and removes you from any accounts you belong to.
  - If you prefer, email us and we will handle either on your behalf.
- Objection and restriction
  - If you believe we are processing your personal information in a way you have not consented to, contact us. We will investigate and respond within 30 days.
If you are in the European Economic Area or the United Kingdom, you also have the right to lodge a complaint with your local data protection authority.
Data processing agreements
Because Simple SAML does not store the personal data of the end users who authenticate through your connections (SAML assertions are validated and discarded, not retained), a data processing agreement is not applicable to that data flow. We do not offer a signed DPA.
Changes to this policy
We will notify you by email at least 14 days before any material change to this policy takes effect. Minor changes such as fixing typos or clarifying language without changing substance may be made without advance notice. The current version is always posted at this URL with an updated effective date.
Contact us
Have a question about this policy or want to exercise one of your rights? Email us at privacy@simplesaml.com. We respond to all privacy inquiries within 30 days.