SAMLkit Security Statement
This document was last updated on 2021/11/12 UTC. A clear message will be displayed on samlkit.com when this document changes significantly.
The information in this security statement applies to samlkit.com.
- SAMLkit is a development and testing tool. Use it at your own risk. It is inadvisable to use it in conjunction with any critical system.
- SAMLkit does not store on its servers any of the information it receives from other SAML entities or information you enter into the application. SAML messages and relay state received through the Redirect binding are redacted before they end up in access logs.
- SAMLkit is currently hosted using Cloudflare and Netlify. SAMLkit cannot guarantee that Cloudflare or Netlify is unable to view submitted SAML message payloads.
- Most data you enter into SAMLkit, such as messages, metadata, and signing key pairs, is processed in your browser. SAML messages are received by and processed on the server for the duration required to deliver the message to the browser. Hosted entity metadata, including potentially sensitive URLs and public keys, is embedded in URLs; SAMLkit processes requests for such URLs for the duration required to deliver the metadata to the requester in XML format.
- Any data you submit from your SAML service provider to SAMLkit or from SAMLkit to other SAML identity providers is by choice.
- Messages, entity metadata, and signing key pairs are stored in your browser. They are only as safe as your browser is secure. Regardless, it is not advised to use private keys or other sensitive data that, if compromised, could impact the confidentiality, integrity or availability of your system.
- The information you enter is not shared or sold by SAMLkit.