SSO Config Linter

SSOJet

Validate SAML 2.0 metadata and OpenID Connect discovery documents in your editor — expired signing certificates, http endpoints, missing jwks_uri, and other SSO misconfigurations, caught as you type.
Installation
Launch VS Code Quick Open (Ctrl+P), paste the following command, and press enter.

SSO Config Linter

Catch broken SSO configuration in your editor, not in production. This extension lints the two documents enterprise SSO lives and dies by:

  • OpenID Connect discovery documents (openid-configuration)
  • SAML 2.0 metadata (any .xml file containing SAML metadata — detected automatically)

Most SSO outages aren't code bugs — they're configuration drift: a signing certificate that quietly expired, an ACS URL that slipped back to http://, a discovery document missing jwks_uri. None of that shows up in unit tests, because the config lives outside your application code. This linter surfaces it as squiggles the moment it appears in a file.

Maintained by SSOJet — the SSO & SCIM platform that lets B2B SaaS teams ship enterprise login in days, not quarters. Pairs with our CI-side validator, sso-config-validator, so the same checks run in your editor and your pipeline.

What it checks

OIDC discovery (openid-configuration)

  • All members required by OpenID Connect Discovery 1.0 (issuer, authorization_endpoint, jwks_uri, response_types_supported, ...)
  • token_endpoint present unless only the implicit flow is supported
  • HTTPS issuer with no query string or fragment; HTTPS for every endpoint and URI
  • RS256 support and Authorization Code flow availability (warnings)
  • Optional issuer pinning via the ssoLinter.expectedIssuer setting
  • Strict JSON syntax with precise error positions
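
The OIDC checks listed above, sketched as an added example (this is not the extension's source code). The names `lintDiscovery` and `SAMPLE`, the host `idp.example.com`, and the rule used to decide "implicit only" are assumptions made for illustration.

```javascript
// Added example, not the extension's source. Assumptions are marked below.
const REQUIRED = ["issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
  "subject_types_supported", "id_token_signing_alg_values_supported"]; // REQUIRED by OIDC Discovery 1.0

function lintDiscovery(text, { expectedIssuer } = {}) {
  const out = [];
  const add = (severity, key, message) => out.push({ severity, key, message });
  let doc;
  try { doc = JSON.parse(text); } catch (e) { add("error", null, `invalid JSON: ${e.message}`); return out; }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    add("error", null, "discovery document must be a JSON object");
    return out;
  }
  for (const k of REQUIRED) if (!(k in doc)) add("error", k, "required member missing");

  const types = Array.isArray(doc.response_types_supported) ? doc.response_types_supported : [];
  // Assumption: "implicit only" means no response type contains the "code" token.
  const usesCode = types.some((t) => String(t).split(" ").includes("code"));
  if (usesCode && !("token_endpoint" in doc)) add("error", "token_endpoint", "required unless only the implicit flow is supported");
  if (!types.includes("code")) add("warning", "response_types_supported", "Authorization Code flow not offered");
  const algs = doc.id_token_signing_alg_values_supported;
  if (Array.isArray(algs) && !algs.includes("RS256")) add("warning", "id_token_signing_alg_values_supported", "RS256 not listed");

  // issuer plus every *_endpoint / *_uri member must be an absolute https URL
  for (const [k, v] of Object.entries(doc)) {
    if (k !== "issuer" && !/_(endpoint|uri)$/.test(k)) continue;
    let u;
    try { u = new URL(v); } catch { add("error", k, "not an absolute URL"); continue; }
    if (u.protocol !== "https:") add("error", k, "must use https");
    if (k === "issuer" && (u.search || u.hash)) add("error", k, "issuer must not contain a query string or fragment");
  }
  if (expectedIssuer && doc.issuer !== expectedIssuer) add("error", "issuer", `expected ${expectedIssuer}`);
  return out;
}

// Constructed sample document with several of the misconfigurations listed above.
const SAMPLE = JSON.stringify({
  issuer: "https://idp.example.com/tenant?x=1",            // query string on issuer
  authorization_endpoint: "http://idp.example.com/authorize", // plain http
  response_types_supported: ["code"],                       // code flow, but no token_endpoint
  subject_types_supported: ["public"],
  id_token_signing_alg_values_supported: ["ES256"],         // RS256 absent; jwks_uri absent too
});

console.log(lintDiscovery(SAMPLE, { expectedIssuer: "https://idp.example.com/tenant" }));
```
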

SAML 2.0 metadata (auto-detected in XML files)

  • EntityDescriptor with a non-empty entityID (optionally pinned to an expected value)
  • A usable IDPSSODescriptor or SPSSODescriptor
  • SingleSignOnService / AssertionConsumerService endpoints present, with HTTPS Locations (localhost gets a gentler warning) and recognized bindings
  • X.509 signing certificate expiry — expired certificates are errors, certificates expiring within 30 days (configurable) are warnings. No OpenSSL needed; the certificate is parsed right in the editor.

Usage

Open an openid-configuration file or any SAML metadata XML — diagnostics appear automatically and update as you type. You can also run SSO Config Linter: Validate Current File from the Command Palette.

Example

Expired SAML certificate caught in the editor

OIDC discovery document validation

Snippets

| Prefix | Language | Inserts |
| --- | --- | --- |
| oidc-discovery | JSON | OIDC discovery document skeleton |
| saml-idp-metadata | XML | SAML 2.0 IdP metadata skeleton |
| saml-sp-metadata | XML | SAML 2.0 SP metadata skeleton |

Settings

| Setting | Default | Description |
| --- | --- | --- |
| ssoLinter.expectedIssuer | — | OIDC issuer / SAML entityID must match this exactly |
| ssoLinter.certExpiryThresholdDays | 30 | Warn when a signing certificate expires within this many days |

Validate the live config too

This extension checks the files you're editing. To validate the deployed discovery document and metadata on every push, add ssojet/sso-config-validator to your CI.

More free SSO tools from SSOJet

The linter pairs well with SSOJet's free, no-login browser tools when you need to go beyond static validation:

  • SAML Tester — run a full SAML login flow against your IdP and inspect every request and response live
  • SAML Tools — the full toolbox: SAML message decoder, IdP and SP metadata builders, X.509 self-signed certs and fingerprint calculator, XML sign/encrypt utilities, and a SAML troubleshooter
  • OIDC Tester and OIDC Playground — exercise your discovery document and authorization flows interactively
  • JWT Validator — decode and verify the tokens your OIDC config produces
  • SAML Glossary — when a metadata term in a squiggle message is unfamiliar

A natural workflow: scaffold metadata with this extension's snippets, fix what the linter flags, generate a signing cert with the X.509 tools, then run a live login through the SAML Tester before shipping.

About SSOJet

SSOJet gives B2B SaaS teams enterprise-ready SSO (SAML, OIDC) and SCIM provisioning as a drop-in — see the docs and blog for SAML/OIDC setup guides.

License

MIT
