generally speaking, no, there should be no security concerns checking this into a repo, but some best practices would be recommended to follow:
- make the repo private
- protect the main branch
- require PRs and # approvals and/or add CODEOWNERS
- only allow individuals that need to edit with write/admin privileges
- having anybody with read-only access to the repo is unnecessary since SAML.to does the reading on behalf of the users
if provisioning is needed, there would be an encrypted token for SCIM in the text of the file, but that token is encrypted by SAML.to's AWS KMS, so checking an encrypted string into a file shouldn't be a huge concern for most
also, SAML.to Premium allows users to maintain their own PKI and allows administrators to encrypt and sign according to their organization's requirements!
on a final note, I'd entertain a feature request for "include" statements in the config file so CODEOWNERS could be leveraged nicely
that's all I can think of for now. I'll get these best practices into the docs and I'd entertain any and all suggestions or thoughts!