Features
How We Secure Your Credentials
Every credential you store travels through multiple independent encryption layers — by design, not as an add-on.
Encrypted Before Submission
SAML Manager uses AWS CloudFront Field-Level Encryption (FLE) to encrypt sensitive fields inside your browser. The credential_data payload is encrypted with a public RSA key before the HTTP request is sent — meaning the plaintext never appears in server logs, proxy caches, or error messages.
Double-Encrypted at Rest
Credentials are stored in AWS Secrets Manager, which applies its own native encryption layer. On top of that, every secret is wrapped with a dedicated AWS KMS Customer Master Key (CMK) — giving you two independent, auditable encryption layers at rest. Compromising one layer does not expose your secrets.
Per-Org Key Isolation & BYOK
Each organization is assigned its own dedicated KMS CMK — credentials from different organizations are cryptographically isolated, not just logically separated. Need full key custody? Supply your own KMS key (Bring Your Own Key — BYOK). Revoke the key grant and your credentials become permanently unreadable — even to us.
No AI. No LLMs. No Autonomous Agents.
Your credentials are never fed to any large language model, AI assistant, or autonomous agent — including hosted AI services such as OpenAI, Anthropic, AWS Bedrock, or Azure OpenAI. Decryption is scoped exclusively to the per-organization provisioning Lambda that requires it. This is enforced at the IAM policy and KMS key policy level, not just by convention.
Plan Comparison
Choose the plan that fits your deployment. All plans include full credential security — see above.
| Features | Most Popular | | | |
|---|---|---|---|---|
| Identity Providers | | | | |
| Basic IDP Configuration: Configure standard Identity Provider settings | | | | |
| ADFS Configuration: Active Directory Federation Services integration | — | | | |
| Azure AD Configuration: Microsoft Entra ID (Azure Active Directory) integration | — | | | |
| Service Providers | | | | |
| Available Service Providers: Pre-built SP connectors included with your plan | AWS + Jellyfin | 5 SPs | Unlimited | Unlimited |
| Operations | | | | |
| Audit Logs: Full activity log for compliance and security reviews | — | | | |
Add-ons
Enhance any plan with optional network add-ons, billed alongside your subscription.
Private Static IPv4/IPv6 Address
Compatible with all plans
A dedicated, static IP address for your organization's outbound SAML traffic — useful for firewall allowlisting and consistent IP identity across deployments.
Shared IPv4/IPv6 Addresses
Home Labber & Basic only
Shared IP addresses suitable for smaller deployments and home lab environments where a dedicated static IP is not required.