Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
Description
Identity Management (IdM) solutions based on protocols such as OAuth 2.0, OpenID Connect (OIDC), and SAML 2.0 are critical components of modern digital infrastructures in both enterprises and public administrations. Ensuring their security is essential for establishing trust in large-scale digital ecosystems. Continuous Delivery (CD) and DevSecOps pipelines are increasingly adopted to support continuous integration, deployment, and security validation of IdM software. However, existing DevSecOps toolchains lack automated support for protocol-level pentesting and conformance testing of IdM deployments.
In this work, we integrate Micro-Id-Gym—an automated pentesting and conformance testing tool for OAuth, OIDC, and SAML—into a CD/CI pipeline. We describe the approach, report our experience deploying it in collaboration with Poligrafico e Zecca dello Stato Italiano, and show how automated security testing can be seamlessly incorporated into DevSecOps workflows for continuous risk assessment and improved identity infrastructure security.
Files

| Name | Size |
|---|---|
| 2021.pdf (md5:2f382a82fcd52b3b20e682a59a1c42ac) | 1.0 MB |