diff --git a/services/web/scripts/ukamf/check-idp-metadata.js b/services/web/scripts/ukamf/check-idp-metadata.js
new file mode 100644
index 0000000000..1a3439154e
--- /dev/null
+++ b/services/web/scripts/ukamf/check-idp-metadata.js
@@ -0,0 +1,67 @@
+/*
+  Checks the SAML metadata provided by the IdP.
+  Currently, only checking the valid from and to dates for the certificate
+  Run with: node check-idp-metadata /path/idp-metadata.xml
+*/
+
+const { Certificate } = require('@fidm/x509')
+const _ = require('lodash')
+const moment = require('moment')
+const fs = require('fs-extra')
+const xml2js = require('xml2js')
+
+function checkCertDates(signingKey) {
+  let cert = _.get(signingKey, [
+    'ds:KeyInfo',
+    0,
+    'ds:X509Data',
+    0,
+    'ds:X509Certificate',
+    0,
+  ])
+  if (!cert) {
+    throw new Error('no cert')
+  }
+  cert = cert.replace(/\s/g, '')
+
+  const certificate = Certificate.fromPEM(
+    Buffer.from(
+      `-----BEGIN CERTIFICATE-----\n${cert}\n-----END CERTIFICATE-----`,
+      'utf8'
+    )
+  )
+
+  const validFrom = moment(certificate.validFrom)
+  const validTo = moment(certificate.validTo)
+
+  return {
+    validFrom,
+    validTo,
+  }
+}
+
+async function main() {
+  const [, , file] = process.argv
+
+  console.log('Checking SAML metadata')
+
+  const data = await fs.readFile(file, 'utf8')
+  const parser = new xml2js.Parser()
+  const xml = await parser.parseStringPromise(data)
+
+  const idp = xml.EntityDescriptor.IDPSSODescriptor
+  const keys = idp[0].KeyDescriptor
+
+  const signingKey =
+    keys.length === 1
+      ? keys[0]
+      : keys.find(key => _.get(key, ['$', 'use']) === 'signing')
+
+  const certDates = checkCertDates(signingKey)
+
+  console.log(
+    `SSO certificate is valid from ${certDates.validFrom} to ${certDates.validTo}`
+  )
+}
+
+main()
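Review bot: The signing-key selection in `main` (`keys.find(key => _.get(key, ['$', 'use']) === 'signing')`) misses the common cases it is meant to catch: a `KeyDescriptor` with no `use` attribute is valid for signing under the SAML metadata schema and would be skipped, and an IdP publishing two signing certificates during a rollover only gets its first one checked, so an expired second certificate is never reported. When the lookup finds nothing, `checkCertDates(undefined)` throws `'no cert'`, and because `main()` on the last line is neither awaited nor given a `.catch`, that surfaces as an unhandled rejection rather than a clear non-zero exit on older Node versions, which defeats the purpose of a check script. I would filter to keys whose `use` is absent or `'signing'`, check each of them, and terminate the promise chain with `process.exit(1)` on error. The header comment could also state that the dates are only printed, not compared against the current time, since the file name suggests a pass/fail check.
```javascript
  // A KeyDescriptor without a `use` attribute is valid for signing, and IdPs
  // publish two signing certificates during rollover, so check every candidate.
  const signingKeys = keys.filter(key => {
    const use = _.get(key, ['$', 'use'])
    return use === undefined || use === 'signing'
  })
  if (signingKeys.length === 0) {
    throw new Error('no signing KeyDescriptor in metadata')
  }

  for (const signingKey of signingKeys) {
    const certDates = checkCertDates(signingKey)
    console.log(
      `SSO certificate is valid from ${certDates.validFrom} to ${certDates.validTo}`
    )
  }
}

main().catch(err => {
  console.error(err)
  process.exit(1)
})
```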