This 'certs' folder must never be published.

Alternatives:

1. Using the .htaccess if the AllowOverride at your Apache Server is active

2. Add a Directory at your Apache server:

<Directory /<path-to-onelogin-saml-sso-plugin>/php/certs
    Order deny,allow
    deny from all
    Options -Indexes
</Directory>