
Is SAML any better?


Absolutely not. Read the specs [0] there as well if you truly want to know. XML canonicalization is a special kind of hell that I've done once and wish to never do again. And the enveloped signatures of xmldsig are also pretty complicated to get right. And it's a wild west as to how the specs are implemented on RPs and IDPs alike (more so, in my experience, than OIDC by a long shot).

[0] https://www.oasis-open.org/standard/saml/ or https://saml.xml.org/saml-specifications
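The canonicalization and enveloped-signature pain this comment refers to, shown as an added illustration (not code from the thread or from any SAML library). It assumes Python's stdlib C14N 2.0 implementation stands in for the C14N 1.0 / Exclusive C14N that xmldsig usually specifies; the assertion fragments and the signature value are constructed sample data.

```python
"""Added illustration: why xmldsig cannot hash raw XML bytes and needs C14N."""
import hashlib
from xml.etree.ElementTree import canonicalize

# Assumption: stdlib canonicalize() (C14N 2.0) stands in for the C14N 1.0 /
# Exclusive C14N variants real xmldsig deployments use; the failure mode is the same.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def raw_digest(xml_text: str) -> str:
    """Naive approach: hash the bytes exactly as they arrived on the wire."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()

def canonical_digest(xml_text: str, enveloped: bool = False) -> str:
    """Hash the canonical form. With enveloped=True the ds:Signature element is
    removed first, which is what the enveloped-signature transform does so that
    the signature does not have to cover itself."""
    exclude = {f"{{{DSIG_NS}}}Signature"} if enveloped else None
    canon = canonicalize(xml_text, exclude_tags=exclude)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

# Constructed sample: one assertion, two serialisations. Attribute order, quote
# style, a comment and empty-element syntax differ; the XML infoset does not.
ASSERTION_A = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_id1" Version="2.0">'
    '<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>'
    '<saml:Conditions/></saml:Assertion>'
)
ASSERTION_B = (
    f"<saml:Assertion Version='2.0' ID='_id1' xmlns:saml='{SAML_NS}'>"
    "<!-- re-serialised by a different XML library -->"
    "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
    "<saml:Conditions></saml:Conditions></saml:Assertion>"
)
# The same assertion with a placeholder enveloped signature appended (constructed).
SIGNED_A = ASSERTION_A.replace(
    "</saml:Assertion>",
    f'<ds:Signature xmlns:ds="{DSIG_NS}"><ds:SignatureValue>c2lnbg==</ds:SignatureValue>'
    "</ds:Signature></saml:Assertion>",
)
TAMPERED = ASSERTION_A.replace("alice@example.com", "admin@example.com")

if __name__ == "__main__":
    print("raw bytes agree:      ", raw_digest(ASSERTION_A) == raw_digest(ASSERTION_B))  # False
    print("canonical forms agree:", canonical_digest(ASSERTION_A) == canonical_digest(ASSERTION_B))  # True
    print("enveloped == unsigned:", canonical_digest(SIGNED_A, enveloped=True) == canonical_digest(ASSERTION_A))  # True
    print("tamper detected:      ", canonical_digest(TAMPERED) != canonical_digest(ASSERTION_A))  # True
```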


(I know, agreed. Rhetorical.)


SAML is much, much worse than OIDC.

https://news.ycombinator.com/item?id=28080553


No. I think SAML(/Shibboleth) was a big influence on OAuth2 (?) and is probably the source of most of what ails OAuth2.


Give it a try and try to come back with your sanity intact. I dare you :)

It's a mess.


Having just updated a project to use a newer version of the OpenSAML libs, this x1000. How something so fundamental can be so badly implemented (and documented!) is just mind-blowing.



