I don't disagree with you that it's a crappy situation. A lot of SaaS providers do LDAP/AD sync so you can authz off of groups and do automatic revocation. Enterprise integrations suck exactly because of these kinds of things. While adding a key per SP may get you further down the authz path, it doesn't solve the revocation part and also doesn't provide a way to do more advanced authz. The natural evolution of an app that will authorize access to a subset of users will be to add roles for users, giving them different privileges, and then you're back to a custom authz protocol.