undefined | Better HN

0 pointsswaptr1y ago0 comments

Interesting. How do you analyze if a SSO implementation is good or not?

0 comments

7bit1y ago

Check if they follow the specs. Especially with SAML, I've found many, many implementations that are just broken. Such es logging a user out of the IdP after idling, when they should just revoke the session for their SP.

Another good one is when they INSIST on using an email address for the name-id. These things change, so let me PLEASE use an immutable I'd ... That's already close to not getting accepted because it invites problems.

Another one being Auto-Provision ing not being implemented, needing an additional user sync. This also contributes to not getting accepted.

If an SP does not implement certificate rollover, it's getting an Instant NO!

But to be fair, Microsoft's IdP side has some flaws as well, which is annoying.

ezekg1y ago

And people complain about an SSO tax...

7bit1y ago

Rightfully so.

j / k navigate · click thread line to collapse

0 comments

7bit1y ago

Another one being Auto-Provision ing not being implemented, needing an additional user sync. This also contributes to not getting accepted.

If an SP does not implement certificate rollover, it's getting an Instant NO!

But to be fair, Microsoft's IdP side has some flaws as well, which is annoying.

ezekg1y ago

And people complain about an SSO tax...

7bit1y ago

Rightfully so.

j / k navigate · click thread line to collapse