When using PKCE the relying party can use JWKS to validate the token instead of talking to the IdP.
Are you suggesting that, that is somehow insecure?
> At the request of the members, the Security Services (SAML) TC has closed.
0: https://news.ycombinator.com/item?id=41056529
There are tons of orgs that have built SSO on SAML so it won't die for a long time, but it's a frozen standard. From my understanding, it's frozen because no one wanted to put in the time to improve it.
OIDC doesn't scale, and OIDC Federation is still in draft. SAML Federation is mature with wide support and good discovery UX thanks to SeamlessAccess.
SAML has a variety of standard attribute bundles, entity categories, frameworks, and profiles covering important integrations, e.g., identity assurance. These are slowly being defined in (or ported to) OIDC.
I like OIDC and think highly of the people working on it, but it's nowhere near as cut and dry as you suggest.
I think... it probably is as cut and dry as I'm suggesting.
The things you just listed sounds like unnecessary complexity that inevitably leads to the “too big standard” problem, where every vendor and id provider has their own half assed, incomplete and incompatible implementation of the standard, or worse - with security bugs. Something quite often seen with SAML.
That’s not to say that oidc or oauth doesn’t have alignment issues. See https://news.ycombinator.com/item?id=35713518 “We implemented OAuth for the 50 most popular APIs. TL;DR: It is still a mess”
Factually incorrect
Frankly I’d suggest the same thing about Okta but as bad as they are whatever you do to avoid them would probably be worse in practice.
"Suffering A Massive Lot" - jk
Let's just say my interaction with managing websites that used SAML was less than pleasant.
My interactions supporting it as both the identity provider & the service provider have lead to me being the SAML person at work, and I'm now very used to people either laughing at my misfortune or giving me pitiful looks.
It combines all the wonderful antipatterns you can name: a protocol where near everything is optional and two standards-compliant implementations can refuse to cooperate in any number of ways, hair raising security decisions (XML-DSIG?! configurable crypto? ughh), and half-baked features (back-channel SLO, anyone?)
It's a Lovecraftian horror that actually makes me appreciate JWTs.
The document is open source: https://github.com/ssoready/docs/pull/55
The "Continue with" buttons that include Microsoft, Google, and Apple, tend to pick up most SMBs without SAML SSO headaches on either side.
Like so:
https://www.xsplit.com/user/auth
https://id.atlassian.com/login
Use an email domain restriction, and you have by and large SSO; the user can only log into your SaaS if the user is an active account at that company.
Storing user passwords yourself is a liability, indirect or direct: https://www.reuters.com/technology/eu-privacy-regulator-fine...
The problem is when you work with smaller shops that don’t have IT departments or worse bad IT departments you’re going to pay a fortune in support costs.
Use an open source identity provider or pay someone to do it for you.
Healthcare, as an industry, is not making decisions based on what constitutes "good engineering", for the most part. There are so many other things I'd burn to the ground that are just ancient, ass-backwards things that the rest of the industry has moved on from, but healthcare clings to. (…IPSec, for example. God I'd like to not have to do double-NAT'ing with providers who don't even understand NAT and just expect me to recognize IP addresses that are only internal to their network and never exposed to me, ever again.)
I tried that with SAML (back then, it didn't require kludgy X.509 thumbprint management in AWS), and I ran away crying after a couple of days trying to understand why it fails.
The incredible overengineering of the XML signature specification is certainly to blame for this recent SAML verification vulnerability (from the same site): https://news.ycombinator.com/item?id=41586031
(Well, used : in luckily no longer in charge of an IdP with a bespoke SAML implementation so I don’t need to deal with this crap anymore!)
I intend to work on it further once my kid is… well, a little less of a toddler. :)
> As well in "HTTP Redirect Binding" or "HTTP POST Binding", The RelayState value MUST NOT exceed 80 bytes
From https://docs.oasis-open.org/security/saml/v2.0/saml-bindings...
At FusionAuth, we have an open issue for this: https://github.com/FusionAuth/fusionauth-issues/issues/2467 which you can read for more details.
SAML is full of these kinds of gotchas. We have an open source library which provides Java SAML bindings: https://github.com/FusionAuth/fusionauth-samlv2
FWIW, the for library I work on -- github.com/ssoready/ssoready -- we sidestepped this issue by simply not using SAML RelayState at all under the hood. Between the fact that it's vulnerable to attacker manipulation, and the size limits, it's not worth the pain. We just implement SAML RelayState / OAuth `state` via good old database persistence.
> We just implement SAML RelayState / OAuth `state` via good old database persistence.
I'm not sure I understand how this helps. You still need to support the parameter so that folks can pass information through the login state (for deeplinking, among other use cases). Which means you still need to process it and therefore are committed to either being noncompliant with the spec or providing functionality that is limited to 2005 sensibilities.
What am I missing?
What I have in mind - I'd say only very small population understand that OIDC / Oauth(orization) is about granting access to a service to access your data. Meaning once you have approved service (lets say Dropbox), now Dropbox can access your data on your google account (this of course depends what exactly dropbox asked and if you clicked on "approve", but most people do click as they want to login to Dropbox via their Google account).
SAML is better, as it can be defined at Google side what data is being sent to DropBox when Single Sign On happens and DropBox cannot access your google data as it sees fit.
SAML ain't perfect either because there's no practical way to "sign me out everywhere"
OIDC is far preferable to SAML, but the last time I touched this, half the reason why customers preferred SAML was because their IdP supported SCIM but only for SAML applications.
And yeah, you're right -- Okta, for example, doesn't let you add SCIM to an OIDC application. It's unfortunate -- there's no deep technical reason you can't mix OIDC and SCIM -- but it is the world we live in.
The "just" makes it sound like this is a minor point. This is a huge point. Enterprises are forced by their customers and regulators to show that terminated employees lose access immediately. There are two ways to make that happen: force everything to flow through a VPN, and SCIM. Most SaaS providers do not support IP allowlisting needed to enforce that all traffic flows through the VPN, and the only alternative to enforce that user sessions are terminated immediately is if the SaaS keeps sessions in a database and those sessions are revoked as part of SCIM. Otherwise the sessions could continue to be valid for days or even longer, presenting a risk of allowing terminated employees to wreck untold havok.
Is it just me or is anybody else going 'the fuck did I just read?' here? It's... incredibly condescending?
N. a complicated or unpleasant situation from which it is difficult to extricate oneself.
Indeed.
> You care about supporting SAML because your customer wants your product to support SAML. This is sound reasoning on your part. But why does your customer want SAML support?
> One click to login: why your users like SAML
What? No, the users don't know about SAML.
Anyways, no, users don't like SAML. OIDC has a much nicer UX.
