openid / ipsie

OpenID IPSIE Working Group Repository

SAML Gap Analysis #4

Open timcappalli opened 2 days ago

timcappalli commented 2 days ago

Based on the discussion on yesterday's call, let's use this issue to start tracking down some technical reasons why SAML may be preferred over OIDC in some deployments.

aaronpk commented 2 days ago

IdP-initiated login

The biggest feature of SAML I hear as an argument for it over OIDC is IdP-initiated login. While it works in OIDC in a technically different way than in SAML, it is a feature described in OIDC here.

aaronpk commented 2 days ago

To reiterate what I said in the call: while there are certainly some ways to use OIDC in a way that is less secure than SAML, I want to identify all those gaps, and write language into the IPSIE profile of OIDC that makes it so only the secure ways of doing OIDC are allowed in IPSIE.

sakimura commented 2 days ago

Hi.

Since I was not in the call, I am lacking the context so might be completely off but OIDC's choice is not LESS secure, but is MORE secure. The SAML way of doing IdP Initiated login is prone to XSRF and is FAL1 in SP800-63-4 2pd.

-- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
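As an added illustration of the point made in the two comments above (that OIDC's form of IdP-initiated login differs technically from SAML's, and that the SAML form is exposed to cross-site request forgery), here is a hypothetical RP-side handler for OpenID Connect third-party-initiated login. It is example code written for this thread, not code from the IPSIE repository or from any of the commenters. The issuer configuration, client id, origins and endpoints are constructed placeholders. The point it shows: the IdP only sends hints to the RP's `initiate_login_uri`; the RP then starts its own authorization request with a fresh `state` and `nonce` bound to the browser session, and later accepts only a response that matches that request. A small contrast helper shows why an SP that accepts a SAML Response with no `InResponseTo` cannot perform the same binding.

```python
"""Hypothetical OIDC RP handlers for third-party-initiated login (example code for this thread)."""
import secrets
from urllib.parse import urlencode, urlparse

# Constructed configuration: the only issuers this RP will accept login hints from.
TRUSTED_ISSUERS = {
    "https://idp.example.com": {  # placeholder issuer
        "authorization_endpoint": "https://idp.example.com/authorize",
        "client_id": "rp-client-id-placeholder",
    },
}
RP_ORIGIN = "https://rp.example.org"  # placeholder RP origin
REDIRECT_URI = RP_ORIGIN + "/callback"


class LoginError(Exception):
    """Raised when a login request or response fails validation."""


def _same_origin(url: str, origin: str) -> bool:
    """True when url shares scheme, host and port with origin."""
    u, o = urlparse(url), urlparse(origin)
    return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)


def handle_initiate_login(params: dict, session: dict) -> str:
    """Handle a GET to the RP's initiate_login_uri (OIDC Core, third-party-initiated login).

    The caller (an IdP portal, for example) only supplies iss, login_hint and
    target_link_uri. Nothing here logs the user in: the RP builds its own
    authorization request with fresh state and nonce, stored in the browser
    session, and returns the URL to redirect to.
    """
    iss = params.get("iss")
    if iss not in TRUSTED_ISSUERS:
        raise LoginError("unknown or missing issuer")
    cfg = TRUSTED_ISSUERS[iss]

    # The RP must check target_link_uri so the endpoint is not an open redirector.
    target = params.get("target_link_uri") or RP_ORIGIN + "/"
    if not _same_origin(target, RP_ORIGIN):
        raise LoginError("target_link_uri is not on this RP")

    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session.update(
        oidc_state=state, oidc_nonce=nonce, oidc_issuer=iss, post_login_target=target
    )

    query = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if params.get("login_hint"):
        query["login_hint"] = params["login_hint"]
    return cfg["authorization_endpoint"] + "?" + urlencode(query)


def handle_callback(params: dict, session: dict) -> str:
    """Accept an authorization response only if it matches the request this session started."""
    expected = session.pop("oidc_state", None)
    if expected is None or not secrets.compare_digest(expected, params.get("state", "")):
        raise LoginError("state mismatch: response is not bound to a request from this session")
    if "code" not in params:
        raise LoginError("missing authorization code")
    # Optional iss response parameter (RFC 9207): if present it must match the stored issuer.
    if params.get("iss") is not None and params["iss"] != session.get("oidc_issuer"):
        raise LoginError("issuer mismatch")
    # Token exchange and the ID Token nonce check would follow here (omitted).
    return session.pop("post_login_target")


def saml_response_is_solicited(in_response_to, outstanding_request_ids) -> bool:
    """Contrast: an SP can bind a SAML Response to its own AuthnRequest only via InResponseTo.

    An IdP-initiated (unsolicited) Response carries no InResponseTo, so an SP that
    accepts it has no request of its own to bind the login to.
    """
    return in_response_to is not None and in_response_to in outstanding_request_ids
```

In this shape the IdP never hands the RP a finished assertion; it only nudges the RP into starting a normal, RP-initiated flow, which is why the response can be checked against a `state` the RP itself minted for that browser session.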

aaronpk commented 2 days ago

Sorry for the confusion Nat, my two comments here are unrelated. I agree that OIDC's IdP-initiated login is more secure than SAML's. However it was brought up on the call that there are some other ways in which SAML is more secure than some configurations of OIDC, so I want to identify that list so we can make sure to exclude the less-secure options from the OIDC profile.

sakimura commented 2 days ago

Having a concrete example would be very good; we could probably retire the feature.

sbroddy commented 2 days ago

IdP initiated login to SAML resources has long been frowned on, despite various vendors' encouragement of the practice. Just one of a multitude of references: link

In my ecosystem, it is rarely used, but on occasion there are RPs that for whatever reason cannot support SP initiated. One particular time reporting system comes to mind, though this has been resolved in later versions of their application.

In my biased opinion, we should not be encouraging IdP initiated SAML today if there is any concern over security.

Back to the original start of this issue, I operate in a SAML federation with >1,000 enterprises, ~700 IdPs, and >6,000 RPs/SPs. And that's before I include my international SAML federation (order of 6,000 IdPs and ~80 interfederated federations). Expecting this number of enterprises and resources to pivot in any near term timeframe is not really reasonable. A pivot of this sort would be akin to IPv4 to IPv6 migrations.

aaronpk commented 2 days ago

I appreciate the migration challenge issue, but setting that aside, I was hoping to learn more about the technical features of SAML that lead it to be preferred over OIDC.

sbroddy commented 2 days ago

I don't know enough about OIDC to effectively weigh in here, but I'm sure there are significant gaps between the two as SAML is used in my ecosystem, and at the scale at which we use it. I'm starting some of these gap conversations amongst colleagues and may have more to weigh in here in the future.