pilcrowonpaper / copenhagen

A basic guideline on implementing auth for the web
https://thecopenhagenbook.com
MIT License
1.51k stars 45 forks

Guide: SAML #3

Open pilcrowonpaper opened 9 months ago

pilcrowonpaper commented 9 months ago

Unfortunately I've never implemented SAML before

ptman commented 1 month ago

SAML is terrible. XML with signatures embedded inside the content they are signing. The different normalization modes... It's a gift that keeps on giving... more security issues. Avoid SAML
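The two pain points named in the comment above, a signature embedded inside the element it signs and the choice of normalization (canonicalization) algorithm, as an added illustration that is not part of this thread or of the Copenhagen Book. It verifies the digest side of an enveloped XML signature on a constructed SAML-style assertion and shows what canonicalization does and does not absorb. Assumptions: only the Python standard library is used, so C14N 2.0 (`xml.etree.ElementTree.canonicalize`, Python 3.8+) stands in for the exclusive C14N that real SAML messages name in `CanonicalizationMethod`; the assertion is the document root; the asymmetric signature over `SignedInfo` is omitted because it needs a crypto library. The template, IDs, subjects and helper names (`issue_assertion`, `verify_assertion`, `reserialized`, `rejection_reason`) are all constructed for this example.

```python
"""Enveloped XML-signature digest check over a SAML-style assertion.
Added example (not from this thread or the Copenhagen Book). Assumes the
stdlib only: C14N 2.0 (ElementTree.canonicalize, Python 3.8+) stands in for
the exclusive C14N real SAML names, the assertion is the document root, and
the asymmetric signature over SignedInfo is omitted. All data is constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"ds": DSIG, "saml": SAML}
SIGNATURE_TAG = f"{{{DSIG}}}Signature"  # Clark notation, as ElementTree uses

# Plain C14N keeps prefixes, so keep them stable when ElementTree re-serialises.
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="{aid}" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/10/xml-c14n2"/>
      <ds:Reference URI="#{aid}">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>{digest}</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
</saml:Assertion>"""


def canonical_digest(xml_text: str) -> bytes:
    """Enveloped-signature transform (drop ds:Signature), canonicalise, hash.
    C14N sorts attributes, expands empty tags and normalises whitespace inside
    tags, but keeps whitespace between elements: signer and verifier must run
    the same algorithm over the same element or the digests will not agree."""
    canon = ET.canonicalize(xml_text, exclude_tags=[SIGNATURE_TAG])
    return hashlib.sha256(canon.encode("utf-8")).digest()


def issue_assertion(aid: str, subject: str) -> str:
    """Constructed IdP side: ds:Signature is excluded from the digest, so the
    digest is computed with an empty DigestValue and then filled in."""
    unsigned = ASSERTION_TEMPLATE.format(aid=aid, subject=subject, digest="")
    digest = base64.b64encode(canonical_digest(unsigned)).decode("ascii")
    return ASSERTION_TEMPLATE.format(aid=aid, subject=subject, digest=digest)


def verify_assertion(xml_text: str) -> str:
    """Return the subject of a verified assertion, else raise ValueError.
    The signature is bound to the element being consumed before any content
    of that element is trusted."""
    root = ET.fromstring(xml_text)
    signatures = root.findall(f".//{SIGNATURE_TAG}")
    if len(signatures) != 1:
        raise ValueError("expected exactly one ds:Signature")
    sig = signatures[0]
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise ValueError("Reference must use a same-document ID")
    carriers = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(carriers) != 1:
        raise ValueError("ID must identify exactly one element")
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # Enveloped: the signature sits directly inside the element it covers, and
    # that element must be the assertion whose subject is returned.
    if parent_of.get(sig) is not carriers[0] or carriers[0] is not root:
        raise ValueError("signature does not envelop the consumed assertion")
    expected = base64.b64decode(ref.findtext("ds:DigestValue", "", NS))
    if not hmac.compare_digest(expected, canonical_digest(xml_text)):
        raise ValueError("digest mismatch")
    return root.findtext("saml:Subject/saml:NameID", "", NS)


def reserialized(xml_text: str) -> str:
    """Same infoset, different bytes: ElementTree re-emits attribute order,
    empty elements as <x /> and all xmlns declarations on the root."""
    return ET.tostring(ET.fromstring(xml_text), encoding="unicode")


def rejection_reason(xml_text: str):
    """None if the assertion verifies, otherwise the verifier's reason."""
    try:
        verify_assertion(xml_text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample plus two negative cases a verifier's test suite should hold.
SIGNED = issue_assertion("_c0ffee01", "alice@example.test")
EDITED_SUBJECT = SIGNED.replace("alice@example.test", "someone.else@example.test")
DUPLICATE_ID = SIGNED.replace("<saml:NameID>", '<saml:NameID ID="_c0ffee01">')
```

Running `verify_assertion(SIGNED)` and `verify_assertion(reserialized(SIGNED))` both return `alice@example.test` even though the two byte streams differ, which is the whole reason XML signatures need a canonicalization step; `rejection_reason(EDITED_SUBJECT)` is `digest mismatch` and `rejection_reason(DUPLICATE_ID)` is `ID must identify exactly one element`. The checks run in a deliberate order: first that there is exactly one signature, then that its `Reference` resolves to exactly one element, then that the signature is enveloped inside that element and that element is the one the application is about to trust, and only then the digest. A real verifier additionally validates the signature over `SignedInfo` with the IdP's pinned certificate and must use exactly the canonicalization and transform algorithms listed in the signature, rejecting any it does not expect.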

vpatov commented 1 month ago

SAML is terrible. XML with signatures embedded inside the content they are signing. The different normalization modes... It's a gift that keeps on giving... more security issues. Avoid SAML

SAML certainly has its drawbacks. But avoiding it is akin to sticking your head in the sand - SAML is widely used in enterprise, and I don't see it going anywhere anytime soon. The web could use more high-quality learning resources on SAML, especially for flows that don't go through the typical web browser SSO profile (I needed this recently and couldn't find much useful information online).