SAML: A Technical Primer

218 pointsposted a year ago
by noleary
(ssoready.com)

99 Comments

tptacek

a year ago

This is a very weird page, as it seems to suggest that SAML is the only way to do single sign-on integration with IdPs like Okta. But modern systems all do OIDC, which is what you should do. You need a much better reason to support SAML than "the CISO wants it so they can use Okta", because the CISO can (and should) just use OIDC.

ralala

a year ago

OIDC is better when using the authorization code flow because it does not only rely on cryptography while validating the token. The relying party needs to talk to the IdP. This is better from a security perspective, because past vulnerabilities have shown, that implementing the cryptography right in every relying party is challenging. You can achieve similar security with SAML when using the artifact binding. Note: I work professionally with Keycloak and also offer reviews of OIDC and SAML implementations.

tptacek

a year ago

I don't think artifact binding really addresses many of the issues people are talking about when they suggest OIDC is categorically more secure than SAML.

ralala

a year ago

OIDC is newer and many of the issues with SAML were addressed in the architecture. However I’m curious to hear which attack vectors you are thinking about.

tptacek

a year ago

Most obviously, the precarity of XMLDSIG.

ralala

a year ago

This is where artifact binding can greatly increase the security….

Browser sends artifact to RP, RP fetches assertion from IdP via HTTPs, afterwards verifies the signature.

Signature verification is not implemented correctly? The attacker still needs to break HTTPS…. And then you would have a big problem anyway.

tptacek

a year ago

A common pattern of SAML vulnerability is one that allows logins from one org access to resources of another org, which is not mitigated by trusting IdP's.

xnyan

a year ago

SAML is an unfortunate a necessity in most enterprise environments. There’s almost always something, usually more than one, where SAML is the only option. I do think in 2024, everyone should also offer SAML alternatives in parallel .

deathanatos

a year ago

Sure, but that would arise because you've followed the advice in the article.

If you're a relying party, and you want to integrate with Okta, Google, other OIDC-supporting IdPs … implement OIDC!

If you're on the RP side and you have to integrate with an IdP that only speaks SAML and not OIDC, well, then you're probably out of luck and just have to make the call: is it worth the business? Maybe it is. Then you implement SAML.

victor106

a year ago

> because it does not only rely on cryptography while validating the token

When using PKCE the relying party can use JWKS to validate the token instead of talking to the IdP.

Are you suggesting that, that is somehow insecure?

unscaled

a year ago

PKCE (specifically the S256 method, but that's the one that you're supposed to implement in almost all cases) is by itself a cryptographic method, but there are few points to note here:

1. PKCE relies on very simple cryptography that is hard to implement incorrectly. There is only is only one protocol defined (SHA-256), and that protocol is considered safe. Allowing the "plain" protocol in the RFC was silly, but we were lucky that the RFC writers didn't go full bonkers like they did with JWT, and started digging up ancient ciphers in case someone really wants to run PKCE on a WW2 vintage Enigma machine. In short, PKCE has no weird or old cryptography.

2. PKCE is not considered mandatory or even recommended for confidential clients prior to OAuth 2.1 (which is still a draft). It is rarely implemented in these cases.

3. You cannot use JWKS for PKCE. I believe you are confusing PKCE with the ID Token, but the GP was specifically talking about the Authorization Code flow, where the ID Token doesn't really matter. If you're using that flow an unfortunate piece of over-engineered industrial waste[1], but if you're using the Authorization Code flow it doesn't matter: even if the ID Token is completely broken, it cannot hurt you, since you must have a correct authorization code to get it in the first place.

4. Even if PKCE itself gets broken somehow (the main risk being an IdP that allows downgrade attacks), this only makes the protocol vulnerable to CSRF on confidential clients. Only on public clients that rely on custom URL schemes (such as native apps), this can lead to a more serious exploit.

[1] Sadly, this is coming from the same people who wrote the PKCE spec. On one hand they think your system might be too constrained to support SHA-256, so we need to add the "plain" algorithm, but on the other hand, they make RSA signatures (including SHA-256!) a mandatory part of the Open ID Connect spec through this totally unnecessary token.

admax88qqq

a year ago

They are suggesting that it’s easy to make mistakes when writing the JWT auth code as opposed to just talking to the IdP using TLs

mooreds

a year ago

Another thing to mention, as I have in the past[0], is that SAML is frozen in time and will no longer be updated. The link in that HN post has TLS errors now, but it says:

> At the request of the members, the Security Services (SAML) TC has closed.

0: https://news.ycombinator.com/item?id=41056529

There are tons of orgs that have built SSO on SAML so it won't die for a long time, but it's a frozen standard. From my understanding, it's frozen because no one wanted to put in the time to improve it.

xenophonf

a year ago

> just use OIDC

OIDC doesn't scale, and OIDC Federation is still in draft. SAML Federation is mature with wide support and good discovery UX thanks to SeamlessAccess.

SAML has a variety of standard attribute bundles, entity categories, frameworks, and profiles covering important integrations, e.g., identity assurance. These are slowly being defined in (or ported to) OIDC.

I like OIDC and think highly of the people working on it, but it's nowhere near as cut and dry as you suggest.

tptacek

a year ago

I don't know a lot of security engineers that agree, and while (as a SAML implementor) I have my own opinion, "don't do new SAML implementations" is mostly me parroting what I think is the consensus.

I think... it probably is as cut and dry as I'm suggesting.

Too

a year ago

What about OIDC does not scale?

The things you just listed sounds like unnecessary complexity that inevitably leads to the “too big standard” problem, where every vendor and id provider has their own half assed, incomplete and incompatible implementation of the standard, or worse - with security bugs. Something quite often seen with SAML.

That’s not to say that oidc or oauth doesn’t have alignment issues. See https://news.ycombinator.com/item?id=35713518 “We implemented OAuth for the 50 most popular APIs. TL;DR: It is still a mess”

nmadden

a year ago

This cuts both ways. The last major revision of SAML predates the iPhone by several years. Things like PKCE, which are essential for security on mobile devices and in other cases don’t exist at all in SAML, yet the same attack vectors apply (plus a boatload more).

7bit

a year ago

> But modern systems all do OIDC

Factually incorrect

stouset

a year ago

If your CISO wants to use SAML for anything, fire your CISO.

Frankly I’d suggest the same thing about Okta but as bad as they are whatever you do to avoid them would probably be worse in practice.

paulddraper

a year ago

I gather that you've fired every CISO you've ever had.

stouset

a year ago

If I’d been in a position to, I would have. Except for Sam Quigley who was the fucking best.

NewJazz

a year ago

Do you mean chooses it over OIDC, or even when a product can only do SSO via SAML?

pmontra

a year ago

Surprisingly the page doesn't explain the meaning of SAML. It's Security Assertion Markup Language https://en.wikipedia.org/wiki/Security_Assertion_Markup_Lang...

nocman

a year ago

Oh, I thought it stood for:

"Suffering A Massive Lot" - jk

Let's just say my interaction with managing websites that used SAML was less than pleasant.

thrwaway1985882

a year ago

> Let's just say my interaction with managing websites that used SAML was less than pleasant.

My interactions supporting it as both the identity provider & the service provider have lead to me being the SAML person at work, and I'm now very used to people either laughing at my misfortune or giving me pitiful looks.

It combines all the wonderful antipatterns you can name: a protocol where near everything is optional and two standards-compliant implementations can refuse to cooperate in any number of ways, hair raising security decisions (XML-DSIG?! configurable crypto? ughh), and half-baked features (back-channel SLO, anyone?)

It's a Lovecraftian horror that actually makes me appreciate JWTs.

davewritescode

a year ago

I was also the SAML person at one point in my career and I 100% agree. I used to laugh at all the HN criticisms of JWT because of how much of a nightmare SAML is.

stouset

a year ago

Cthulhu does not appreciate being associated with this.

emj

a year ago

Do you renew the certificates used to distribute the public keys in SAML metadata, and if so why do you do it? I have had a hard time convincing people it is useless to renew those certs and have yet to find an implementation that care about those certificates.

terom

a year ago

Renewing the certificates seems technically pointless, but some organizations/federations require it.

Rotating the keys would make some sense, but just swapping the cert for a new one issued against the same keys doesn't. It's the easiest way to fulfill those requirements, because you don't need to synchronize the metadata updates, the signatures are always valid with both the old and new cert.

emj

a year ago

Make senses, most bigger federations do not bother with this luckily for us it is just specific idps.

> synchronize the metadata updates

Sadly I know many implementations that do not handle key changes in the metadata in a smooth way. The two SPs I have from Adobe both require manual updating of one key per idp, making a switch pain to synchronize.

thrwaway1985882

a year ago

All my x509s for SAML signing are self-signed, and all my self-signed certs live for 9999 days and I plan to let someone else figure out the fallout from that as I'm going to be /retired/. No one has ever really complained. Some IdPs I've integrated with use certificates that are signed by public CAs and it's always a hassle because the ergonomics around it are terrible.

IMO, I think rotation is wildly useless too. It might make sense in a world where my signing certificate was decoupled from the metadata someone else has to very likely load by hand.

robertlagrant

a year ago

Yes, JWTs are so simple compared to what came before that it's hard to argue with them. Just make sure your verification doesn't allow none or old ciphers and you're basically fine.

Terretta

a year ago

(S)uggest (A)lternative (M)odern (L)ogin: OIDC/Oauth2 ?

The "Continue with" buttons that include Microsoft, Google, and Apple, tend to pick up most SMBs without SAML SSO headaches on either side.

Like so:

https://www.xsplit.com/user/auth

https://id.atlassian.com/login

Use an email domain restriction, and you have by and large SSO; the user can only log into your SaaS if the user is an active account at that company.

Storing user passwords yourself is a liability, indirect or direct: https://www.reuters.com/technology/eu-privacy-regulator-fine...

davewritescode

a year ago

As someone who worked at a very large SaaS company this is a good recommendation if the vast majority of your customers come from large enterprises with competent IT departments.

The problem is when you work with smaller shops that don’t have IT departments or worse bad IT departments you’re going to pay a fortune in support costs.

Use an open source identity provider or pay someone to do it for you.

Terretta

a year ago

I'd argue you're half right.

Yes, it is a good recommendation if the customers have an IT Department.

But I'd argue you're missing the other half.

It's an even better recommendation if the customer is using M365, Google Workspaces, or Apple Business Manager, without an IT Department, since they don't need an IT Department at all to get effectively the same benefit as SSO.

After your initial setup to accept OIDC as the SaaS or PaaS, neither you nor the customer have to do an "integration" to support additional customers of Microsoft, Google, or any other OIDC provider you add. You could let your customer validate an email domain to ensure their sign-ins are theirs, but other than that, once you support OIDC with their provider, nobody has to do anything.

Something on the order of 80% of SMB in the U.S. are on O365/M365 by some measures, and judging from startups here, every tech startup thinks everyone's on Google Workspaces like they are, so that's the other 80%. :-) Toss in socials if you are B2C instead of B2B, and of course Apple IDs if you are targeting users by "wallet share".

You get the key benefit of SSO while your clients do not need to integrate one by one. And...

> Use an open source identity provider or pay someone to do it for you.

Or, don't do that effort at all, use what's baked in and just take the win.

user

a year ago

[deleted]

politelemon

a year ago

Thanks, I had wondered about that, though I was certain that the S didn't mean simple.

mirekrusin

a year ago

Everybody who worked with it knows that S stands for Shitty.

recursive

a year ago

Everyone in here is saying SAML is dead and long live OIDC. The company I work for has SAML support, but not OIDC. As far as I understand it, all the customers are asking for SAML. I've never heard a request for SAML. This is in the health care sector.

deathanatos

a year ago

I also work in healthcare. There are some entities out there doing OIDC, but SAML is pretty popular, unfortunately.

Healthcare, as an industry, is not making decisions based on what constitutes "good engineering", for the most part. There are so many other things I'd burn to the ground that are just ancient, ass-backwards things that the rest of the industry has moved on from, but healthcare clings to. (…IPSec, for example. God I'd like to not have to do double-NAT'ing with providers who don't even understand NAT and just expect me to recognize IP addresses that are only internal to their network and never exposed to me, ever again.)

surfpel

a year ago

I implemented SAML SSO for Django at my prev company about a year ago. I procrastinated for a few months and by the time I implemented it, the whole company started retiring it in favor of OIDC. I was about to do that too but I quit right before. Looked much easier to do OIDC with Django. Seemed like SAML was on the way out in general, even Django extensions weren’t prioritizing it and information resources for implementing SAML weren’t great. Long live OIDC I guess.

paulddraper

a year ago

Anyone who thinks OIDC is way easier than SAML has never implemented OIDC (or SAML).

cyberax

a year ago

I have implemented the server-side of OIDC to support the single sign-on for AWS account management. It was a breeze, around 200 lines of Go code.

I tried that with SAML (back then, it didn't require kludgy X.509 thumbprint management in AWS), and I ran away crying after a couple of days trying to understand why it fails.

pdq

a year ago

I investigated both and implemented OIDC. It was difficult, but compared to the SAML and XML complexity, I'd say it was much easier.

paulddraper

a year ago

XML is marginally more complicated than JSON: attributes and namespaces.

Apples to apples, is it's not much different. XSD is just as complex as JSONSchema.

Verbose? Sure.

But people love XML so much, they invented JS-and-XML (JSX). :shrug:

unscaled

a year ago

The problem is not XML by itself. XML adds a considerable amount of complexity to JSON[1] and when writing security-oriented software complexity matters quite a bit[2]. But this is still a level of complexity that can be managed. Most other XML-based protocols aren't as bad as SAML.

No, the main problem with SAML is that it relies on XML Signatures (XMLDSig). And the main problem with XML Signatures is that the signature needs to be embedded inside the XML it's signing, instead of being attached to it, like every other signature standard on the planet.

[1] The added complexity is not just attributes and namespace, but also entities, DTD and processing instructions. If you want even the most basic type checking, XML schema becomes mandatory. This is important, since JSON doesn't need a schema for handling basic types, and in fact OAuth 2.0 and Open ID Connect do not rely on JSON Schema at all.

[2] See the OWASP cheatsheet for all the ways accepting XML input from the internet can put your application in danger: https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_...

No equivalent document exists for JSON.

osigurdson

a year ago

XML=JSON=YAML=TDL (tree describing language)

user

a year ago

[deleted]

paulddraper

a year ago

> If you want even the most basic type checking, XML schema becomes mandatory. This is important, since JSON doesn't need a schema for handling basic types

Huh?

> the main problem with SAML is that it relies on XML Signatures (XMLDSig). And the main problem with XML Signatures is that the signature needs to be embedded inside the XML it's signing, instead of being attached to it, like every other signature standard on the planet.

You are correct that is the hardest part of SAML, but to be clear, there's a SignatureValue element that is separate from SignedInfo.

And you can use a library to sign. I don't see many implementing their own JWT signatures either.

user

a year ago

[deleted]

user

a year ago

[deleted]

jcrites

a year ago

Could you elaborate? I'm interested.

fabian2k

a year ago

If the customer is using an identity provider like Microsoft Entra, is there any reason not to just use OIDC instead of SAML?

tptacek

a year ago

No. If you can use OIDC, you should do so; in fact, if you can't use OIDC, you should consider rearchitecting so that you can. SAML is that bad.

fabian2k

a year ago

That was my understanding and also my plan, but it does not seem feasible to force this as the vendor of the software. If the customer says they need SAML at some point the business side will require that it is implemented. I do want to try and get as far with only OIDC as possible, but I am a bit worried that some larger customer might just bulldoze through because they only want SAML. Might be much more likely for on premise cases, if you're in the cloud you probably use an identity provider that supports OIDC already.

tptacek

a year ago

We've managed to hold the line on OIDC so far. So has Tailscale. If Tailscale can hold the line, given who they're selling to, I think most orgs can. Really, try to avoid doing SAML. Remember, as a vendor, you're often competing with companies that don't do real SSO integration at all.

At the very least: if I was ever to do SAML, I would rip your face off in the pricing for it.

mwcampbell

a year ago

If by "we" you mean Fly, can you tell me if Fly happens to be implementing OIDC (or reusing a third-party implementation) in Elixir, Ruby, or another language? I'm curious about what Fly in particular is using because I know that Fly has invested pretty substantially in Elixir and Phoenix in particular, and I've got a Phoenix app where I want to implement OIDC. We previously implemented SAML by literally using Shibboleth SP. Thanks.

xyzzy_plugh

a year ago

There's a surprisingly long line of folks who would gladly get their face ripped off for SAML. In my experience, it's worth it.

bitexploder

a year ago

Lol, yeah, having SAML means putting XML parsing into critical security points. No thanks.

poincaredisk

a year ago

Is it that different from parsing JSON? A honest question, what's the difference? Billion laughs attacks and similar?

tptacek

a year ago

It's not just XML formatting; it's bizarro stuff like XML canonicalization and comments, and it's in a signature format. It really might be the worst mainstream cryptosystem in the entire industry.

Jerrrrrrry

a year ago

A computer scientist would say they have identical parsing complexity, so not much.

A computer programmer wouldn't even know where to begin, as the chesterton's fence had long been rejustified

bitexploder

a year ago

But it’s not true in practice. Pure simple XML vs JSON sure. XML you deal with in SAML has tons of extra things like namespaces, canonicalization issues, etc. it is way more complex and has led to many security issues over the years.

Jerrrrrrry

a year ago

I had originally quoted

  "in theory, it's easy in practice. in practice, its easy in theory"
But I thought scientist vs. programmer would be literally analogous and rivet more finches.

bitexploder

a year ago

Yeah, see the other replies in here. It is just a mess of ancient cruft and unclear implementation guidelines.

robmccoll

a year ago

Even better: XML signatures, which are very easy to get wrong in both signing and verification.

bitexploder

a year ago

Yeah, it is a gross morass of pain and cruft and unclear implementation for devs.

galdor

a year ago

Microsoft Entra having first class support for OIDC really helps; I remember seeing a decision diagram in their documentation recommending using OIDC for new projects, it can help negotiating. Google Workspace also works just fine with OIDC, and so does Okta.

I've been told that the only source of problems is going to be companies using Shibboleth, even though there seems to be an OIDC plugin.

ned_at_codomain

a year ago

Yeah, SAML will probably fade away (slowly). And sometimes, you might be able to convince the customer just to use OIDC.

But human behavior change is hard and expensive. For the most part, it's just easier to give the customer what they're asking for / what they expect, even when you know they're wrong.

When you're trying to push an enterprise deal over the finish line, this is often just not a good enough reason to introduce friction with your buying committee.

And if you have to support SAML for one stubborn customer eventually, you might as well support SAML for all customers that really want it.

userbinator

a year ago

Cryptographically authenticating SAML assertions is the most perilous part of implementing SAML

The incredible overengineering of the XML signature specification is certainly to blame for this recent SAML verification vulnerability (from the same site): https://news.ycombinator.com/item?id=41586031

1270018080

a year ago

Since we're here, I hope someone creates another all encompassing SP/IDP emulator like samltest.id used to until the owner stopped paying. That made my life so much easier as a developer when SAML stuff came up. No one else has come close.

ucarion

a year ago

I'm working on that at the instant (I wrote this article). Sadly the samltest.id squatter wants at least $15k, super lame. dummyidp.com it is!

loloquwowndueo

a year ago

I use this one https://sptest.iamshowcase.com/

(Well, used : in luckily no longer in charge of an IdP with a bespoke SAML implementation so I don’t need to deal with this crap anymore!)

ucarion

a year ago

FWIW back in the day, samltest.id was a dummy IDP, whereas sptest.iamshowcase.com is a dummy SP. You could hook these two up to each other and see the whole flow.

mooreds

a year ago

Also worth noting that per the spec, the RelayState can only be 80 bytes.

> As well in "HTTP Redirect Binding" or "HTTP POST Binding", The RelayState value MUST NOT exceed 80 bytes

From https://docs.oasis-open.org/security/saml/v2.0/saml-bindings...

At FusionAuth, we have an open issue for this: https://github.com/FusionAuth/fusionauth-issues/issues/2467 which you can read for more details.

SAML is full of these kinds of gotchas. We have an open source library which provides Java SAML bindings: https://github.com/FusionAuth/fusionauth-samlv2

ucarion

a year ago

Yeah, I didn't even mention the other bindings (HTTP-Redirect, Artifact, etc.) because they're not widely supported. Only SAML's HTTP-POST binding enjoys "every IDP supports this exact protocol" status.

FWIW, the for library I work on -- github.com/ssoready/ssoready -- we sidestepped this issue by simply not using SAML RelayState at all under the hood. Between the fact that it's vulnerable to attacker manipulation, and the size limits, it's not worth the pain. We just implement SAML RelayState / OAuth `state` via good old database persistence.

mooreds

a year ago

We've found some usage of http-redirect and support it. But we've gotten requests for Artifact and other more esoteric features (encrypted assertions). It's definitely an example of the 80/20 rule.

> We just implement SAML RelayState / OAuth `state` via good old database persistence.

I'm not sure I understand how this helps. You still need to support the parameter so that folks can pass information through the login state (for deeplinking, among other use cases). Which means you still need to process it and therefore are committed to either being noncompliant with the spec or providing functionality that is limited to 2005 sensibilities.

What am I missing?

ucarion

a year ago

What I'm saying is you can implement the functionality of the parameter -- i.e., arbitrary data that survives a round-trip through a SAML login -- without literally using RelayState.

For example, the ID of a SAML `AuthnRequest` always gets echoed back to you in the SAML `Response`. So you can use that as an opaque identifier. You store ID/state pairs in the database when you start SAML logins, and look them back up when the assertion comes back to you. Basically, that's what we do on behalf of our customers.

It's a bit more work for us to implement, but it gives SSOReady customers the "deeplinking" functionality without the weird caveats that RelayState carries.

ratiolat

a year ago

I really wish that OIDC / Oauth(orization) would be less confusing from user experience and security perspective.

What I have in mind - I'd say only very small population understand that OIDC / Oauth(orization) is about granting access to a service to access your data. Meaning once you have approved service (lets say Dropbox), now Dropbox can access your data on your google account (this of course depends what exactly dropbox asked and if you clicked on "approve", but most people do click as they want to login to Dropbox via their Google account).

SAML is better, as it can be defined at Google side what data is being sent to DropBox when Single Sign On happens and DropBox cannot access your google data as it sees fit.

SAML ain't perfect either because there's no practical way to "sign me out everywhere"

solatic

a year ago

No reference to SCIM?

OIDC is far preferable to SAML, but the last time I touched this, half the reason why customers preferred SAML was because their IdP supported SCIM but only for SAML applications.

ucarion

a year ago

That's a very fair point! I'm going to add mention of SCIM / directory sync. I feel like it's easiest to stick that into the CISO section, since a big part of SCIM is just the deprovisioning aspect?

And yeah, you're right -- Okta, for example, doesn't let you add SCIM to an OIDC application. It's unfortunate -- there's no deep technical reason you can't mix OIDC and SCIM -- but it is the world we live in.

solatic

a year ago

> a big part of SCIM is just the deprovisioning aspect?

The "just" makes it sound like this is a minor point. This is a huge point. Enterprises are forced by their customers and regulators to show that terminated employees lose access immediately. There are two ways to make that happen: force everything to flow through a VPN, and SCIM. Most SaaS providers do not support IP allowlisting needed to enforce that all traffic flows through the VPN, and the only alternative to enforce that user sessions are terminated immediately is if the SaaS keeps sessions in a database and those sessions are revoked as part of SCIM. Otherwise the sessions could continue to be valid for days or even longer, presenting a risk of allowing terminated employees to wreck untold havok.

ucarion

a year ago

Oh don't get me wrong at all -- deprovisioning is huge indeed!

I'm not going to misleadingly edit my initial comment, and your comment is fair. I said "just" when I should have said "precisely". As in, I was already talking about how SAML interacts with "Bob from Sales got fired, probably should kick him out of the CRM". SAML gives you "Bob can't log into the CRM ever again", SCIM gives you "... and his CRM user and sessions are immediately revoked".

To be clear, SSOReady also has a "SCIM made easy" API, we definitely know about and care about helping people implement SCIM: https://ssoready.com/docs/scim/scim-quickstart

tbeseda

a year ago

SAML-snark aside, this is a great primer. Definitely useful in explaining to different stakeholders what we're talking about when we talk auth.

eqvinox

a year ago

> You care about supporting SAML because your customer wants your product to support SAML. This is sound reasoning on your part.

Is it just me or is anybody else going 'the fuck did I just read?' here? It's... incredibly condescending?

marvel_boy

a year ago

It is not you. Also SAML is just a nigthmire.

samllmas

a year ago

Mire:

N. a complicated or unpleasant situation from which it is difficult to extricate oneself.

Indeed.

baq

a year ago

It’s a statement of fact…?

cryptonector

a year ago

> What is the point of SAML?

> You care about supporting SAML because your customer wants your product to support SAML. This is sound reasoning on your part. But why does your customer want SAML support?

> One click to login: why your users like SAML

What? No, the users don't know about SAML.

Anyways, no, users don't like SAML. OIDC has a much nicer UX.

randlet

a year ago

They specifically said "customers" not "users" and in my experience (healthcare) they're correct. Being able to tell customers IT departments you support SSO via SAML goes a long way towards getting a purchase approved.

user

a year ago

[deleted]