I did a SAML implementation with Ping Identity for a "large kids brand" and it was horrible. Getting permissions and roles out of LDAP, passed through SAML and translating them to our application was so brutal it was laughable.
Guess what happened. 12 months later they dropped everything except the SAML login support and switched back to using our permissions instead.