[isaack]

For people on the "hipster" train of SPA/JWT etc, I found OpenID Connect (not the original OpenID) incredibly useful. With a simple JS library [1] you can ask your users to log in with Google, Microsoft, etc, and you can then validate the JWT tokens issued on the server-side.

[1]: https://adodson.com/hello.js/

[tonyarkles]

OIDC is definitely my preferred approach, but that's kind of the point of the article. Big orgs & governments, today, are generally going to be using SAML, if you're lucky (other times they're going to ask you to integrate directly with their 2-decade-old Active Directory).

SAML's kind of quirky, but the handful of integrations I've done so far haven't been that bad. Most of the pain comes from all of the half-baked implementations. I used to get riled up when a customer would ask "can you please not use signed or encrypted assertions? Our side doesn't support that"... now I just mostly shrug, make sure we're doing it over HTTPS, and... meh.

[zwily]

A not-encrypted assertion over https makes sense, but not signed?!?!?

[tonyarkles]

> but not signed

That's right... Key management is hard lets go ride bikes.