by varikin 1913 days ago
I had just started a new job and my manager handed me a project to implement the SP side of SAML into our monolith. He explicitly said, "I looked at the docs and don't want to deal with that headache." Fuck, that was a pain in the ass. So many bugs just due to conflicting statements in different parts of the docs. Everything can be done 5 different ways.

This is a direct result of a spec that basically says "here's a grab bag of options, pick what suits you".

Maybe your IdP expects SOAP over HTTP but your SP won't. Perhaps the SP insists on encrypting AuthnRequests. God help you if one side wants to do URL encoding and DEFLATE.

I've made my life easier by refusing to ask/answer questions around SSO and instead insisting on talking about "ADFS login". We still do SAML, but at least there's a baseline implementation that I can plan for.

The SP is a walk in the park compared to the IdP.
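The comment above mentions two of the encodings an SP has to get right depending on which binding the other side picked: the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding in the query string) versus the HTTP-POST binding (base64 only, in a form field). The following is an added example, not code from either commenter or from any SAML library, showing both encodings side by side and a defensive decoder that caps the inflated size so a tiny query parameter cannot expand into an unbounded message. The sample AuthnRequest, the hostnames and the 64 KiB limit are constructed for illustration.

```python
import base64
import urllib.parse
import zlib
from typing import Optional

# Constructed sample AuthnRequest; IDs and URLs are placeholders, not a real deployment.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.test/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

# Hypothetical cap on the inflated message; real deployments pick their own bound.
MAX_DECODED_BYTES = 64 * 1024


def encode_redirect_param(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    # wbits=-15 selects raw DEFLATE; zlib.compress() would add a zlib header,
    # which is the classic interoperability mistake on this binding.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return urllib.parse.quote(b64, safe="")  # '+', '/', '=' all become %XX


def build_redirect_query(xml: str, relay_state: Optional[str] = None) -> str:
    """Assemble the query string an SP appends to the IdP's SSO URL."""
    parts = ["SAMLRequest=" + encode_redirect_param(xml)]
    if relay_state is not None:
        parts.append("RelayState=" + urllib.parse.quote(relay_state, safe=""))
    return "&".join(parts)


def decode_redirect_param(value: str) -> str:
    """Inverse of encode_redirect_param with a size cap on the inflated output.

    Raises ValueError if the base64 is malformed, the DEFLATE stream is
    truncated, or the message would inflate past MAX_DECODED_BYTES.
    """
    raw = base64.b64decode(urllib.parse.unquote(value), validate=True)
    decompressor = zlib.decompressobj(-15)  # raw DEFLATE, matching the encoder
    xml_bytes = decompressor.decompress(raw, MAX_DECODED_BYTES)
    # eof is only set once the whole stream has been consumed within the cap;
    # anything else is either a truncated stream or one that is too large.
    if not decompressor.eof:
        raise ValueError("SAMLRequest truncated or exceeds size limit")
    return xml_bytes.decode("utf-8")


def encode_post_param(xml: str) -> str:
    """HTTP-POST binding: base64 only, carried in a form field (no DEFLATE)."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post_param(value: str) -> str:
    """Inverse of encode_post_param; rejects oversized or malformed input."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) > MAX_DECODED_BYTES:
        raise ValueError("SAMLRequest exceeds size limit")
    return raw.decode("utf-8")


if __name__ == "__main__":
    query = build_redirect_query(SAMPLE_AUTHN_REQUEST, "return/to/app")
    print("redirect query length:", len(query))
    print("post field length:", len(encode_post_param(SAMPLE_AUTHN_REQUEST)))
    print("round trip ok:",
          decode_redirect_param(encode_redirect_param(SAMPLE_AUTHN_REQUEST))
          == SAMPLE_AUTHN_REQUEST)
```

The two decoders are deliberately not interchangeable: feeding a POST-binding value to the redirect decoder fails at the inflate step, and vice versa, which is exactly the class of "works with IdP A, breaks with IdP B" bug the thread describes. Pinning each endpoint to one binding (and checking the size of whatever arrives before parsing XML) removes most of that ambiguity.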
To be fair, SAML itself isn't that difficult -- Shibboleth is just not very good.

I implemented a SAML IdP [0] in MUCH less time than it took to configure Shibboleth. The specification for SAML is pretty easy to comprehend.

The implementation is really an experiment, but the configuration and usability is significantly better. Improving the implementation doesn't affect this. In some closed-source forks I've written a production version that's been in use for several years.

[0] https://github.com/rkeene/saml-idp/blob/master/lib/saml/saml...