Hacker News
by teknopurge 1773 days ago
The author did a good job, but these were (are) known issues for quite a while. TLDR: implementation bugs with known countermeasures.

https://www.usenix.org/system/files/conference/usenixsecurit... (from 2012)

We've implemented SAML for 10s of millions of users and devices. The spec is verbose, but the approach solves common business issues. My suggestion is to use SAML simply: federations and passing attributes between trusted parties, allowing the payloads to be verified. SAML can do a lot, but keep it simple and use OOB services for more orchestration/metadata.

2 comments
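Taking the post's advice literally: verify the payload before trusting the attributes it carries. The block below is an added example, not code from the thread or from any particular SAML library. It assumes an XML-DSig library has already verified the signature cryptographically and reports the IDs of the elements whose signature verified (passed in as `signed_ids`); the function shows the structural checks that tie the verified element to the element actually consumed (exactly one Assertion, a direct child of the Response, with a unique ID and a Signature Reference pointing at that ID), followed by issuer, audience and validity-window checks. The sample Response, hostnames and IDs are constructed for the example.

```python
"""Structural checks on a SAML 2.0 Response before its attributes are trusted.

Added example. Cryptographic verification of the XML signature is assumed to be
done by an XML-DSig library that reports the IDs it verified (signed_ids).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlRejected(Exception):
    """Raised when the Response fails a structural or policy check."""


def _parse_time(value):
    # SAML timestamps are UTC ISO 8601; accept a trailing 'Z' on all Python versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_attributes(response_xml, trusted_issuer, audience, signed_ids, now):
    """Return {attribute name: value} from the Response, or raise SamlRejected."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlRejected("root element is not samlp:Response")

    # One assertion, and it must be a direct child of the Response rather than
    # tucked into some wrapper element that the signature does not cover.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlRejected(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    if assertion not in list(root):
        raise SamlRejected("Assertion is not a direct child of Response")

    # The assertion's ID must exist and be unique in the whole document.
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise SamlRejected("Assertion has no ID")
    all_ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if all_ids.count(assertion_id) != 1:
        raise SamlRejected("Assertion ID is not unique in the document")

    # The enveloped Signature must reference this assertion, and the DSig
    # library must have verified exactly this ID (not some other element).
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise SamlRejected("Assertion carries no enveloped Signature")
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != f"#{assertion_id}":
        raise SamlRejected("Signature Reference does not point at the consumed Assertion")
    if assertion_id not in signed_ids:
        raise SamlRejected("consumed Assertion is not covered by a verified signature")

    # Policy checks: who issued it, whom it is for, and whether it is still valid.
    if assertion.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise SamlRejected("unexpected Issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlRejected("Assertion has no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_on_or_after is None:
        raise SamlRejected("Conditions lacks NotOnOrAfter")
    if (not_before is not None and now < _parse_time(not_before)) or now >= _parse_time(not_on_or_after):
        raise SamlRejected("Assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise SamlRejected("Assertion is not addressed to this service provider")

    # Only now read attributes, and only from the assertion that passed every check.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return attrs


# Constructed sample Response (not a real IdP message); the Signature element is
# present only so the Reference can be checked, and its value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # inside the sample's validity window


def check(xml, signed_ids):
    """Run the checks; return the attributes, or the rejection reason as a string."""
    try:
        return extract_attributes(xml, "https://idp.example.org", "https://sp.example.com", signed_ids, NOW)
    except SamlRejected as e:
        return f"REJECTED: {e}"


if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE, {"_a1"}))      # attributes are released
    print(check(SAMPLE_RESPONSE, {"_resp1"}))   # verified ID is not the consumed assertion
```

The point of `signed_ids` is that "the signature verified" is not the same statement as "the element I am about to read was signed"; the two are joined here by ID, and a second Assertion anywhere in the document is rejected outright, which is the simple-usage posture the post recommends.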

The other word for "implementation bug" is "footgun". Standards with lots of footguns are bad standards. SAML has a lot of footguns. It is a bad standard.
This. Lots of SAML libraries don't fully implement the spec, but I second what parent says. It does well for federation attributes.