by quickthrower2 1320 days ago
Makes me question if URL-as-all-factors is a secure way to authenticate someone/thing. Even with SSL encrypting the path, there is the risk of someone sharing that URL since it is a familiar thing to do to share links.
1 comments

With third party cookies going away, URL parameters are the only way to do SSO across domains. Not much you can do about it.
With SAML IIRC the IdP request is GET (but hey that one is fairly public - no credentials have been supplied yet) and the response is POST back to the origin site.
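
An added example (not part of either comment) of the SAML exchange the reply describes: it builds the GET URL for the HTTP-Redirect binding and then decodes it the way anyone holding the link could, showing what a shared or logged URL exposes. The IdP and SP URLs, request ID and RelayState are constructed sample values.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values (assumptions, not taken from the thread).
IDP_SSO_URL = "https://idp.example.test/sso"
SP_ENTITY_ID = "https://sp.example.test/metadata"
SP_ACS_URL = "https://sp.example.test/acs"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(request_id, issue_instant):
    """Minimal AuthnRequest asking for the response over the HTTP-POST binding."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def redirect_url(xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no header
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_url(url):
    """What a holder of the URL (logs, history, a shared link) can recover."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    root = ET.fromstring(xml)
    return {
        "id": root.get("ID"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "relay_state": params["RelayState"][0],
    }


URL = redirect_url(build_authn_request("_constructed-id-1", "2024-01-01T00:00:00Z"), "/dashboard")
LEAKED = decode_redirect_url(URL)  # request metadata only: no user identity or assertion
```

The signed assertion travels the other way as a `SAMLResponse` form field in a POST body, so it does not land in the address bar or in a copied link.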