Yes, that was my usage of "secure" here. I obviously didn't mean that we should blindly trust SAML implementations. SAML should be avoided if possible, due to inherently complicated implementation. The same goes true for JWT. Both standards have better alternatives which are viable for the majority of necessary use cases.