by geauxvirtual
135 days ago
How much of this code was actually reviewed? Doing a quick glance through some of the features being touted around SSO, there are a few vulnerabilities, and I wonder if these actually work and have been tested with different providers. * I say this as an engineer who has supported an authentication platform for years for a SaaS company and knows not one IdP has implemented SAML the same as others.
If you have any more details, I would love to hear from your experience and what you think would be useful to look at. I will make a ticket based on this concern. I really want to make this as secure as we can and have people poke and do the code reviews. :)
Or analyse the code base. I am using security agents to harden the code base and doing end-to-end testing based on that.
Adding some security agents in the loop is a great idea!