undefined | Better HN

0 pointsthrwaway19858821y ago0 comments

> Let's just say my interaction with managing websites that used SAML was less than pleasant.

My interactions supporting it as both the identity provider & the service provider have lead to me being the SAML person at work, and I'm now very used to people either laughing at my misfortune or giving me pitiful looks.

It combines all the wonderful antipatterns you can name: a protocol where near everything is optional and two standards-compliant implementations can refuse to cooperate in any number of ways, hair raising security decisions (XML-DSIG?! configurable crypto? ughh), and half-baked features (back-channel SLO, anyone?)

It's a Lovecraftian horror that actually makes me appreciate JWTs.

0 comments

davewritescode1y ago

I was also the SAML person at one point in my career and I 100% agree. I used to laugh at all the HN criticisms of JWT because of how much of a nightmare SAML is.

stouset1y ago

Cthulhu does not appreciate being associated with this.

emj1y ago

Do you renew the certificates used to distribute the public keys in SAML metadata, and if so why do you do it? I have had a hard time convincing people it is useless to renew those certs and have yet to find an implementation that care about those certificates.

terom1y ago

Renewing the certificates seems technically pointless, but some organizations/federations require it.

Rotating the keys would make some sense, but just swapping the cert for a new one issued against the same keys doesn't. It's the easiest way to fulfill those requirements, because you don't need to synchronize the metadata updates, the signatures are always valid with both the old and new cert.

emj1y ago

Make senses, most bigger federations do not bother with this luckily for us it is just specific idps.

> synchronize the metadata updates

Sadly I know many implementations that do not handle key changes in the metadata in a smooth way. The two SPs I have from Adobe both require manual updating of one key per idp, making a switch pain to synchronize.

thrwaway1985882OP1y ago

All my x509s for SAML signing are self-signed, and all my self-signed certs live for 9999 days and I plan to let someone else figure out the fallout from that as I'm going to be /retired/. No one has ever really complained. Some IdPs I've integrated with use certificates that are signed by public CAs and it's always a hassle because the ergonomics around it are terrible.

IMO, I think rotation is wildly useless too. It might make sense in a world where my signing certificate was decoupled from the metadata someone else has to very likely load by hand.

robertlagrant1y ago

Yes, JWTs are so simple compared to what came before that it's hard to argue with them. Just make sure your verification doesn't allow none or old ciphers and you're basically fine.

j / k navigate · click thread line to collapse

0 pointsthrwaway19858821y ago0 comments

> Let's just say my interaction with managing websites that used SAML was less than pleasant.

It's a Lovecraftian horror that actually makes me appreciate JWTs.

0 comments

davewritescode1y ago

I was also the SAML person at one point in my career and I 100% agree. I used to laugh at all the HN criticisms of JWT because of how much of a nightmare SAML is.

stouset1y ago

Cthulhu does not appreciate being associated with this.

emj1y ago

terom1y ago

Renewing the certificates seems technically pointless, but some organizations/federations require it.

emj1y ago

Make senses, most bigger federations do not bother with this luckily for us it is just specific idps.

> synchronize the metadata updates

thrwaway1985882OP1y ago

IMO, I think rotation is wildly useless too. It might make sense in a world where my signing certificate was decoupled from the metadata someone else has to very likely load by hand.

robertlagrant1y ago

Yes, JWTs are so simple compared to what came before that it's hard to argue with them. Just make sure your verification doesn't allow none or old ciphers and you're basically fine.

j / k navigate · click thread line to collapse