Comment by caust1c 2 months ago

13 replies

I know very little about XML and SAML, but from what little I do know it shocks me that it's still the de-facto standard for SSO.

Great analysis and thanks for sharing!

tptacek 2 months ago

It should not be, and people should use OIDC in preference to it wherever they can.

  • Roguelazer 2 months ago

    I'm optimistic SAML will be dead soon. ActiveDirectory/EntraID/whatever Microsoft wants to call it now supports OpenID Connect. Okta, OneLogin, Google, and all the other post-turn-of-the-millennium IdPs support OIDC. Shibboleth is the last major IdP I know of that is SAML-only, and I haven't seen anyone using it in like 10 years. When I built enterprise SSO for my current company, we went OIDC-only and we haven't had a single customer who needed SAML.

    • jrochkind1 2 months ago

      > Shibboleth is the last major IdP I know of that is SAML-only, and I haven't seen anyone using it in like 10 years

      Most universities are still using Shibboleth. And probably will be forever. I think Shibboleth influenced SAML, probably to its detriment.

      • Griever 2 months ago

        Yup, thankfully most federate through InCommon so it’s less painful than it used to be, but that’s not saying much.

    • zdragnar 2 months ago

      Working in the health market, pretty much the only thing our customers support is SAML, and that's only among customers who have anything at all that can integrate with us.

      • koito17 2 months ago

        Anecdotally, many American universities and academic journal sites still use Shibboleth. Thus, in the United States, SAML is far from dead, whether we like it or not.

    • Johnnynator 2 months ago

      > Shibboleth is the last major IdP I know of that is SAML-only

      Shibboleth has officially supported Plugins for OIDC for some time now.

      As others said, Shibboleth is still rather popular at universities and in higher education. OIDC will have a hard time setting foot there until the OpenID Connect Federation draft is finished and then implemented by the different metadata federations that exist (most national research networks manage one).

    • hirsin 2 months ago

      Okta barely supports OIDC I'm afraid. We have to use SAML with them because they don't support a reusable app model for OIDC (a "marketplace app" that multiple customers can use).

      I'd love to add FastFed support for OIDC and be done with it but SAML still rules the world.

    • sk5t 2 months ago

      > I'm optimistic SAML will be dead soon

      Get used to disappointment.

    • riffraff 2 months ago

      Isn't the shared identity login thingy (eIDAS) in the EU SAML based?