Comment by stouset a day ago
SAML is absolutely insane. It’s three separate specs: one that defines what every XML element means semantically, one that defines multiple document models into which you might want to combine those elements, and one that talks about network protocols you might want to use those documents in.
It’s insane and inscrutable.
I previously worked at the company that first created this gem. It was not written based on actually reading the spec. It was based on a loose examination of what other legitimate docs in the wild looked like, and built to parse those.
Which of course meant that early on it was vulnerable to everything since it was built to fit positive results and not negative ones. This isn’t even the first XML signature issue: early released versions didn’t even bother to check that the part being used was the part that was signed. If any part of the doc was signed and valid it was good to go.
Fun times.
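The check the comment says early versions skipped, tying the assertion a consumer actually uses to the element the XML signature's Reference covers, as an added example (not code from the comment or from the gem it describes). It uses only the Python standard library; cryptographic verification of the SignatureValue is assumed to happen separately, and the sample responses are constructed for illustration.

```python
"""Verify that the saml:Assertion a consumer uses is the element a
ds:Reference in the document actually points at. Cryptographic checking of
the signature itself is out of scope here and assumed to be done elsewhere."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def referenced_ids(root):
    """Collect the IDs named by every ds:Reference URI="#..." in the document.
    An empty URI refers to the whole document, recorded here as "" ."""
    ids = set()
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        uri = ref.get("URI")
        if uri == "":
            ids.add("")
        elif uri and uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def used_assertion_is_signed(xml_text):
    """True only if the first saml:Assertion (what a naive consumer picks)
    carries an ID that some signature Reference covers, or the signature
    covers the entire document."""
    root = ET.fromstring(xml_text)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None or not assertion.get("ID"):
        return False
    covered = referenced_ids(root)
    return "" in covered or assertion.get("ID") in covered


def _response(body):
    # Constructed sample wrapper; real responses carry far more content.
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">'
            '%s</samlp:Response>' % (NS["samlp"], NS["saml"], NS["ds"], body))


# Constructed samples: one assertion whose enveloped signature references its
# own ID, and one assertion with no signature at all.
SIGNED = ('<saml:Assertion ID="_a1"><ds:Signature><ds:SignedInfo>'
          '<ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature></saml:Assertion>')
UNSIGNED = '<saml:Assertion ID="_b2"/>'

GOOD_RESPONSE = _response(SIGNED)             # used assertion is the signed one
MIXED_RESPONSE = _response(UNSIGNED + SIGNED)  # first assertion is not covered
```

A consumer that only asked "is there a valid signature somewhere in the document" would accept both responses; the ID check rejects the second.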
In my experience, anything XML-related seems to be the product of simplicity-hating architecture astronauts with zero consideration for efficiency, possibly as a way of justifying their existence and continued employment.
Standards based on ASN.1 get a lot of hate (X.509 etc.) but I'd rather work with that than XML.