Comment by Freak_NL 21 hours ago

0 replies

XML signatures in SAML suck so much they deserve to be your point one. For functionality at least it's possible to just poke around and see what works with whatever party you're connecting to, but debugging broken signing? With XML signatures it is possible to have it all working with one provider (perhaps a Windows machine running ADFS) and then be unable to verify the signatures from another, and you'll never know where the fault lies.

At least with modern stuff like JWTs the ways to encrypt and sign are well-understood.
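The "works with one provider, fails with another" failure the comment describes usually comes down to the signer and the verifier hashing different canonical forms of the same element. The following is an added example, not code from the commenter or from any SAML library: it builds a ds:Reference-style digest (base64 SHA-256) over a constructed Assertion fragment serialized four ways, shows which differences canonicalization absorbs and which it does not, and ends with a small diagnostic that tries the canonicalization choices the two sides may disagree on. Assumptions: the sample assertion strings are constructed for this example; the standard library's `xml.etree.ElementTree.canonicalize` implements C14N 2.0, whereas SAML deployments use C14N 1.0 or Exclusive C14N, so this illustrates the mechanism rather than verifying a real SAML message; `find_matching_canonicalization` and its `C14N_VARIANTS` table are hypothetical helpers written for this example.

```python
import base64
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed sample data: the same logical SAML-style Assertion fragment, serialized four ways.
# A signer that hashed the first form and a verifier that received one of the others can only
# agree if both sides canonicalize the same way.
ASSERTION_A = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Version="2.0" ID="_abc123">'
    '<saml:Issuer>https://idp.example.com</saml:Issuer></saml:Assertion>'
)
# Same content, different attribute order and quote style (what a re-serializing XML library does).
ASSERTION_B = (
    "<saml:Assertion ID='_abc123' Version='2.0' "
    "xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'>"
    "<saml:Issuer>https://idp.example.com</saml:Issuer></saml:Assertion>"
)
# Same content plus a comment inserted by an intermediary.
ASSERTION_WITH_COMMENT = ASSERTION_A.replace(
    "<saml:Issuer>", "<!-- rewritten by proxy --><saml:Issuer>", 1
)
# Same content, pretty-printed: the whitespace-only text nodes are now part of the element.
ASSERTION_PRETTY = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Version="2.0" ID="_abc123">\n'
    '  <saml:Issuer>https://idp.example.com</saml:Issuer>\n'
    '</saml:Assertion>'
)


def digest_of(xml_text: str, canonical: bool = True, **c14n_options) -> str:
    """Base64 SHA-256 over the element, the way a ds:Reference/DigestValue is built.

    With canonical=True the text is canonicalized first (stdlib C14N 2.0; the keyword
    options go straight to xml.etree.ElementTree.canonicalize). With canonical=False the
    raw bytes are hashed, which is what a naive verifier effectively does.
    """
    data = canonicalize(xml_text, **c14n_options) if canonical else xml_text
    return base64.b64encode(hashlib.sha256(data.encode("utf-8")).digest()).decode("ascii")


def reference_is_valid(xml_text: str, expected_digest: str, **c14n_options) -> bool:
    """Verifier side: canonicalize what was received and compare digests in constant time."""
    return hmac.compare_digest(digest_of(xml_text, **c14n_options), expected_digest)


# Hypothetical diagnostic (an assumption of this example, not any library's API): when one
# provider's signature verifies and another's does not, try the canonicalization choices the
# two sides may disagree on and report which one reproduces the signer's digest.
C14N_VARIANTS = {
    "c14n": {},
    "c14n_with_comments": {"with_comments": True},
    "c14n_strip_text": {"strip_text": True},
    "c14n_strip_text_with_comments": {"strip_text": True, "with_comments": True},
}


def find_matching_canonicalization(xml_text: str, expected_digest: str):
    """Return the name of the first C14N variant whose digest matches, or None."""
    for name, options in C14N_VARIANTS.items():
        if reference_is_valid(xml_text, expected_digest, **options):
            return name
    return None


if __name__ == "__main__":
    signed = digest_of(ASSERTION_A)  # the value the signer would put in DigestValue
    print("raw bytes of A and B agree:   ",
          digest_of(ASSERTION_A, canonical=False) == digest_of(ASSERTION_B, canonical=False))
    print("canonical forms of A and B agree:", reference_is_valid(ASSERTION_B, signed))
    print("inserted comment ignored:     ", reference_is_valid(ASSERTION_WITH_COMMENT, signed))
    print("pretty-printed copy verifies: ", reference_is_valid(ASSERTION_PRETTY, signed))
    print("pretty-printed copy would need:", find_matching_canonicalization(ASSERTION_PRETTY, signed))
```

Attribute order and quoting disappear under canonicalization and comments are dropped by default, so those differences between providers are harmless; whitespace inside the signed element is content and survives, so a pretty-printing proxy between an IdP and an SP breaks the digest even though the document is semantically unchanged. The diagnostic only tells you which canonicalization would have matched; whether the signer or the verifier is the one deviating from the profile is still a judgement call, which is the comment's point.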