Lately I’ve been working a lot with SAML, and I have to say it’s an extremely complex and obfuscated protocol. The best analogy I can come up with uses our infamous light bulb jokes. (“How many programmers does it take?”) SAML is like building a mini nuclear reactor to power a light bulb in your office. It’s certainly geeky, but what the fuck is the point? You’ve over-engineered something that should be very simple: Single Sign-On.
Besides that point, who the hell cares about SSO? I think most Internet users are comfortable with maintaining a list of usernames and passwords for various sites. I don’t believe a “circle of trust” is needed these days for the sole purpose of saving a few keystrokes. It seems very… 1998 to me.
OAuth is a different story. From what I’ve gathered, OAuth is more of an authorization protocol to share protected resources with various third parties. I would imagine this could be shoehorned into an SSO implementation… but OAuth is a little out of scope of my project.
No, the reason SAML exists and has amazing support is due to one thing: politics. For some reason, the word SSO is a magical synonym for “synergy” and “Web 2.0.” All I see is that I’ve made this Service Provider have butt sex with this other Service Provider while the Identity Provider was watching in the corner. The people that make the calls and define the projects think they’ve synergized each other.
There are so many rotten things about this protocol. It uses XML. Everything is namespaced, signed, encrypted, wrapped. 302 redirects happen all over the place. If a redirect takes too long or is interrupted, the entire process fails. SAML is supposed to be an open protocol, yet none of the implementations of SAML will talk to each other without a lot of massaging.
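To make the “302 redirects all over the place” concrete, here is an added example (not code from the original post, and not from Shibboleth or ZXID) of what one of those redirects actually carries. Under the SAML 2.0 HTTP-Redirect binding the SP raw-DEFLATEs the AuthnRequest XML, base64-encodes it, and URL-encodes the result into a SAMLRequest query parameter on the IdP’s SSO URL; the IdP reverses the steps. The AuthnRequest, the example.org/example.com URLs, and the allow-list of ACS URLs below are constructed for the example. The block deliberately stops short of signing: with this binding the signature is not inside the XML at all but in separate SigAlg and Signature query parameters computed over the query string, which is one more thing the various implementations disagree about.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest; not captured from any real deployment.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_abc123" Version="2.0" IssueInstant="2010-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/SSO" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>https://sp.example.com</saml:Issuer>"
    "</samlp:AuthnRequest>"
)

# Hypothetical IdP-side registry: ACS URLs the IdP has on file for each SP issuer.
KNOWN_ACS_URLS = {"https://sp.example.com": {"https://sp.example.com/acs"}}


def encode_redirect_payload(xml_text: str) -> str:
    """Raw DEFLATE (RFC 1951, no zlib header: wbits=-15) followed by base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_payload(value: str) -> str:
    """Inverse of encode_redirect_payload: base64-decode, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(idp_sso_url: str, xml_text: str,
                       relay_state: Optional[str] = None) -> str:
    """SP side: the Location header the SP sends in its 302 to the IdP."""
    params = {"SAMLRequest": encode_redirect_payload(xml_text)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"  # urlencode handles '+', '/', '='


def parse_redirect_url(url: str) -> dict:
    """IdP side: unpack the SAMLRequest parameter and pull out what matters.

    In production, parse the XML with a hardened parser (e.g. defusedxml) and
    verify the SigAlg/Signature parameters before trusting any of it.
    """
    qs = parse_qs(urlparse(url).query)
    xml_text = decode_redirect_payload(qs["SAMLRequest"][0])
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"unexpected root element {root.tag}")
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text if issuer_el is not None else None
    acs_url = root.get("AssertionConsumerServiceURL")
    # The IdP must not post an assertion to an ACS URL it has not registered
    # for this issuer; otherwise the request just names an attacker's endpoint.
    if acs_url not in KNOWN_ACS_URLS.get(issuer, set()):
        raise ValueError(f"ACS URL {acs_url!r} not registered for issuer {issuer!r}")
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": acs_url,
        "relay_state": qs.get("RelayState", [None])[0],
        "xml": xml_text,
    }


if __name__ == "__main__":
    location = build_redirect_url("https://idp.example.org/SSO",
                                  SAMPLE_AUTHN_REQUEST, relay_state="/dashboard")
    print("302 Location:", location)
    print("IdP sees:", parse_redirect_url(location))
```

Run it and the printed Location header is the opaque blob you see flying past in the browser during an SP-initiated login; the decoded dictionary is everything the IdP actually needs from it. The ACS allow-list check is the one that stops a forged request from redirecting a user’s assertion to somewhere the SP never registered.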
I really despise XML as a data protocol. It looks unclean to the eyes — in order to read it easily you have to tabulate it out and pretty-print the contents into something more readable. Pick anything else… CSV, JSON, they all look a little dirty depending on the contents, but it’s easy enough to scan for something you’re looking for. XML might have all of these great features for namespaces and all of that, but are those actually used most of the time? No, most of the shit I see in XML is configuration files, or RSS feeds. I see data with more bytes in tags than in values. That’s a dead giveaway of a protocol with a shit ton of overhead.
For implementations of the SAML protocol, we have two primary choices in the open source (free) world: Shibboleth and ZXID. There are a few commercial products available, but most of them run on Windows only. The one that I did look into was PingFederate, and in talking with a sales guy the pricing was similar to Oracle: “If you have to ask about the price, it’s too expensive for you.” But seriously, based on our traffic rate, PingFederate would have been around $80,000 – $100,000 for a “no questions asked” license, or around $20,000 per server for some other licensing plan. That’s ridiculous! All this thing needs to do is process some shitty XML and sign it with SSL keys. It looked like the primary consumers of PingFederate were Windows users, which means the people that are using SAML are the ones that make poor IT decisions in the first place.
I’ve eventually found myself in a mixed-up environment, using Shibboleth as an IdP and writing my own SP implementation using the ZXID libraries. IT SUCKS! I can’t begin to describe how much of a setup pain this has been. Shibboleth SP worked fine with Shibboleth IdP, but the SP has a lot of bugs. Users get kicked off randomly. The session cache can’t be shared between servers unless it’s backed with a broken ODBC driver or a memcache driver. Of course, storing session data in memcache is a clusterfuck to begin with because memcache is an unreliable cache and not something to be used with important data like session keys. So, it was either use sticky sessions in our load balancer, which sucks, or find some other Service Provider.
Forget about support with Shibboleth. The primary author, Scott Cantor, is a total dick. I don’t have time to cite email threads, but just search for a few; his attitude is all over the place. He just has that smug, dickface geek attitude that says, “I wrote this, I know better than you, and your question is retarded.”
Ahh, here’s an example at the top of this page:
The Shibboleth 2 IdP does not support SLO. Period. Don’t bother looking. This document is NOT a recipe for implementing SLO. It’s a warning to those who think they understand SLO. They probably do not understand it and need to think about it long and hard before they even begin to contemplate it at some future point in time.
Now, why would you have something that allows people to log in, but not even bother to design the protocol to log back out easily? That page goes into all of the excuses about why it’s “wrong” to implement SLO… but a second group of people forked the project and compiled their own binaries that support SLO out of the box. I downloaded that, installed it on top of my Shibboleth IdP tree, and it worked great, no problems. Why would you, as a project maintainer, leave out something so critical? Then, why would you allow someone else to provide that same functionality and not be a nice guy and include it in your project? That’s the attitude I’m talking about, and I see it all over the Open Source world. Open Source developers need to lose the fucking ego and start focusing on creating a better product.
Shibboleth SP was out. That’s where ZXID came in. I can integrate it alongside our current authentication methods. Super! But nobody mentioned that SAML is not an open, standardized protocol, and everyone seems to implement it differently. ZXID has all sorts of problems. It segfaults on me, the API is horrible, the documentation is disgusting. Despite that, ZXID seems like the lesser of two evils.
I have most of this working, but a few key signing problems to work out. It’s taken me weeks of dedicated time to set all of this up. I’m so fucking pissed off at SAML. I have other tasks just piling up on me, and this project is due under a deadline. On that note, I need to get back to work. I’m not even going to take the time to re-read this for grammar, I just needed to bitch. Please comment if you’ve shared in my misery!