
Lately I’ve been working a lot with SAML, and I have to say it’s an extremely complex and obfuscated protocol.  The best analogy I can come up with uses our infamous light bulb jokes.  (“How many programmers does it take?”)  SAML is like building a mini nuclear reactor to power a light bulb in your office.  It’s certainly geeky, but what the fuck is the point?  You’ve over-engineered something that should be very simple:  Single Sign-On.

Besides that point, who the hell cares about SSO?  I think most Internet users are comfortable with maintaining a list of usernames and passwords for various sites.  I don’t believe a “circle of trust” is needed these days for the sole purpose of saving a few keystrokes.  It seems very… 1998 to me.

OAuth is a different story.  From what I’ve gathered, OAuth is more of an authorization protocol to share protected resources with various third parties.  I would imagine this could be shoehorned into an SSO implementation… but OAuth is a little out of scope of my project.

No, the reason SAML exists and has amazing support is due to one thing: politics.  For some reason, the word SSO is a magical synonym for “synergy” and “Web 2.0.”  All I see is that I’ve made this Service Provider have butt sex with this other Service Provider while the Identity Provider was watching in the corner.  The people that make the calls and define the projects think they’ve synergized each other.

There are so many rotten things about this protocol.  It uses XML.  Everything is namespaced, signed, encrypted, wrapped.  302 redirects happen all over the place.  If a redirect takes too long or is interrupted, the entire process fails.  SAML is supposed to be an open protocol, yet none of the implementations of SAML will talk to each other without a lot of massaging.

I really despise XML as a data protocol.  It looks unclean to the eyes — in order to read it easily you have to tabulate it out and pretty print the contents to something more readable.  Pick anything else… CSV, JSON, they all look a little dirty depending on the contents, but it’s easy enough to scan for something you’re looking for.  XML might have all of these great features for namespaces and all of that, but are those actually used most of the time?  No, most of the shit I see in XML is configuration files, or RSS feeds.  I see data with more bytes in tags than in values.  That’s a dead giveaway of a protocol with a shit ton of overhead.

For implementations of the SAML protocol, we have two primary choices in the open source (free) world:  Shibboleth, and ZXID.  There are a few commercial products available, but most of them run on Windows only.  The one that I did look into was PingFederate, and in talking with a sales guy the pricing was similar to Oracle:  “If you have to ask about the price, it’s too expensive for you.”  But seriously, based on our traffic rate, PingFederate would have been around $80,000 – $100k for a “no questions asked” license, or around $20,000 per server for some other licensing plan.  That’s ridiculous!  All this thing needs to do is process some shitty XML and sign it with SSL keys.  It looked like the primary consumers of PingFederate were Windows users, which means the people that are using SAML are the ones that make poor IT decisions in the first place.

I’ve eventually found myself in a mixed up environment, using Shibboleth as an IdP and writing my own SP implementation using the ZXID libraries.  IT SUCKS! I can’t begin to describe how much of a setup pain this has been.  Shibboleth SP worked fine with Shibboleth IdP, but the SP has a lot of bugs with it.  Users get kicked off randomly.  The session cache can’t be shared between servers unless it’s backed with a broken ODBC driver, or a memcache driver.  Of course, storing session data in memcache is a clusterfuck to begin with because memcache is an unreliable cache and not something to be used with important data like session keys.  So, it was either use sticky sessions in our load balancer which sucks, or find some other Service Provider.

Forget about support with Shibboleth.  The primary author, Scott Cantor, is a total dick.  I don’t have time to cite email threads, but just search for a few; his attitude is all over the place.  He just has that smug, dickface geek attitude that says, “I wrote this, I know better than you, and your question is retarded.”

Ahh, here’s an example at the top of this page:

The Shibboleth 2 IdP does not support SLO. Period. Don’t bother looking. This document is NOT a recipe for implementing SLO. It’s a warning to those who think they understand SLO. They probably do not understand it and need to think about it long and hard before they even begin to contemplate it at some future point in time.

Now, why would you have something that allows people to log in, but not even bother to design the protocol to log back out easily?  That page goes into all of the excuses about why it’s “wrong” to implement SLO… but a second group of people forked the project and compiled their own binaries that support SLO out of the box.  I downloaded that, installed it over the top of my Shibboleth IdP tree and it worked great, no problems.  Why would you, as a project maintainer, leave out something so critical?  Then, why would you allow someone else to provide that same functionality and not be a nice guy and include it in your project?  That’s the attitude I’m talking about, and I see it all over the Open Source world.  Open Source developers need to lose the fucking ego and start focusing on creating a better product.

Shibboleth SP was out.  That’s where ZXID came in.  I can integrate it alongside our current authentication methods.  Super!  But, nobody mentioned that SAML is not an open, standardized protocol, and everyone seems to implement it differently.  ZXID has all sorts of problems.  It segfaults on me, the API is horrible, the documentation is disgusting.  Despite that, ZXID seems like the lesser of two evils.

I have most of this working, but a few key signing problems to work out.  It’s taken me weeks of dedicated time to set all of this up.  I’m so fucking pissed off at SAML.  I have other tasks just piling up on me, and this project is due under a deadline.   On that note, I need to get back to work.   I’m not even going to take the time to re-read this for grammar, I just needed to bitch.  Please comment if you’ve shared in my misery!


47 Comments

  1. Hi 🙂

    You know that there is another free implementation in town than ZXID: it’s Lasso. It’s a GPL library implementing the SAMLv2 protocol with many bindings (Perl, Java, Python, PHP).

    We have also made an IdP called Authentic. You can see the version 2 (beta) running there: https://www.identity-hub.net. No configuration on the IdP side to enroll a service provider, just get the metadata for the IdP (https://www.identity-hub.net/idp/saml2/metadata) and plug it into your SP. Authentic will autoconfigure on its side (provided your service provider publishes its metadata file).

    We support many authentication systems: SSL, OTP (OATH), OpenID.

    For creating a simple service provider there is an Apache module based on Lasso called mod_mellon.

    If you use Python/Django you can pick the service provider code present in Authentic2; it is made to be reused. In other cases look at the API documentation; the typical SSO/SLO code is really simple.

    URLs:
    https://dev.entrouvert.org/projects/lasso
    https://dev.entrouvert.org/projects/authentic
    https://rnd.feide.no/software/mod_mellon/
    http://lasso.entrouvert.org/documentation/api-reference/index.html

    • +1 on authentic2

  2. I did check out Lasso during my research. I needed to integrate SAML support with Perl, and the documentation was very poor for it. I did my best to trial & error hook up to an IdP but I just couldn’t get past the first 2 lines of code failing.

    I didn’t have time to wait on mailing list responses so I went back to ZXID. I eventually got everything to work, and am going through testing now.

    I still think SAML is way too over-engineered, but now that I at least have a functional system I guess I hate it a little less. 😛

  3. Hi,

    I am sorry that you did not pass the first 2 lines with Lasso… Lasso has recently been used to build an IdP in Perl with all the SAML2 profiles. Moreover, you can usually grab answers quickly on the lists (especially from Benjamin). Maybe you could have saved weeks 😉 The API signature is simple and you also have examples of code. Then, even for a non-expert, it takes a few days to make your SP run a SAML SSO. The best: Lasso is under GPL.

    I am quite curious to know what you want to use SAML for. Because SAML is not only SSO. SAML specifies an SSO mechanism to enhance the user experience when you want the user to run certified identity information exchanges between trusted organizations.
    If you just need an SSO, maybe you do not want SAML. A simple browser password wallet could match your needs. Of course, you can use SAML for this but it’s not the primary use.

    SAML has been built to put the users in control of the exchanges of certified identity information between trusted organizations. For instance, because you want to authorize users of orgA to access the SP of orgB. Maybe you also want to do some trust management and you want certified identity attributes in your assertions to make a fine-grained access control. Such exchanges could mean a bad user experience if the user has to interact with each party to provide passwords. Then, the SSO comes into place to make the whole thing smoother.

    SAML is also specified to rely on pseudonyms to avoid the privacy concerns that you could meet if all your SPs are able to link your accounts. Finally, you only need a standard web browser to make it happen, and XML is not so bad. You can easily add new namespaces, for instance to add your own attributes in assertions. You can use XML signatures to sign protocol messages and assertions. You can use existing tools to parse documents, schemas, validate signatures, etc.

  4. Yeah, we’re using it only for SSO, and I realize SAML2 does more than that… but unfortunately all of our 3rd party companies use SAML, and I’m stuck with it. It’s sort of become one of those industry standards that everyone uses, and has become a sort of a status symbol. “We support SSO!”

    Thanks for the info though, I will keep Lasso in mind if I need to do a big revamp of our auth architecture.

  5. You discovered all the hard ways to do this for free first.

    Try OpenSSO, which was open-sourced from Sun a few years back. It is also available through ForgeRock:

    http://www.forgerock.com/openam.html

  6. Take a look at this (www.distaltech.com) for a simple, efficient and low cost, SAML compatible (but does not require) solution…designed exclusively for SaaS / Cloud providers…

    Yes, I work for them…let me know if you would like any additional info.

  7. Hi,

    I am trying to implement a SAML SSO service provider for my client using Perl. I am pretty new to SAML; can you help me with the setup?

    Thanks,

  8. +1 and “Like” if I could. I am researching SAML and OAuth for future projects and came across this post and it provided me with much enjoyment and I laughed more than a few times.

    I love reading actual internal dialogue level developer thoughts.

  9. I Googled “SAML Sucks” to discover this post. That says it all 🙂

    • Same here.

      First thing you do when you encounter [unknown],
      google: [unknown] sucks.

      That will give you some initial idea what to expect.

  10. I’m developing for the online education market, and as a course provider, the vast majority of our students SSO from other systems. They don’t create accounts with us, but with our clients; the clients then create accounts for them.

    Through that process, I’ve implemented several SSO systems, from each side, and SAML is by far the worst I’ve seen. I’m just glad there was a library for it in the language I’m required to use; even configuring that library has been more painful than implementing most of the other systems.

    For future SSO needs, I’m going to recommend CAS. It has one technical drawback from our perspective, but it’s very simple.

  11. Thanks for the amusing and informative post. I too am researching SAML and OAuth. Like you, just the fact that SAML is based on XML was a bit of a tip-off. Very funny, thanks.

  12. Thank god I’m using Microsoft’s products…

    • When I was working with X.500 in the early 90s, I actually heard fools on conference calls say ‘Thank God for X.500’.

    • I have NEVER had any issues with authentication until I was forced to start using SAML. It is the biggest clusterfuck piece of bullshit I have ever seen or used in my life. In the real estate world, vendors call all the shots. It’s really ass fucking backwards.. There are incredible data products with solid transport schemas all over the place.. SQL, Oracle, MySQL, oData.. So what do these failed (I mean ALL of their software platforms are about ten years deprecated and are and I mean Really are super shitty.. I mean, they suck… There is not one single platform that pumps my chubster..) dumbass vendors do? Ooo Let’s reinvent the fucking wheel so no one can make great products and we can keep all these brokers in Year 2K and keep all the business! We suck, and our products suck so we HAVE to do this or we will be working in godaddy tech support. Let’s call it RETS for the real estate transaction something or other, and let’s use SAML in everything for SSO since no one on small biz level uses it! Then they will HAVE to use us! Oh and let’s get the National Association of Realtors / NAR to approve it and create another fucking subcommittee and we will call it RESO and piss away more fucking money.. Fuck brokers, they deserve to use our shitty software and to suck a SAML dick. This way we failed tech vendors can have big ol SAML circle jerk fucking parties. Fucking SAML cock sucking cum gurgling bullshit real estate standards on my left nut sack little saml dick loving failed wannabe saml swallowing web vendor bullshit.. Fuck SAML! This bullshit fuck Microsoft and big vendor mentality is costing more time and money than it is worth.. really… fucking saml commie bastards. Where do you find the most SAML resources? Web Vendors and Programmers with little man syndrome, who jerk off to xml charts, who used the password of password until this bullshit standard fucking showed up, and threw this bullshit together to make it look like they had a half a peckerwood brain to make others think or assume they know what the definition of security was… Fucking H Free Willy! Stop Reinventing the fucking wheel! PS.. Fuck SAML….. I’m going to go and blow my fucking brains out now so don’t waste your time replying. All my suicide note says is.. Yes.. Fuck SAML…

        theadminblagger, posted 04/30/2013 at 9:07 am

        What real estate vendors did you use SAML to integrate with? The entire real estate industry is standards and restrictions on every layer. From software, down to regulations on buying or selling a house. You’re pretty much fucked if you try to circumvent the MLS by selling your house on your own. It’s anticompetitive and Un-American.

        In general, I see industries use SAML to protect something that shouldn’t be protected. It’s highly obfuscated security to implement control for the sake of control. For example, to watch the Olympics live streaming on the web, you had to log in using SAML SSO over to your cable/satellite provider. NBC covered the 2012 Olympics, which is a free, over-the-air station. Yet, they chose SAML to protect something that everyone should see for free. I do not waste my money on cable TV, so the path of least resistance to watch the Olympics was to just pirate the content. Sad, really.

        –The Admin

  13. Hi, I am in the process of installing Shibboleth; it’s killing me! Anyway, the story is, we are a global scientific group; each member has a username and password, and a certificate to log in to group websites. Now our department has a website, and my boss wants to use the same username/password with SSO to log in to our department website. We have no idea where to start. After googling we found Shibboleth might be the option.
    Now I am trying to install Shibboleth. There are so many different components, configuration, errors! I have installed IdP and SP but have no idea how this is going to work.
    Anyway, my question is: in order to solve my problem, is there any other option rather than Shibboleth?

  14. Thanks for a highly amusing synopsis of SAML.
    I am in the same boat now of having to implement SAML for a 3rd party interface.
    I am reminded of the early 90s debate on X.500 which was just a small skirmish in the bigger war between the OSI and IETF protocols. We should be thankful that SAML uses XML and not ASN.1.
    Happily X.500 has died and been harmlessly buried out of sight of most developers.
    All that remains is the current X.509 certificate structure which is widely used today.

  15. OpenAM is a solution for SAML 2.0 integration (IdP, SP and IdP Proxy). It also supports OAuth. There is also a lightweight implementation for a SAML 2.0 Service Provider. It is called OpenAM Fedlet.

  16. PicketLink/PicketBox in JBoss provides an IdP/STS/PDP. I would choose it over the others listed (OpenAM/Shibboleth/etc.)

  17. SimpleSAMLphp might be an option for you: http://simplesamlphp.org/

  18. Great article! I have been knee deep in SAML for over a year now and SAML is truly a technological cesspool. The designers could not have made it more complicated. We have integrated with about a half dozen other SAML IdPs with us being the SP and every one of them has been a nightmare. It’s like we are talking to each other in different dialects of Mandarin Chinese. We are tantalizingly close to understanding each other except there is always one or more exceptions that fuck up the SSO transaction.

  19. I feel your pain brother – SAML is the bastard child between EJB1 and SOAP-WS.

  20. I am doing a SAML2 integration right now (70h is what I got for the time to integrate!!!) I agree with some of the points mentioned in the original blog post. However this comment strikes me: “Besides that point, who the hell cares about SSO? I think most Internet users are comfortable with maintaining a list of usernames and passwords for various sites.” Just about any company has a dozen or more applications where a user needs to authenticate. I cannot imagine asking my user ‘sure, you just log in to every application’. Here SSO really helps: a user logs in once, and is automatically ‘logged in’ to all other applications. You just cannot ask a user to keep a list of all usernames/passwords for each and every application.
    I have to agree, SAML2 is complex, not easy to understand, and certainly if you are not a native English speaker, like me. It took me a while to understand the ‘Service provider’ concept and I was like ‘Ooo you mean the application!’ Sure there is a bit more to it, but the terminology did throw me off-guard a couple of times.
    If you need to implement ‘just’ SSO within your organisation, then I can recommend jasig-cas. Very easy to set up/install and run. It’s a ‘set and forget’ type of system once it’s running and works very well.

  21. Also, “+1 and Like if I could.” – as Brandon Lamb said. 😉 For most of the users and workflows OAuth v1.0a is quite enough. It is an easy-to-understand, easy-to-implement, easy-to-manage, easy-to-use protocol and even interoperability is guaranteed. Unfortunately, OAuth v2.0 totally re-organized the original concept of OAuth: IETF tries to create a SAML-like framework from this. I agree with Eran Hammer: I am not sure whether this was a good choice…

    http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/

    But, on the other hand… If someone really-really-really needs the cross-domain SSO functionality, separated modules that support different authentication methods, name ID mapping by communicating directory servers, or adding special authorization attributes, that can use an implementation based on SAML, which was standardized several years ago. OAuth v2.0 is totally incomplete…

  22. I’ve been using SimpleSAMLphp as a SAML 2 IdP for a couple of years now, and it’s been pretty much flawless. Since it’s open source, I was able to write a module to take the REMOTE_USER env variable from our Apache NTLM environment, then look up the user’s additional info (name, email, etc.) in an LDAP query to Active Directory, and SimpleSAMLphp wraps all that up nicely. Clients in our corporate environment are able to use 3rd party services without logging in to anything but their Windows desktop.

  23. From your poorly written post I am absolutely sure you never had to admin multiple accounts and create/block/delete users from a lot of services on a regular basis.

    So, yeah, your post is full of rage from someone who has never been in a corporate environment.

  24. I have been neck deep in SAML for the last couple years and most of my co-workers and my wife think I posted this fine bit of rage. I will say you are wrong about people being able to keep track of passwords, unless of course they write it on a post-it note under their mouse pad (do people even use mouse pads anymore?) Anyways, most people are brain dead, especially in a corporate environment, and remembering passwords while trying to fill out TPS reports is just asking too much.

    I will say this, as part of a skills test I make job candidates configure SAML, it really helps clear out the BS’ers from the truly skilled system admins.

    • “I will say this, as part of a skills test I make job candidates configure SAML, it really helps clear out the BS’ers from the truly skilled system admins.” – That’s just plain evil! But a good way to separate the boys from the men.

      • Just trying to keep the world safe from the monkeys that work at Best Buy Geek Squad, downloading CentOS, installing it on VirtualBox and then calling themselves Linux and VMware experts on their resumes!

    • “most of my co-workers and my wife think I posted this fine bit of rage.”

      It’s funny, I’ve also been wondering if/when one of my coworkers stumbles onto one of my blag entries and finger points me. I generally talk like this to my peers anyway. There’s probably enough content here to get me fired and/or lose clients over!

      “I will say you are wrong about people [can’t] keep track of passwords…”

      Yes, you’re correct, but I believe the “forgot my password” feature on most websites is heavily used. We get around 1,000 hits a day to ours. It’s just a fact of life when using the Web — you need to figure out how to have a bunch of usernames and passwords, as each site will have different password strength requirements. Everyone has to deal with it, and that’s why I say SSO is bullshit.

      An even better solution is to try and push a service like LastPass on users. Pick *one* good password, and let it deal with the rest for you.

      “part of a skills test I make job candidates configure SAML…”

      That’s an interesting idea… but how much time are you giving candidates to do this? A week long “homework style” test?

  25. It looked like the primary consumers of PingFederate were Windows users, which means the people that are using SAML are the ones that make poor IT decisions in the first place.

    Holy shit, I could not have said it any better.
    You … I like you.

    • Why thank you sir!

  26. Guys, if you want simple org A auth to org B then just use ADFS.. or Google identity for external participants..
    so much simpler than this shit..

    • Troy,

      I think I can speak for a lot of companies when I say that you cannot have your company information at Google. Especially any company outside of the US of A, because of the Patriot Act.
      Second, not everybody has the knowledge to have a system in place that runs ADFS. It might sound so simple to say ‘oooo let’s use ADFS’ but there are nowadays too many people in the world that don’t have a clue how to set up an MS server (assuming it does need an MS server). Me for example, I wouldn’t have a clue where to start, while SAML2 is a lot easier to get started with; it runs on all major operating systems, not only MS servers, again, assuming that ADFS is an MS-only technology.

      Lastly,
      no matter what system you are planning to use (ADFS, SAML2, OpenID, Google identity etc..), if a person doesn’t understand SSO in the first place, he/she shouldn’t touch it; walk away and let it be handled by professionals in the first place.

  27. Has anyone had any experience using the Perl module Net-SAML2? I have it installed and am having trouble getting past the certificate validation. I’d be happy to post more details if anyone would be willing to help.

  28. SAML is less about SP to SP circlejerking than it is about making it so an enterprise has access control over who has access to its chosen cloud-based service providers. Whoever told you that it’s about reducing passwords (which is a side effect) has their head up their keister. When an enterprise gets in bed with a service provider, there’s all sorts of things that they want – like the ability to kill a user’s access to the SP immediately upon termination.

    Consider the Sales guy that gets canned: a last hurrah for him (without SAML) could be to log in directly to Salesforce and delete all of his contacts and leads. I wonder how much work he’s just created for the guy that takes over his accounts? If you’re only allowing him to access Salesforce via the federated connection, then he has to authenticate to your company’s authentication system, before he can hit Salesforce.

    As to PingFed? I’ve used it for a number of years – on Linux. Why? Well, there’s a lot of solid features in it that you won’t get with your open source stuff – things like certificate expiration notification. That may not be an issue if you’ve only got 100 users in your IdP, and a couple of connections… But when you get to 100 connections, 200, 500… It becomes a daily management issue, and it’s good to know when there’s an issue. Plus, their integration kits (they’ve done a majority of the first mile/last mile work for your developers) are really helpful.

    Best of luck on your implementation!

  29. Ahh, another SAML sufferer, you have my condolences.

    I’m currently in the process of cleaning up a sizable vendor mess and you’ve just repeated 100% of my feelings on the topic. Vendor X sells us product Y (which was selected by campus wide survey, I might add), product Y claims SAML compatibility, we end up finding out that product Y is using a SAML library held together by spit and tape (and string templates) and, as a result, only works with Shibboleth. We only find this out because they refuse to give support to anyone that didn’t pay for support and continue to hand wave and say, “Don’t worry, try this fix. No? What about this fix?” all the way until contract signing. Even after we sign, they insist that it’s our federation server vendor’s problem. Finally, months down the line, our federation server vendor steps in after 2 escalations and says, “Here is the bit of the SAML standard they are implementing incorrectly”. We send it to vendor X, and after a week or 2 of silence, they agree to fix it, but refuse to give us a timeline. We will be going live in a few weeks, and we still don’t have correctly working SLO.

    To make matters worse, our department probably has the most competent IT people on campus… and we aren’t the IT department… so we have absolutely no power to put a workaround in place. Though my boss is always telling me that I’m too negative for my age, I think I’m doing pretty well in the face of an almost certain train wreck.

    • O oOo Ooo, I have one too!!!

      We just finished up implementing SAML2 into one of our CMS systems (Jahia) and after testing it against our own OpenAM test server we brought it into the dev environment of our client running OpenSSO.

      What do you think happened?? This worked out of the box, not a single code change required.

      Kaori,
      you seem to blame SAML2 here and I understand your frustration, but in reality the vendor of your application (Y) didn’t stick to the specification. No matter how you are going to twist it, any integration where product Y doesn’t stick to the specification will never work, ever!

      I am glad you fixed your issue though, SAML2 isn’t really that bad..

        James, posted 09/03/2014 at 10:57 pm

        OpenAM is OpenSSO.

        yoong, posted 01/18/2015 at 1:00 pm

        Hi,
        I would like to use OpenAM to log in to Jahia: can somebody help me?
        Thank you

  30. Yes, big surprise to discover SAML for the first time. When the project came to my desk, at first it looked easy, but then I discovered that to access the web application (SP) we need our own IdP/SAML server. Found a lot of commercial ones, but very expensive. So no choice but to go with a free SSO license, like OpenAM. But big surprise, it takes a lot of time to set up, and you need to understand a lot about SAML. After 2 days spent on that, I just feel, shit!! That is a fucking project coming to my desk. And more projects on the side, so ya, not cool at all!! Cannot believe there is not a standard easy-going way to use SAML, without spending weeks to develop and understand it. Happy to see this post, it makes my day much better. Not alone in hitting the wall 🙂 But for those who like a challenge, it is a very interesting new game, like Sudoku.

  31. Does the “ML” in “SAML” stand for “Marketing Lie”? 🙂

    What’s worse, SAML is really not that secure. The protocol assumes the consumer validates the SAMLResponse and cert signature correctly. But in practice, some smaller vendors will completely ignore the cert and signature, and the protocol doesn’t enforce this. All the work, and in the end, it’s essentially held in together by “the honor system.”

    Meanwhile, SSO in itself is a simple problem that can be solved with a couple lines of code.

    • If you say it can be solved in a couple of lines of code I would urge you to wrap this into a spec, publish it and market it and ensure that everybody will start using it; it will make our life much simpler!

      In the meantime, there are corporates big and huge that use SAML in many many systems and they would benefit greatly from the couple of lines of code. While you are at it, make sure it can be coupled with the many directory systems and ensure that we can still receive the correct info from authorisation servers; we (enterprise users) have specific needs that at this moment (unfortunately) cannot be solved with a couple of lines of code.
      That said, there are amazing toolsets and frameworks we as enterprise users can use and we can mostly configure our systems (rather than write code, even a couple of lines) to ensure we can meet customers’ (and in the end your) demands.

      I think it’s fair to say that authentication cannot be solved in a couple of lines of code.

        kevinseifert, posted 04/14/2016 at 9:37 am

        Heh, the lines of code depend on the problem. It will be a different few lines, for example, if you connect to a database or Active Directory.

        SSO existed long before SAML, and it was never as complicated as SAML has made it.

        I think the real problem is that as people are turning more to boxed software solutions, they can’t solve the simplest problems because they can’t modify the software in any way. As a result, SAML is really designed for people that can’t write code.

        Here are two simpler approaches to SSO:

        1. I write a service that validates a one-time-use random token, and returns session data. For example: I insert a random token into a database, and hand off the token to you over https. You can use it to look up session data from my service. You validate the token in place of username/password, and you can retrieve the user id and roles from the session.

        2. Encrypt a packet of data, which includes a timestamp, and pass it from one end point to another. A shared secret allows decryption of the auth credentials. The packet can contain userid/roles.
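The two sketches in the comment above, written out as working code. This is an added illustration, not kevinseifert’s code and not taken from any SAML product or library named on this page. Approach 1 is the redeem-once token store; approach 2 uses an HMAC tag over a timestamped packet instead of encryption, so the packet is authenticated rather than hidden (the secrecy part of the commenter’s scheme is deliberately left out, since the point being shown is the check the receiving side must enforce). It also addresses the earlier comment about SAML being “held together by the honor system”: here the consumer refuses anything whose tag, audience or expiry does not check out. The shared secret, the TTL, the `aud` field and the sample sessions are constructed values.

```python
"""Two minimal SSO hand-off schemes (constructed example):
1. a one-time-use opaque token redeemed against the issuer's token service;
2. a self-contained, timestamped packet authenticated with a shared secret."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: shared out of band between the two parties; never in a URL.
SHARED_SECRET = b"constructed-example-secret-not-for-real-use"
TOKEN_TTL_SECONDS = 60  # short lifetime bounds the replay window


# --- Approach 1: random token, looked up and consumed at the issuer ----------
class TokenService:
    """Issuer side: hand out an unguessable token, allow exactly one redemption."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self._store = {}  # token -> (session data, expiry time)
        self.ttl = ttl

    def issue(self, session, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._store[token] = (dict(session), now + self.ttl)
        return token  # handed to the relying party over HTTPS

    def redeem(self, token, now=None):
        """Return the session for a valid, unexpired, never-used token, else None."""
        now = time.time() if now is None else now
        entry = self._store.pop(token, None)  # pop: a second redemption finds nothing
        if entry is None:
            return None
        session, expires = entry
        if now > expires:
            return None
        return session


# --- Approach 2: self-contained packet with an HMAC tag ----------------------
def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_packet(session, audience, now=None):
    """Issuer side: serialise session + audience + timestamps, tag with HMAC-SHA256."""
    now = time.time() if now is None else now
    body = dict(session, aud=audience, iat=int(now), exp=int(now) + TOKEN_TTL_SECONDS)
    payload = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_packet(packet, audience, now=None):
    """Consumer side: accept only if tag, audience and expiry all check out."""
    now = time.time() if now is None else now
    try:
        payload, tag = packet.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None  # tag mismatch: tampered, or signed with another secret
    body = json.loads(_b64d(payload))
    if body.get("aud") != audience:
        return None  # packet minted for a different application
    if now > body.get("exp", 0):
        return None  # expired
    return body


if __name__ == "__main__":
    svc = TokenService()
    t = svc.issue({"uid": "alice", "roles": ["sales"]})
    print("first redeem :", svc.redeem(t))
    print("second redeem:", svc.redeem(t))  # None: single use
    p = make_packet({"uid": "alice", "roles": ["sales"]}, audience="crm")
    print("packet ok    :", verify_packet(p, "crm") is not None)
    print("wrong aud    :", verify_packet(p, "billing"))
```

The two checks that matter most for an SSO hand-off are the ones the comment leaves implicit: the token is consumed on first use (so a captured token cannot be replayed), and the packet is bound to an audience and an expiry, so a packet minted for one application is refused by another and stops working after a minute.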

  32. I completely feel your pain sir, thus a blog piece (rant) I wrote on the very topic many years ago. http://bentspine.com/sso-sucks/


2 Trackbacks/Pingbacks

  1. […] During my search for a developer’s experience in working with SAML, I’ve stumbled across this rather amusing read. […]
