Having worked with implementing SAML for a large University-funded application, I learned more than I ever wanted to know but less than I needed to know.
This is exactly how it works every time I need to touch SAML. Spend two weeks with the Ping Identity manual, somehow get everything working, forget all about it until the next time a customer wants it :}
Ping ID is "SAML" - they actually don't comply with the spec. If you remove the Bearer element from the SAMLRequest, you should be on your way. Ask me how I know.
I see this comment often, but when I implemented SAML, the spec wasn't too unreadable... I did write my own IdP [0] instead of using something that existed though, since those were more complicated than I needed.
So maybe because I only implemented features I was using it wasn't bad. What did you struggle with?
When I tried to do this, I was looking at an OASIS spec I think? Several hundred pages? I found it to be quite impenetrable. Mainly because of all the jargon. It was all defined of course, but just in terms of other jargon. It was a bit like trying to understand monads by reading Wikipedia. In the end I spent about a month on the project, with basically nothing to show for it. If GPT had existed at the time, I probably could have gotten enough of a foothold using AI conversations to understand the spec.
I was in charge of a SaaS offering for Academic and Public libraries years ago, and we had to add SAML functionality for the Academic side ... it was a frustrating few weeks, and I was glad when it was over.