Agreed. XML Signatures is the worst part of SAML. It's a spec that's basically begging to be done wrong. I remain confused as to what W3C were thinking.

https://ssoready.com/blog/engineering/xml-dsig-is-unfortunat...




SAML literally predates most modern cryptography, including basic notions like the inseparability of encryption and authentication. It's a backwater that until relatively recently was confined to clanking enterprise deployments, and OIDC means it will never be modernized; the "next modernizing step" would be to simply turn it into OIDC.


> it will never be modernized; the "next modernizing step" would be to simply turn it into OIDC.

To say nothing of the fact that the standards body responsible for pushing SAML forward has shut down:

> At the request of the members (https://www.oasis-open.org/apps/org/workgroup/security/email...), the Security Services (SAML) TC has closed.

Source: https://lists.oasis-open.org/archives/security-services/2023...

(Ironically, the TLS cert for that site has also expired.)



