
The use case you mention is exactly the reason why we have SAML2 and similar SSOs.

Except if you use SAML, now you have XML digital signatures. If you thought JWTs were bad, take a look at the specs for XML DSig sometime. You can specify multiple signed portions of a document, have multiple sigs, or choose to sign only a part, use a bunch of different algorithms, specify your own canonicalization rules, and you get all the usual fun of XML parsing risks.

If JWTs are bad, XML DSigs are "literally Cthulhu".
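The "sign only a part of the document" point above is where most real SAML verifier bugs live: a verifier can correctly validate a signature over one element and the application then reads identity claims from a different, unsigned element (XML Signature Wrapping). The following is an added example, not code from the thread or from any of the products mentioned. It models that failure with the standard library only: a Response carrying an Assertion with an enveloped signature, a wrapping attack that prepends a forged Assertion, a naive verifier that accepts it, and a hardened one that binds the identity it returns to the element the signature actually covered. The canonicalization (plain re-serialization), the HMAC in place of an RSA signature, the hex encoding and the key are stand-ins chosen for this illustration; real XMLDSig uses C14N, transforms and base64, but the checks shown (resolve the Reference to exactly one element, verify that element, then use only that element, and refuse documents with extra unsigned assertions) apply unchanged.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("saml", SAML), ("samlp", SAMLP), ("ds", DS)):
    ET.register_namespace(prefix, uri)

KEY = b"idp-signing-key-for-this-example"  # constructed; stands in for the IdP's private key


def q(ns, tag):
    return "{%s}%s" % (ns, tag)


def canon(elem):
    """Toy stand-in for C14N plus the enveloped-signature transform: copy the
    element, drop any ds:Signature child, and serialize deterministically."""
    c = copy.deepcopy(elem)
    c.tail = None
    for sig in c.findall(q(DS, "Signature")):
        c.remove(sig)
    return ET.tostring(c)


def build_signed_response(name_id, key=KEY):
    """IdP side: one Assertion with an enveloped signature referencing it by ID."""
    resp = ET.Element(q(SAMLP, "Response"), ID="_r1")
    assertion = ET.SubElement(resp, q(SAML, "Assertion"), ID="_a1")
    subject = ET.SubElement(assertion, q(SAML, "Subject"))
    ET.SubElement(subject, q(SAML, "NameID")).text = name_id
    digest = hashlib.sha256(canon(assertion)).hexdigest()
    sig = ET.SubElement(assertion, q(DS, "Signature"))
    signed_info = ET.SubElement(sig, q(DS, "SignedInfo"))
    ref = ET.SubElement(signed_info, q(DS, "Reference"), URI="#_a1")
    ET.SubElement(ref, q(DS, "DigestValue")).text = digest
    # HMAC over SignedInfo replaces the RSA signature of real XMLDSig.
    ET.SubElement(sig, q(DS, "SignatureValue")).text = hmac.new(key, canon(signed_info), "sha256").hexdigest()
    return ET.tostring(resp)


def verify_signature(root, sig, key=KEY):
    """Check one ds:Signature; return the element it covers, or None if invalid."""
    signed_info = sig.find(q(DS, "SignedInfo"))
    ref = signed_info.find(q(DS, "Reference")) if signed_info is not None else None
    sig_value = sig.findtext(q(DS, "SignatureValue"))
    if ref is None or sig_value is None or not ref.get("URI", "").startswith("#"):
        return None
    target_id = ref.get("URI")[1:]
    targets = [e for e in root.iter() if e.get("ID") == target_id]
    if len(targets) != 1:  # missing or duplicated ID: refuse to guess which one
        return None
    target = targets[0]
    if ref.findtext(q(DS, "DigestValue")) != hashlib.sha256(canon(target)).hexdigest():
        return None
    expected = hmac.new(key, canon(signed_info), "sha256").hexdigest()
    return target if hmac.compare_digest(expected, sig_value) else None


def naive_name_id(xml):
    """Vulnerable SP: validates *a* signature, then reads the first Assertion it finds."""
    root = ET.fromstring(xml)
    sig = root.find(".//" + q(DS, "Signature"))
    if sig is None or verify_signature(root, sig) is None:
        raise ValueError("bad signature")
    # BUG: identity comes from document order, not from the element that was verified.
    return root.findtext("%s/%s/%s" % (q(SAML, "Assertion"), q(SAML, "Subject"), q(SAML, "NameID")))


def hardened_name_id(xml):
    """SP that only trusts the element the signature covered, and nothing else."""
    root = ET.fromstring(xml)
    sigs = root.findall(".//" + q(DS, "Signature"))
    if len(sigs) != 1:
        raise ValueError("expected exactly one signature")
    signed = verify_signature(root, sigs[0])
    if signed is None:
        raise ValueError("bad signature")
    if signed.tag != q(SAML, "Assertion") or signed not in list(root):
        raise ValueError("signed element is not a top-level Assertion")
    if len(root.findall(".//" + q(SAML, "Assertion"))) != 1:
        raise ValueError("extra unsigned Assertion present")
    return signed.findtext("%s/%s" % (q(SAML, "Subject"), q(SAML, "NameID")))


def wrap(xml, forged_name_id):
    """Attacker: keep the signed Assertion intact but put a forged one in front of it."""
    root = ET.fromstring(xml)
    evil = ET.Element(q(SAML, "Assertion"), ID="_evil")
    ET.SubElement(ET.SubElement(evil, q(SAML, "Subject")), q(SAML, "NameID")).text = forged_name_id
    root.insert(0, evil)
    return ET.tostring(root)


def tamper(xml, new_name_id):
    """Attacker: edit the signed Assertion itself; the digest no longer matches."""
    root = ET.fromstring(xml)
    root.find(".//" + q(SAML, "NameID")).text = new_name_id
    return ET.tostring(root)


def accepts(verifier, xml):
    """Return the NameID the verifier would log in as, or None if it rejects."""
    try:
        return verifier(xml)
    except ValueError:
        return None


if __name__ == "__main__":
    genuine = build_signed_response("alice")
    print("naive/genuine  :", accepts(naive_name_id, genuine))
    print("hardened/genuine:", accepts(hardened_name_id, genuine))
    print("naive/wrapped  :", accepts(naive_name_id, wrap(genuine, "admin")))
    print("hardened/wrapped:", accepts(hardened_name_id, wrap(genuine, "admin")))
    print("naive/tampered :", accepts(naive_name_id, tamper(genuine, "admin")))
```

The tampered case is the one most verifiers handle; the wrapped case is the one that gets missed, because every cryptographic check passes and the flaw is purely in which element the application reads afterwards. In a real deployment the same discipline applies with a proper XMLDSig library: take the element the library reports as verified, not the result of a fresh XPath over the whole document.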

I was involved tangentially with a project where there was a SAML2 based federated login to be put in place and I remember there were 3 conference calls before the devs implementing it even understood the flow. I don't even think the guys on the other end understood it properly.

It appears to be much, much simpler to just integrate JWT into your system than deploy a SAML identity provider. I would love to see an easy to deploy decent SAML IdP, but so far I have not found one. If anyone has any recommendations I would love to hear them.

They don't exist! IMHO ADFS is actually the best of a bad lot. Your friendly Windows Admin can set up the SSO in a matter of minutes without having to know the spec inside out and upside down.

The other platforms I've used or integrated with - Tivoli, Layer 7, Ping Federate, a huge hack job written in PHP - all took weeks/months to get working.

That said, I haven't tried Spring SAML recently, so maybe that is painless now. But probably not.

I've been happy with SimpleSAMLPhp in production for about 6 years now. Configuration was very straightforward and the whole process was order-of-magnitude simpler than any other SAML IdP we tried at the time.

Keycloak (http://www.keycloak.org/) is quite easy to deploy.

For our usage, even that was overkill and we are using Ipsilon (https://ipsilon-project.org/), with IPA backend. It is more quirky, docs are scarce, but it works for us.

On app side, it is mod_auth_mellon.

Shibboleth should cover the "decent" side of your question, given it's pretty heavily used in academia. The SP side of things is fairly straightforward to setup; whether the IdP counts as easy to deploy is probably a matter of opinion and experience.

If you're looking for a self-hosted solution I can't help, but as far as a provider goes we've had decent success with Okta. Of course SAML kind of sucks no matter how you slice it, and Okta seems to think the future is in standards like OpenID Connect.
