> Let's just say my interaction with managing websites that used SAML was less than pleasant.
My interactions supporting it as both the identity provider & the service provider have lead to me being the SAML person at work, and I'm now very used to people either laughing at my misfortune or giving me pitiful looks.
It combines all the wonderful antipatterns you can name: a protocol where near everything is optional and two standards-compliant implementations can refuse to cooperate in any number of ways, hair raising security decisions (XML-DSIG?! configurable crypto? ughh), and half-baked features (back-channel SLO, anyone?)
It's a Lovecraftian horror that actually makes me appreciate JWTs.
I was also the SAML person at one point in my career and I 100% agree. I used to laugh at all the HN criticisms of JWT because of how much of a nightmare SAML is.
Do you renew the certificates used to distribute the public keys in SAML metadata, and if so why do you do it? I have had a hard time convincing people it is useless to renew those certs and have yet to find an implementation that care about those certificates.
Renewing the certificates seems technically pointless, but some organizations/federations require it.
Rotating the keys would make some sense, but just swapping the cert for a new one issued against the same keys doesn't. It's the easiest way to fulfill those requirements, because you don't need to synchronize the metadata updates, the signatures are always valid with both the old and new cert.
Make senses, most bigger federations do not bother with this luckily for us it is just specific idps.
> synchronize the metadata updates
Sadly I know many implementations that do not handle key changes in the metadata in a smooth way. The two SPs I have from Adobe both require manual updating of one key per idp, making a switch pain to synchronize.
All my x509s for SAML signing are self-signed, and all my self-signed certs live for 9999 days and I plan to let someone else figure out the fallout from that as I'm going to be /retired/. No one has ever really complained. Some IdPs I've integrated with use certificates that are signed by public CAs and it's always a hassle because the ergonomics around it are terrible.
IMO, I think rotation is wildly useless too. It might make sense in a world where my signing certificate was decoupled from the metadata someone else has to very likely load by hand.
Yes, JWTs are so simple compared to what came before that it's hard to argue with them. Just make sure your verification doesn't allow none or old ciphers and you're basically fine.
"Suffering A Massive Lot" - jk
Let's just say my interaction with managing websites that used SAML was less than pleasant.