3 comments

[ 3.2 ms ] story [ 21.2 ms ] thread
This was a great read, thank you for sharing. I deal with identity and federation problems all day at work because I am one of those annoying enterprise customers.

We’re just getting our external openid connect capability enabled and I’m excited to start getting everything moved over. We’re also moving all our internal apps over to openid connect for auth as well, exciting times.

SAML as a technology solves a pertinent problem.

@tptacek describes [0] a basic architecture that will qualify your startup infrastructure for SOC2 certification. SSO is key because it allows easy controls and auditing, and SAML (against shibboleth, KeyCloak, or a third party IdP) is an ideal fit, especially if you want to require multifactor auth for company resources with hard yubikeys instead of mobile authenticator apps, while also avoiding delegating this sensitive business function to google. Stick with SAML between your apps and everything is possible!

Even without needing SOC2, post COVID, it makes even more sense to bake SSO into your infrastructure because it's a lot easier to administrate remote work. All the more reason to consider SAML from the beginning.

That's the promise of SAML. So it's disheartening that its design/implementations may introduce more problems [1] than it fixes.

[0]: https://latacora.micro.blog/2020/03/12/the-soc-starting.html

[1]: https://www.stackallocated.com/blog/2020/saml-idp-no-shared-...

The link misses the most obvious mitigation: encryption and proper metadata management. Don't fault the protocol for poor implementations.