How are you guys finding the tools for supporting SAML SSO? I only recently had to stare into the abyss and found it to be a rather abysmal(harhar) experience.
One of the most popular service providers, Shibboleth, was a PITA to get setup the first time. Terribly complicated to get going from ZERO to signed in with ADFS as the ident provider. Options available for distribution and clustering are not up with the times. Only supported SHA1 hashing. Etc, etc. I know the guys put a lot of effort in on it and are pretty helpful on list but... I can't help but feel that 2014 deserves a better SSO experience :|
I can't speak for the services out there. We built on top of open source libraries to roll our own solution. The protocol is actually pretty straight-forward to implement.
I found the tools weak at best, confusing and overcomplicated at worst. The code from OneLogin [1] was the clearest example I found, but it leaves various things as an exercise for the reader, such as obtaining the relevant public key and establishing trust in that key.
I ended up doing a lot of custom stuff that is highly specific to the particular SAML implementation in use at my company. For example, the public signing key is included with the SAML response (on successful sign on) as an x509 certificate. I extract if from there and establish trust by verifying the signature chain (up to the root SSL certs included in my distro). But, SAML also allows embedding raw RSA or DSA keys, or presumably none at all (and you'd store the trusted key somewhere as a configuration value). So I don't support "SAML" but "the specific SAML implementation currently in use at my company".
But I've worked closely with an OAuth client before as well, and in the end I'd say they are roughly equivalent in terms of ease of use, but there was a larger learning curve for SAML (and XML-DSig is frustrating due to whitespace sensitivity among other things. Implementation seems like a huge burden if your language lacks it).
Care to share the most... er... painful painpoints? We're about to embark on a journey of implementing a SSO solution and are evaluating Windows Identity Foundation.
We went with SAML mainly because of the standardization. A lot of different technologies are in use at Rackspace because teams are given a lot of autonomy. There are open source SAML libraries out there for pretty much any language, so having another team hook into our SSO solution isn't too difficult.
9 comments
[ 3.2 ms ] story [ 19.9 ms ] threadOne of the most popular service providers, Shibboleth, was a PITA to get setup the first time. Terribly complicated to get going from ZERO to signed in with ADFS as the ident provider. Options available for distribution and clustering are not up with the times. Only supported SHA1 hashing. Etc, etc. I know the guys put a lot of effort in on it and are pretty helpful on list but... I can't help but feel that 2014 deserves a better SSO experience :|
I ended up doing a lot of custom stuff that is highly specific to the particular SAML implementation in use at my company. For example, the public signing key is included with the SAML response (on successful sign on) as an x509 certificate. I extract if from there and establish trust by verifying the signature chain (up to the root SSL certs included in my distro). But, SAML also allows embedding raw RSA or DSA keys, or presumably none at all (and you'd store the trusted key somewhere as a configuration value). So I don't support "SAML" but "the specific SAML implementation currently in use at my company".
But I've worked closely with an OAuth client before as well, and in the end I'd say they are roughly equivalent in terms of ease of use, but there was a larger learning curve for SAML (and XML-DSig is frustrating due to whitespace sensitivity among other things. Implementation seems like a huge burden if your language lacks it).
[1] https://github.com/onelogin/java-saml But see other language impls. as well
I don't know a single person that enjoyed dealing with SAML SSO (myself included, using shib)