SAML
This article is a stub. You can help the IndieWeb wiki by expanding it.
SAML is an older set of identity standards, often used by enterprises and governments for single sign-on, that has a trusted certificate as a single point of vulnerability. That weakness was exploited in 2020 to sign in to numerous high-value US government and other accounts. IndieAuth, in contrast, is distributed by nature and so has no single point of certificate vulnerability.
See Also
- Criticism: more vulnerabilities! 2020-12-14 Coordinated disclosure of XML round-trip vulnerabilities in Go's standard library
There are several potential security problems created by these vulnerabilities, one of which is a complete bypass of SAML authentication.
- https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach
- https://en.wikipedia.org/wiki/Identity_provider
- 2019-07-16 Hacker News: IndieAuth – A federated login protocol using one's own domain name
That's basically what we have to do as a SAML service provider. […]
- 2018-12 W3C Workshop on Strong Authentication & Identity
[…] The workshop explored aligning recent W3C specifications […] as well as other existing community standards such as IndieAuth, Open ID Connect, OAuth, and SAML.
- Persona, OpenID, SAML, WebID, and Webfinger
- Map of OAuth 2.0 Specs (mentions SAML and IndieAuth)
- Reply about IndieAuth, where later on someone brings up SAML: https://twitter.com/dmitshur/status/1248596283536834560
- "Have you considered using IndieAuth (https://indieauth.spec.indieweb.org) which does the same now?
I've implemented it on my personal site (https://github.com/shurcooL/home/issues/34) and I'm very happy with it. Especially during GitHub outages." @dmitshur April 10, 2020
- ^ downstream reply: https://twitter.com/apenwarr/status/1248452527000936451
- "I don't know enough personally. SAML seems a bit horrible, but I think the required baseline functionality might be enough to consistently login. It has a lot of optional features but I'm less offended about that." @apenwarr April 10, 2020