SShortSingh.
Back to feed

OIDC vs SAML: Why B2B Teams Will Likely Need Both Protocols

0
·1 views

When enterprise clients request single sign-on (SSO), B2B software teams typically face a choice between two protocols: OIDC, introduced in 2014 and built on JSON and OAuth 2.0, and SAML, a 2005 XML-based standard still dominant in large organizations. In practice, developers rarely get to choose freely — the client's existing IT infrastructure, whether a legacy on-premise identity provider or a modern platform like Okta, determines which protocol is required. OIDC is generally preferred for first-party apps, modern web applications, and clients using current identity platforms, while SAML remains unavoidable for enterprise clients with older systems. Both protocols carry security risks, but SAML's XML signature validation is considered especially error-prone, with well-documented vulnerabilities such as signature wrapping attacks affecting even experienced teams. As a result, most B2B products serving enough enterprise customers will eventually need to support both protocols simultaneously.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Developer builds open-source tool to verify and sign AI skill packages

A developer has released Skillerr, an open-source CLI and protocol designed to add cryptographic verification to AI skill packages used by agents in tools like Claude, Cursor, and Codex. The project addresses a growing supply-chain concern: AI skills are typically plain Markdown files with no way to confirm their author, integrity, or whether they have been tampered with. Skillerr assigns each packaged skill a SHA-256 hash and structured contract detailing its permissions, inputs, and outputs, and rejects execution if any file has been altered after packaging. Authors can optionally sign their skills and anchor a package digest in Sigstore's public transparency log for independent verification. The tool is available on GitHub and the developer is actively inviting the community to test it for security vulnerabilities.

0
ProgrammingDEV Community ·

Developers Over-Engineered AI Agents but Left Their Own Workflow Unstructured

A software engineering analysis argues that developers have built extensive tooling to keep AI coding agents on track — including linters, CI pipelines, and rules files — but have applied almost no equivalent structure to managing their own work across multiple tasks. The piece distinguishes two distinct loops: an execution loop focused on completing a single task correctly, and an orientation loop concerned with maintaining a shared, accurate picture of all ongoing work. Most existing tools address only the execution loop, leaving the orientation loop to informal methods like manually updated markdown files. Research from ETH Zurich, cited in the article, found that AGENTS.md context files offer minimal benefit to agents and can even slightly reduce performance, while costing over 20% more in context overhead. The author calls for 'harness engineering' to be turned inward, applying the same disciplined, automated accountability to the human operator's workflow that is already standard practice for AI agents.

0
ProgrammingDEV Community ·

stoneChat Brings AI Chat to Windows XP and Internet Explorer 6

A developer has released stoneChat, a locally hosted LLM web chat client designed to run on Windows XP-era hardware using Internet Explorer 6. The project uses a PHP backend to handle chat requests, with stunnel added to enable HTTPS connectivity for modern AI API endpoints. It supports OpenAI-compatible APIs, and each model can be individually configured with its own endpoint, API key, token limit, and streaming settings via an INI file. User management, language preferences, and keyboard behavior are also controlled through the same configuration file. The application requires PHP 5.4 or newer on Windows and is launched via a RUN.cmd script, with source code available on GitHub under the WTFPL license.

0
ProgrammingDEV Community ·

Developer Builds Free Serverless Bluesky AI Bot Using GitHub Actions and Gemini API

A developer created an automated Bluesky posting bot to maintain consistent social media presence without consuming development time. The bot runs entirely on free infrastructure, using GitHub Actions for scheduled execution, Google's Gemini API for AI-generated content, and Bluesky's official API for publishing. Credentials are stored securely as GitHub Secrets, eliminating the need for a paid VPS or cloud service. Bot behavior, including posting schedule, topics, and tone, is controlled through a configuration file rather than hardcoded values. The completed project has been published publicly on GitHub for others to reuse and adapt.

OIDC vs SAML: Why B2B Teams Will Likely Need Both Protocols · ShortSingh