1

What are people's thoughts on SAML?
Any experience with it?

What about GDPR issues, avoiding the use of cookies etc?

Comments
  • 1
    + mutual cryptographic security if required
    + transports only a limited amount of data
    + single logout supported
    + no user-specific sensitive information required
    + no CORS problems
  • 1
    Cookies can't be avoided, since every request for a secured path would trigger a redirect to the SSO. But third-party cookies or cookies that are used across domains are not required anymore.
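    The flow that the comments above describe (a request to a protected path with no first-party session cookie triggers a redirect to the IdP, and the AuthnRequest itself carries very little data) is sketched below as an added example. It is not code from the original thread or from any commenter; the entity IDs, URLs and the cookie name are placeholders, and only a first-party session cookie is consulted.

```python
"""SAML 2.0 SP-initiated login: HTTP-Redirect binding encoding plus the
first-party session check that decides whether to redirect at all.
Added example, not from the original thread.  All identifiers below are
made-up placeholders."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP/IdP identifiers for this example.
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
SP_ACS_URL = "https://app.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/sso/redirect"
SESSION_COOKIE = "app_session"  # first-party cookie set by the SP itself


def build_authn_request(request_id=None, issue_instant=None):
    """Build a minimal AuthnRequest. The ID is an xs:ID, so it must start
    with a letter or underscore, hence the '_' prefix."""
    rid = request_id or "_" + uuid.uuid4().hex
    instant = (issue_instant or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": rid,
        "Version": "2.0",
        "IssueInstant": instant,
        "Destination": IDP_SSO_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": SP_ACS_URL,
    })
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer")
    issuer.text = SP_ENTITY_ID
    return rid, ET.tostring(req, encoding="unicode")


def encode_redirect(xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header, wbits=-15),
    then base64, then URL-encode into the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(url):
    """Inverse of encode_redirect, as the IdP does it: URL-decode the
    query, base64-decode, inflate. Returns (xml, relay_state)."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


def handle_request(path, cookies, protected_prefix="/app/"):
    """SP middleware decision for one request.
    Returns ("serve", None) for unprotected paths or when the SP's own
    session cookie is present; otherwise ("redirect", idp_url).
    No cross-domain or third-party cookie is ever read."""
    if not path.startswith(protected_prefix) or cookies.get(SESSION_COOKIE):
        return "serve", None
    _rid, xml = build_authn_request()
    # RelayState carries the originally requested path through the IdP so the
    # SP can return the user there after consuming the assertion at the ACS.
    return "redirect", encode_redirect(xml, relay_state=path)
```

    In a real deployment the SP would also record the generated request ID so it can check the InResponseTo of the returned assertion, and would sign the redirect (SigAlg/Signature parameters) when the IdP requires it; both are left out here to keep the binding itself visible.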
  • 1
    Horribly complicated if you need to fully implement it on your own. It's a federation service and has no GDPR complications. Just make sure the right to be forgotten is followed everywhere.
    The main reason I've worked with it is because of MS/Azure Active Directory.

    I find OpenID Connect (OIDC) simpler to implement. Depending on your needs you might be able to support multiple protocols through a service like AWS Cognito (the cheapest) and only need to implement OIDC yourself.
  • 1
    @hjk101 horribly complicated was my fear...
  • 0
    @ojt-rant there are many libs that take away the complexity or separate it into manageable bits.
  • 2
    anything that's based on XML is pure, unadulterated, weapons-grade cancer.
  • 2
    @tosensei you hate the open document format, openstreetmap and svg?
  • 0
    @stop

    open document format: yes, it's terrible. it's just preferable as "the lesser evil" compared to the _closed_ document format, which also is just a bunch of XML.

    openstreetmap: don't care, never used it.

    svg: the few times i had to deal with it, it was exclusively for fixing bugs caused by its peculiarities.