Not only is it complicated, the lack of documentation and the leaky XML libraries that abound ensure that whoever ends up implementing SAML are prone to make security mistakes.
I've audited two systems that used SAML to authenticate their users, both times I found XXE vulnerabilities that let me read files from their servers with the permissions of the webserver process.
I've audited two systems that used SAML to authenticate their users, both times I found XXE vulnerabilities that let me read files from their servers with the permissions of the webserver process.