Identity Federation Pitfalls (SAML/OIDC)1 items

Common Issues & Tests

SAML signature wrapping: ensure signature covers the assertion actually consumed.
OIDC discovery pinning: pin `issuer` and JWKS; reject unexpected endpoints.
Clock skew and nonce handling: protect against replay and mix-up attacks.
Just-in-time (JIT) provisioning guardrails: role scoping, lifecycle cleanup.