alt Hacker NewsThe authorization model is bespoke to your ecosystem. Whether you do that with claims, scopes or assertions is irrelevant. None of these are hacks, but they can’t be simply standardized either. Provisioning/Deprovisioning is a separate concern; SCIM is one way (but just in time provisioning can also be achieved with both solutions).
There’s no reason to choose SAML other than for legacy integration.
I don’t disagree, I’m all for OIDC + SCIM if it isn’t clear from my comments.
Just also don’t automatically assume one solves all the problems of the other, there is still some significant difference between them that makes SAML something the businesses will ask for.