The biggest problem with SAML is probably XML-DSig. The spec is ridiculously complex, but unfortunately the implementations are no better. You're de facto either using libxmlsec1 or the Java stdlib. libxmlsec1 is (anecdotally) a terrifying mess of C that most SAML integration libraries desperately want you to run in-process with your server.

There's a totally palatable mini-SAML within SAML waiting to come out. It already exists informally: it's whatever GSuite and Okta's default metadata.xml will give you, and it summarizes to "one signature, on the outside, no encryption".

You kind of need to do SAML, though, unless you don't care about selling to companies at all. Smaller companies may or may not be able to do OIDC, but pretty much everyone can do SAML. You just want to have someone else be responsible for the SAML laundromat part (that is: ingesting gross SAML from the Internet and translating it to a friendly consistent format, which doesn't necessarily have to be SAML too). For all its flaws, Cognito fits that bill, as does Okta.
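The "one signature, on the outside, no encryption" profile the comment describes can be enforced as a structural gate before a message ever reaches libxmlsec1 or the Java XML-DSig stack. The Python below is an added example, not code from the comment's author or from any of the products named; it uses only the standard library, the sample Responses are constructed inline with placeholder signature values (no real cryptography), and it does not verify the signature itself, which still has to happen afterwards. It rejects documents with more than one `ds:Signature`, a signature that is not a direct child of the `samlp:Response`, a signature whose `Reference` does not cover the root `ID`, any `EncryptedAssertion`/`EncryptedData`, and duplicate `ID` attributes (which make `#ID` references ambiguous).

```python
"""Profile gate: accept only SAML Responses shaped 'one signature, on the outside,
no encryption' before handing them to an XML-DSig implementation.
Added example; not production code. Parse with defusedxml in a real deployment."""
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
NS_XENC = "http://www.w3.org/2001/04/xmlenc#"

RESPONSE = f"{{{NS_SAMLP}}}Response"
SIGNATURE = f"{{{NS_DS}}}Signature"
REFERENCE = f"{{{NS_DS}}}Reference"
ENCRYPTED_ASSERTION = f"{{{NS_SAML}}}EncryptedAssertion"
ENCRYPTED_DATA = f"{{{NS_XENC}}}EncryptedData"


def profile_errors(xml_bytes: bytes) -> list[str]:
    """Return a list of profile violations; an empty list means the document
    has the expected shape (it says nothing about signature validity)."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    errors = []
    if root.tag != RESPONSE:
        errors.append(f"root element is {root.tag}, expected samlp:Response")

    # Exactly one Signature in the whole document ...
    sigs = root.findall(f".//{SIGNATURE}")
    if len(sigs) != 1:
        errors.append(f"expected exactly 1 ds:Signature, found {len(sigs)}")

    if sigs:
        sig = sigs[0]
        # ... sitting directly under the Response ("on the outside") ...
        if not any(child is sig for child in root):
            errors.append("ds:Signature is not a direct child of samlp:Response")
        # ... whose single Reference points at the root's own ID, so the signed
        # bytes are the whole message rather than some sub-element.
        uris = [ref.get("URI") for ref in sig.findall(f".//{REFERENCE}")]
        root_id = root.get("ID")
        if len(uris) != 1 or not root_id or uris[0] != f"#{root_id}":
            errors.append(f"Reference URIs {uris} do not cover root ID {root_id!r}")

    # No encryption anywhere.
    if root.findall(f".//{ENCRYPTED_ASSERTION}") or root.findall(f".//{ENCRYPTED_DATA}"):
        errors.append("encrypted content present")

    # ID attributes must be unique, otherwise a '#ID' reference is ambiguous.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        errors.append("duplicate ID attributes")
    return errors


# --- Constructed sample inputs (hypothetical IdP, placeholder SignatureValue) ---
def signature_block(ref_id: str) -> str:
    return (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{ref_id}"/></ds:SignedInfo>'
            f'<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>')


def build_response(inner: str = "", outer: str = "") -> bytes:
    """`outer` is placed directly under the Response, `inner` inside the Assertion."""
    return f"""<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}"
  xmlns:ds="{NS_DS}" xmlns:xenc="{NS_XENC}" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>{outer}
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>{inner}
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>""".encode()


GOOD = build_response(outer=signature_block("_r1"))               # the mini-SAML shape
INNER_ONLY = build_response(inner=signature_block("_a1"))         # signed assertion, unsigned envelope
TWO_SIGS = build_response(inner=signature_block("_a1"), outer=signature_block("_r1"))
ENCRYPTED = build_response(outer=signature_block("_r1")
                           + "<saml:EncryptedAssertion><xenc:EncryptedData/></saml:EncryptedAssertion>")

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("INNER_ONLY", INNER_ONLY),
                      ("TWO_SIGS", TWO_SIGS), ("ENCRYPTED", ENCRYPTED)]:
        print(name, profile_errors(doc) or "ok")
```

Anything that fails this gate is handed back to whoever runs the "laundromat" rather than to the signature library; anything that passes still needs its one signature verified against the IdP's key from metadata, but the verifier now only ever sees the simple shape.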