SecPrep

What are the main security risks in SAML SSO, and how does it differ security-wise from OIDC?

SAML carries XML assertions signed by the IdP, so most of its risk sits in how the SP parses and verifies that XML. XML Signature Wrapping (XSW) is the headline attack: the attacker leaves the IdP's genuinely signed assertion in the document, so the signature still verifies against the element its Reference URI points to, and injects a forged assertion in the place the application actually reads from (typically the first Assertion an XPath query returns). The result is authentication bypass or impersonation with a signature that checks out.

Other pitfalls: not validating the signature at all, or accepting unsigned assertions/responses; verifying against whatever certificate arrives in KeyInfo instead of the IdP's pinned certificate; skipping Audience/Recipient checks, which lets an assertion issued for another SP be accepted here; skipping NotBefore/NotOnOrAfter and InResponseTo checks (and not caching seen assertion IDs), which enables replay; XXE and entity-expansion attacks through the XML parser; and trusting assertions from any IdP rather than those in the SP's metadata.

vs OIDC: ID tokens are signed JWTs (JSON). There is no canonicalization and no ID-referenced signature, the signature covers the whole compact token, so the "what is signed vs what is read" gap that XSW exploits largely disappears and validation is simpler. OIDC has its own pitfalls: alg:none, RS256-to-HS256 key confusion (the public key used as an HMAC secret), accepting tokens without checking iss, aud, exp and nonce, and fetching JWKS from an issuer URL the attacker can influence.

Mitigate SAML by verifying signatures against the IdP certificate from metadata; resolving the signed element by its Reference ID and reading claims only from that element, rejecting responses with more than one Assertion or a signed element in an unexpected position; enforcing Audience, Recipient, the validity window and InResponseTo; disabling DTDs and external entity resolution in the parser; and preferring a maintained SAML library over hand-rolled checks.
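The wrapping attack and the two verifier behaviours described above, as an added example (not code from the original page, and not a real SAML library). The signature scheme is a stand-in: an HMAC over the SHA-256 digest of the canonicalised (C14N) referenced element, keyed with a constructed IdP secret; real XML-DSig signs SignedInfo with the IdP's private key. What is kept is the part XSW abuses: the Reference URI resolves an element by ID, and the verifier and the application can disagree about which element that is. The key, the SP audience URL and all SAML content are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
for _prefix, _uri in (("samlp", SAMLP), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

IDP_KEY = b"constructed-idp-signing-key"      # constructed; stands in for the IdP's key
SP_AUDIENCE = "https://sp.example/metadata"     # hypothetical SP entity ID


def digest(elem):
    """SHA-256 over the C14N form of one element: what the Reference covers."""
    c14n = ET.canonicalize(ET.tostring(elem, encoding="unicode"))
    return hashlib.sha256(c14n.encode()).hexdigest()


def make_signed_response(name_id, not_on_or_after, assertion_id="_a1"):
    """IdP side: a Response with one Assertion and a Signature referencing it by ID."""
    assertion = (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="{assertion_id}">'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
        f'<saml:Audience>{SP_AUDIENCE}</saml:Audience></saml:AudienceRestriction>'
        f'</saml:Conditions></saml:Assertion>'
    )
    d = digest(ET.fromstring(assertion))
    sig = hmac.new(IDP_KEY, d.encode(), "sha256").hexdigest()
    signature = (
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#{assertion_id}">'
        f'<ds:DigestValue>{d}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
        f'<ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature>'
    )
    return f'<samlp:Response xmlns:samlp="{SAMLP}">{signature}{assertion}</samlp:Response>'


def wrap_forged_assertion(response_xml, victim):
    """Attacker side (XSW): forge an Assertion for `victim` and hide the genuine, signed one
    inside it. The Signature still resolves #_a1 and verifies; the forged one now comes
    first in document order."""
    root = ET.fromstring(response_xml)
    genuine = root.find(f"{{{SAML}}}Assertion")
    root.remove(genuine)
    forged = ET.SubElement(root, f"{{{SAML}}}Assertion", ID="_evil")
    ET.SubElement(ET.SubElement(forged, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = victim
    forged.append(genuine)
    return ET.tostring(root, encoding="unicode")


def verified_element(root):
    """Resolve the Reference by ID, check digest and signature; return the covered element."""
    sig = root.find(f"{{{DS}}}Signature")
    ref = None if sig is None else sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if ref is None or not ref.get("URI", "").startswith("#"):
        return None
    target = next((e for e in root.iter() if e.get("ID") == ref.get("URI")[1:]), None)
    claimed = ref.findtext(f"{{{DS}}}DigestValue") or ""
    expected_sig = hmac.new(IDP_KEY, claimed.encode(), "sha256").hexdigest()
    if target is None or not hmac.compare_digest(sig.findtext(f"{{{DS}}}SignatureValue") or "", expected_sig):
        return None
    return target if hmac.compare_digest(digest(target), claimed) else None


def naive_name_id(response_xml):
    """Vulnerable: asks 'is there a valid signature?' then reads the first Assertion found."""
    root = ET.fromstring(response_xml)
    if verified_element(root) is None:
        raise ValueError("signature invalid")
    return root.find(f".//{{{SAML}}}Assertion").findtext(f".//{{{SAML}}}NameID")


def hardened_name_id(response_xml, now, audience=SP_AUDIENCE):
    """Reads only from the element the signature covers and enforces shape and conditions."""
    root = ET.fromstring(response_xml)
    assertion = verified_element(root)
    if assertion is None or assertion.tag != f"{{{SAML}}}Assertion":
        raise ValueError("signature does not cover an Assertion")
    if not any(child is assertion for child in root):
        raise ValueError("signed Assertion is not a direct child of Response (wrapping)")
    if len(root.findall(f".//{{{SAML}}}Assertion")) != 1:
        raise ValueError("more than one Assertion in Response")
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("missing Conditions")
    if now >= datetime.strptime(cond.get("NotOnOrAfter", ""), "%Y-%m-%dT%H:%M:%SZ"):
        raise ValueError("assertion expired")
    if cond.findtext(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") != audience:
        raise ValueError("assertion not addressed to this SP")
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def outcome(fn, *args):
    """Run a verifier and report either the NameID it accepted or why it refused."""
    try:
        return fn(*args)
    except ValueError as exc:
        return f"rejected: {exc}"


def demo():
    now = datetime(2024, 1, 1, 12, 0, 0)           # constructed clock value
    genuine = make_signed_response("alice", "2024-01-01T12:05:00Z")
    attack = wrap_forged_assertion(genuine, "admin")
    stale = make_signed_response("alice", "2024-01-01T11:00:00Z")
    return {
        "naive_genuine": outcome(naive_name_id, genuine),
        "naive_attack": outcome(naive_name_id, attack),        # valid signature, wrong subject
        "hardened_genuine": outcome(hardened_name_id, genuine, now),
        "hardened_attack": outcome(hardened_name_id, attack, now),
        "hardened_stale": outcome(hardened_name_id, stale, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive verifier and the attack share the same parsed tree, yet the naive one logs "admin" in while the signature check genuinely passes, because the check and the read resolve different elements. The hardened verifier ties the read to the verified element and rejects any document whose shape differs from the one the IdP would emit. Python's expat-based ElementTree does not resolve external entities, so the parse step here is not XXE-prone; with lxml or most Java/.NET parsers, DTD processing and external entity resolution must be switched off explicitly.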
