Why we said NO to SSO for years (and why that "No" just turned into a "Yes")
It's not a change of heart... it's a change of protocol
For years, the most consistent feature request we received was SSO support. And for years, the answer from our side was a firm, well-reasoned, and occasionally impassioned “no.”
That position was never arbitrary. It was a direct consequence of what SSO meant in practice for most of that time: SAML.
SAML is old. It was designed in an era when XML was considered elegant, and when “federated identity” was a concept so new that nobody had yet discovered all the ways it could go wrong. The CVE history of SAML implementations across the industry is not a pretty read. XML signature wrapping attacks. Assertion forgery. Parser differentials that let maliciously crafted tokens slip past validation. Most of these share one root cause: the XML signature is verified against whatever element its reference points to, while the application reads the identity data from an element it locates separately, and anything that makes those two lookups disagree (a second assertion, a duplicated ID, a comment that one parser sees and another does not) turns a valid signature into a forged login. Nearly every major SAML library has been burned by at least one of these, and many have been burned repeatedly.
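To make the signature wrapping problem concrete, here is an added example (not Syncplify's code, and not a real SAML library) that reduces XMLDSig to an HMAC over the serialised bytes of the element a `<Signature>` references by ID. The key, the response and the attacker's edit are all constructed for illustration. A naive validator checks the signature and then reads "the Assertion" with a separate lookup; the strict one only ever reads from the element it verified, and rejects any document that does not have the expected shape.

```python
"""Added example, not Syncplify's code: why XML signature wrapping defeats a
naive SAML validator. XMLDSig is reduced to an HMAC over the serialised bytes
of the element the <Signature> references by ID; the key, the response and
the attacker's edit are all constructed here for illustration."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"idp-signing-key-stand-in"   # assumption: shared secret standing in for the IdP's key


def _canon(elem):
    """Stand-in for C14N: serialise the element itself, without its tail text."""
    elem = copy.deepcopy(elem)
    elem.tail = None
    return ET.tostring(elem, encoding="utf-8")


def _mac(elem):
    return hmac.new(IDP_KEY, _canon(elem), hashlib.sha256).hexdigest()


def issue_signed_response(subject):
    """What the IdP sends: one Assertion, and a Signature whose Reference points at it by ID."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="a1")
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#a1")
    ET.SubElement(sig, "Value").text = _mac(assertion)
    return ET.tostring(root, encoding="unicode")


def wrap_response(signed_xml, wanted_subject):
    """The attack: keep the signed Assertion byte-for-byte intact but bury it under an
    <Extensions> element, and put an unsigned Assertion for the wanted subject first."""
    root = ET.fromstring(signed_xml)
    original = root.find("Assertion")
    root.remove(original)
    forged = ET.Element("Assertion", ID="evil")
    ET.SubElement(forged, "Subject").text = wanted_subject
    wrapper = ET.Element("Extensions")
    wrapper.append(original)
    root.insert(0, forged)
    root.insert(1, wrapper)
    return ET.tostring(root, encoding="unicode")


def _verified_element(root):
    """Return the element the signature actually covers, or None if verification fails."""
    sig = root.find("Signature")
    ref = sig.find("Reference") if sig is not None else None
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return None
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:              # duplicate IDs are another wrapping trick
        return None
    if not hmac.compare_digest(sig.findtext("Value") or "", _mac(matches[0])):
        return None
    return matches[0]


def naive_validate(xml_text):
    """Typical bug: the signature check and the data extraction locate 'the Assertion' independently."""
    root = ET.fromstring(xml_text)
    if _verified_element(root) is None:
        return None
    return root.find(".//Assertion").findtext("Subject")   # first Assertion in document order


def strict_validate(xml_text):
    """Fix: only read identity data from the element that was verified, and insist the
    document has the shape the protocol expects (exactly one Assertion, directly under Response)."""
    root = ET.fromstring(xml_text)
    signed = _verified_element(root)
    if signed is None or signed.tag != "Assertion" or signed not in list(root):
        return None
    if len(root.findall(".//Assertion")) != 1:
        return None
    return signed.findtext("Subject")


if __name__ == "__main__":
    forged = wrap_response(issue_signed_response("alice"), "admin")
    print("naive :", naive_validate(forged))    # the signature verifies, and admin logs in
    print("strict:", strict_validate(forged))   # rejected
```

The signature itself is not broken in either validator; tampering with the signed assertion is caught by both. What the naive version gets wrong is trusting a lookup that the signature never covered, which is exactly the gap the wrapping attacks in the CVE history exploited.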
Syncplify Server! has exactly zero CVE entries in the NIST National Vulnerability Database since its inception in 2013. That’s not a statistic we stumbled into. It’s the result of deliberate, sometimes uncomfortable decisions about what we will and will not put into the product. Adding a SAML stack would have meant inheriting its entire attack surface. That was a trade-off we were not willing to make, and we said so (sometimes too openly) every time the subject came up.
So what changed?
OIDC happened. And more importantly, OIDC matured.
OpenID Connect (OIDC) is not “SAML but newer.” It’s a fundamentally different approach to the same problem. It’s built on OAuth 2.0, it uses JSON Web Tokens instead of XML, it’s thin by design, and its security model is dramatically easier to implement correctly. The attack surface is smaller, the specifications are cleaner, and the ecosystem has had enough time to find and fix its edge cases. That does not make it foolproof: JWT libraries have had their own failures, mostly from honouring the algorithm named in the token header (the infamous `alg: none`) or skipping the audience and nonce checks, and OAuth redirect handling still needs care. But those pitfalls are fewer, well documented, and far simpler to test for than the XML canonicalization and parser behaviour SAML leans on. OIDC is what SSO looks like when you design it with modern threat models in mind rather than retrofitting security onto an XML messaging framework from 2002.
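What "easier to implement correctly" looks like in practice is a short, fixed list of checks on the ID token. The following is an added example, not Syncplify's code: it signs with HS256 (keyed by the client secret) so that it runs on the Python standard library alone, whereas real IdPs usually sign with RS256/ES256 and publish their keys at a JWKS URL; the claim checks are the same either way. The issuer, client id, secret, nonce and sample claims are all made-up values.

```python
"""Added example, not Syncplify's code: the checks a relying party runs on an
OIDC ID token before trusting it. HS256 (client-secret keyed) is used so this
runs on the standard library alone; real IdPs usually sign with RS256/ES256
and publish keys at a JWKS URL, but the claim checks are identical. Issuer,
client id, secret, nonce and sample claims are all made-up values."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (assumptions, not anything from the product).
SECRET = b"client-secret-for-the-example"
ISSUER = "https://idp.example.test"
CLIENT_ID = "syncplify-admin-ui"
NONCE = "n-8f2c"
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                 "exp": 1700000900, "iat": 1700000000, "nonce": NONCE}


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, secret, alg="HS256"):
    """Toy IdP. `alg` is a parameter only so a rejected `none` token can be built."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Return the verified claims, or raise ValueError. The signature is checked
    before any claim is read, and the algorithm comes from our allowlist, never
    from the token header."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("token not meant for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multi-audience token without matching azp")
    for name in ("exp", "iat"):
        if not isinstance(claims.get(name), (int, float)):
            raise ValueError(f"missing or non-numeric {name}")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:          # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def rejection_reason(token, secret, issuer, client_id, nonce, now):
    """Turn a rejection into its reason string (None when the token is accepted)."""
    try:
        validate_id_token(token, secret, issuer, client_id, nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = make_id_token(SAMPLE_CLAIMS, SECRET)
    print(validate_id_token(good, SECRET, ISSUER, CLIENT_ID, NONCE, now=1700000100)["sub"])
    unsigned = make_id_token(SAMPLE_CLAIMS, SECRET, alg="none")
    print(rejection_reason(unsigned, SECRET, ISSUER, CLIENT_ID, NONCE, 1700000100))
```

The ordering is deliberate: the algorithm allowlist and signature check come first, so no claim is ever read from a token that could have been written by the client, and the nonce check is what stops a captured token from being replayed into a different login.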
The protocol finally earned a place in Syncplify Server!. That’s the whole story.
What’s coming in the next major version is full enterprise-grade OIDC support: federated login into the SuperAdmin, Admin, and WebClient! UIs, and (importantly) app-passwords for legacy clients like FileZilla and WinSCP that don’t speak OIDC natively but still need to connect via SFTP/FTPS. The app-password model keeps the security benefits of your Identity Provider (IdP) in place while not leaving older tooling behind. We think it’s the right balance.
More details when the release is ready. In the meantime, if you missed the teaser, here it is.

