Stateless by design: No session storage, no database, no cookies issued by the library. You decide what to do with the authenticated Subject.
Two protocols, one contract: SAML and OIDC produce the same Subject[T] type. Reuse your session-creation code across both IdPs.
Batteries, not magic: Functional options, sensible Azure-AD defaults, PKCE by default, an open-redirect guard. No surprise behaviour.
Sandbox included: One docker compose up and you're logging in as alice@example.com through a real Keycloak.