
Is it that different from parsing JSON? An honest question, what's the difference? Billion laughs attacks and similar?



It's not just XML formatting; it's bizarro stuff like XML canonicalization and comments, and it's in a signature format. It really might be the worst mainstream cryptosystem in the entire industry.


A computer scientist would say they have identical parsing complexity, so not much.

A computer programmer wouldn't even know where to begin, as the Chesterton's fence had long been rejustified.


But it’s not true in practice. Pure simple XML vs JSON, sure. XML you deal with in SAML has tons of extra things like namespaces, canonicalization issues, etc. It is way more complex and has led to many security issues over the years.
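The namespace and canonicalization point above is easier to see in code. The following is an added illustration for this thread, not code posted by any commenter: it uses the stdlib C14N 2.0 implementation (xml.etree.ElementTree.canonicalize, Python 3.8+) and an HMAC as a stand-in for the XML-DSig RSA/EC signature. The key, the SAML-like assertion fragment and the two "consumer" parser settings are constructed assumptions for the demo.

```python
"""Added illustration for this thread (not code posted by any commenter):
why signing canonicalized XML behaves differently from signing raw bytes.

Constructed example using the stdlib C14N 2.0 implementation
(xml.etree.ElementTree.canonicalize, Python 3.8+). An HMAC stands in for the
XML-DSig RSA/EC signature; the key and the SAML-ish fragment are made up here.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed demo key; a real IdP signs with an asymmetric key.
KEY = b"constructed-demo-key"

# Constructed assertion fragment. Not a real IdP message.
ORIGINAL = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}">'
    "<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion>"
)

# Same document, different namespace prefix: byte-different, semantically equal.
REPREFIXED = (
    f'<x:Assertion xmlns:x="{SAML_NS}">'
    "<x:Subject><x:NameID>alice@example.com</x:NameID></x:Subject>"
    "</x:Assertion>"
)

# Same document with a comment spliced into the subject's text node.
COMMENTED = ORIGINAL.replace("alice@example.com", "alice<!-- c -->@example.com")


def canonical(xml_text: str, with_comments: bool = False) -> str:
    """Canonical form: prefixes rewritten to n0, n1, ..., comments dropped
    unless asked for. This is the byte string a C14N-based signature covers."""
    return ET.canonicalize(xml_text, with_comments=with_comments,
                           rewrite_prefixes=True)


def sign(xml_text: str) -> str:
    """Toy signature over the canonical form (XML-DSig signs canonicalized
    data, not the bytes that arrived on the wire)."""
    digest = hmac.new(KEY, canonical(xml_text).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()


def verify(xml_text: str, sig: str) -> bool:
    return hmac.compare_digest(sign(xml_text), sig)


def name_id(xml_text: str, keep_comments: bool) -> str:
    """What an application might read as the subject. Whether the comment is
    kept as a node changes what .text returns; both settings are assumptions
    about the consuming code, not any particular SAML library's behaviour."""
    builder = ET.TreeBuilder(insert_comments=keep_comments)
    root = ET.fromstring(xml_text, parser=ET.XMLParser(target=builder))
    node = root.find("s:Subject/s:NameID", {"s": SAML_NS})
    return node.text or ""


def demo() -> dict:
    """Sign the original once, then see what else that signature accepts."""
    sig = sign(ORIGINAL)
    return {
        "reprefixed_verifies": verify(REPREFIXED, sig),
        "commented_verifies": verify(COMMENTED, sig),
        "commented_bytes_differ": COMMENTED != ORIGINAL,
        "subject_comments_dropped": name_id(COMMENTED, keep_comments=False),
        "subject_comments_kept": name_id(COMMENTED, keep_comments=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the gap the thread is talking about: all three byte-different documents verify under the one signature, because the signature covers the canonical form rather than the received bytes, while the subject value the application layer reads from the commented variant depends on how its own parser treats the comment node. A verifier and a consumer that parse the message independently, with different settings, are the "unclear implementation guidelines" problem in miniature.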


I had originally quoted

  "in theory, it's easy in practice. in practice, it's easy in theory"

But I thought scientist vs. programmer would be literally analogous and rivet more finches.


Yeah, see the other replies in here. It is just a mess of ancient cruft and unclear implementation guidelines.



