What is SAML & OIDC

OIDC (OpenID Connect) and SAML (Security Assertion Markup Language) are both widely used identity protocols for Single Sign-On (SSO) and authentication. While they share some similarities, there are key differences between them.

  • IdP (Identity Provider): A service that authenticates users and provides identity information (like username, email, etc.) to other applications. Examples: Okta, Keycloak, Google, or Microsoft Azure AD.

  • SP (Service Provider): A service or application that users want to access. It relies on the IdP to verify the user's identity. Examples: Salesforce, Gmail, or Slack.

In short, the IdP authenticates the user, and the SP consumes the identity information to grant access.

SAML (Security Assertion Markup Language)

  • SAML is an XML-based language used to exchange security-related information.

  • It's primarily used for web SSO, allowing users to access multiple applications with a single set of credentials.

  • SAML relies on a centralized identity provider (IdP), which authenticates users and then issues assertions containing user information.

  • The assertion is then sent to the Service Provider (SP), which validates the user's identity and grants access accordingly.

OIDC (OpenID Connect)

  • OIDC is an authentication protocol built on top of OAuth 2.0, making it a more modern alternative to SAML.

  • OIDC focuses on providing a standardized way for applications to perform user authentication, authorization, and profile information exchange.

  • Unlike SAML, OIDC doesn't require the SP to maintain its own database or store any user data; instead, the IdP provides all the necessary information through a JSON-based profile.

  • OIDC is designed to be more extensible and flexible than SAML, supporting features like dynamic consent, authorization codes, and refresh tokens.

Key differences

  1. Architecture: SAML relies on a centralized IdP, whereas OIDC allows for decentralized authentication with multiple IdPs.

  2. Protocol complexity: OIDC is built on top of OAuth 2.0, making it more complex than SAML. However, this also means OIDC offers more features and flexibility.

  3. User data storage: SAML requires the SP to store user information, whereas OIDC relies solely on the IdP for storing user data.

  4. Security: Both protocols are secure in their own way, but OIDC's reliance on JSON-based profiles makes it easier to implement and manage security features like encryption and signature validation.
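To make the "signature validation" point concrete, here is an added example (not code from the original page) of the checks an SP performs on an OIDC ID token before trusting the JSON profile inside it: signature, issuer, audience and expiry. All values (secret, issuer URL, client id, claims) are constructed for the demo, and HS256 with a shared secret stands in for the RS256/ES256 public-key signatures real IdPs use, so it runs offline with only the standard library.

```python
import base64, hmac, hashlib, json, time

# Constructed demo values; no real IdP or SP is involved.
SECRET = b"demo-shared-secret"          # stand-in for the IdP's signing key
ISSUER = "https://idp.example.test"     # the IdP this SP has been configured to trust
CLIENT_ID = "sp-demo-client"            # this SP's registered client id (expected 'aud')

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """IdP side (simplified): encode the JSON claims as a JWT and sign header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, now=None, secret: bytes = SECRET) -> dict:
    """SP side: verify the token before using any claim in it. Raises ValueError on failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the SP expects; never let the token choose it ('none', downgrades).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this SP")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims   # only now is the identity information (sub, email, ...) safe to consume
```

A token that fails any single check is rejected outright; a real deployment would additionally fetch the IdP's public keys via its discovery document and check the `nonce` it sent in the authentication request.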

When to choose each

  • Use SAML when:

    • You need a tried-and-true protocol for web SSO.

    • Your existing infrastructure is already set up with SAML-based authentication.

  • Use OIDC when:

    • You want a more modern, extensible, and flexible identity protocol.

    • You're building a new application or service that requires advanced authentication features.