OIDC

OIDC vs SAML: The Differences

Sep 14, 2021 | 6 min read |

OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are popular identity and authentication protocols today. But which one is better for your use case? What are the differentiators? This detailed comparison resource will shed some light on the technicalities and help you make an educated decision for your SaaS offering. Without further ado, let’s get started.

What Is OIDC (OpenID Connect)?

OpenID Connect (OIDC) 1.0 is essentially an identity layer added to the OAuth 2.0 protocol. It is a newer protocol than SAML (more on this in the next section). OIDC allows clients to verify end-user identity according to the authentication carried out by an authorization server. It also lets clients obtain fundamental profile information about end-users in a REST-like and interoperable manner.

OIDC lets all types of clients, including mobile, JavaScript (JS), and web-based clients, request and receive information about end-users and authenticated sessions. It offers an extensible specification suite, which allows participants to utilize optional functionality, such as discovery of OpenID Providers, session management, and encryption of identity data, as needed.

What Is Security Assertion Markup Language (SAML)?

Security Assertion Markup Language is an open standard that allows clients to share security information about identity, authentication, and permission across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data. It offers a framework for implementing Single Sign-On (SSO) and other federated identity systems.

SAML is managed by the Organization for the Advancement of Structured Information Standards (OASIS). It’s an important component that enables users to access multiple apps, services or websites via a single login process. Identity and authentication levels are shared across different systems and services using the SAML protocol to request, receive, and format identification data.

SAML and OIDC: The Similarities

Both OIDC and SAML are trusted identity protocols. They allow users to be authenticated, transferring user information safely from the system responsible for the authentication, the Identity Provider (IdP), to the app or service the end-user is attempting to access. A key way to allow for this form of Single Sign-On (SSO) is to establish trust between the application and the IdP.

SAML and OIDC are core protocols utilized in all kinds of SSO solutions, regardless of the nature of the app or website. SSO solutions create a system where users are only required to authenticate once with the IdP. Following the authentication, they should be able to access any one of the apps configured to trust the IdP. Read more in our comprehensive SSO guide.

The fundamental login flow for OIDC and SAML is as follows:

The user logs in via the Identity Provider
They choose the application they wish to visit
The user’s information is transferred from the IdP to the browser of the user
The user’s information is subsequently passed to the application
The app establishes if they are authorized to access the resources
The user is provided access to the app

If the user directly accesses the application before logging into the Identity Provider (IdP), the login flow will be a little different. It will look as follows:

A user makes an attempt to log straight into the app
The app redirects the login attempt via the user’s browser to the IdP
The user logs in to the IdP (or is told they are already logged in)
IdP establishes that the user can access the app that released the request
The user’s information is transferred from the IdP to the user’s browser
The user’s information is then passed on to the app
The app establishes that they are authorized to access the resources
The user can access the app

OIDC vs SAML: The Differences

Both protocols attain the same end goal. However, the methodology used to authenticate users in terms of technology, capacity and method changes.

IdP/SP vs OP/RP— With both, the app redirects the user to the identity provider for authentication. This is known as a Service Provider (SP) in SAML and a Relying Party (RP) in OpenID. The contrasting element here is that SAML doesn’t connect smoothly with certain apps, especially mobile ones. OpenID works well with both mobile and web-based apps.

Mobile-Centric Authentication – OIDC utilizes RESTful communication to develop lightweight JSON security tokens, which are transferred between the IdP and the relying party. This means OpenID Connect is a leading protocol for mobile-centered application authentication. SAML was primarily created for the authentication of web applications.

Because Security Assertion Markup Language uses XML, there is no potential for this to be utilized in mobile applications, providing OIDC with an advantage to be employed solely in mobile applications.

Verdict: SAML is good for the web, while OIDC is much more versatile.

Message Format— With OpenID Connect (OIDC), there is a JSON Web Token (JWT) known as id-token, which gives authentication information. In SAML, there are assertions that represent the attribute, authorization, and authentication statements, all formatted via XML. JWTs are light in comparison to heavy-weight XML assertions.

Support for API — OIDC came into existence because SAML is heavy and can’t integrate effectively with APIs. OIDC uses RESTful API communication which uses the HTTP communication channel to dispatch light JSON security tokens used in the process of authentication. SAML uses SOAP, a protocol layer on HTTP, but instead dispatches heavy XML messages.

Verdict: OIDC is lighter and more performance-friendly than SAML.

Static Authentication – With Security Assertion Markup Language, static authentication is needed when the IdP and the relying party have to be configured to identify one another before the transfer of data occurs. This can create all kinds of performance issues. However, this is not the case with OIDC, which is by far the faster and more resource-friendly protocol.

Implementation – OIDC is developer-friendly and simpler to implement, which broadens the use cases for which it might be implemented. It can be implemented from scratch pretty fast, via freely available libraries in all common programming languages. SAML can be complex to install and maintain, which only enterprise-size companies can handle well.

Verdict: OIDC wins the user-friendliness battle as well.

User Consent – OpenID Connect is essentially a layer put on an OAuth framework. Therefore, it can offer a built-in layer of permission that asks a user to agree to what the service provider might access. Although SAML is also capable of allowing consent flow, it achieves this by hard-coding carried out by a developer, not as part of its protocol.
Security – When people want to prioritize secure data exchange, Security Assertion Markup Language still has the edge. We also recommend you to check out the SAML Security Cheat Sheet by OWASP. On the security front, OIDC is still maturing. It still cannot match SAML when it comes to sensitive use cases like banking, healthcare, or government related platforms.

Verdict: SAML is still more secure than OIDC in general.

Which One is Best For You?

Both of these authentication protocols are good at what they do. There is no clear winner. As always, a lot depends on your specific use case/s and target audience. You need to determine what your organization is attempting to achieve.

For example, if you need authentication that is light and highly interoperable with mobile apps and APIs, you can opt to implement OIDC. It is also more Single Sign-On (SSO) friendly and lighter than SAML. On the other hand, SAML is a more established federation protocol and has been in existence for a longer period of time, probably making it the more obvious option when security is a priority.

There is also the possibility of enjoying the inherent advantages of both together. SAML’s concept of “trust” is highly effective for accessing apps via portal, accessing resources, and for enterprise-scale SSO activity. On the other hand, you have the user-friendliness and scalability of OIDC which is great for mobile use cases. Adopting a hybrid approach is probably something you should consider.

Start For Free

Looking to take your User Management to the next level?

Full Solution, Easy Migration

Schedule a meeting Start now for free

Cookie	Duration	Description
_vis_opt_s	3 months 8 days	Visual Website Optimizer sets this cookie to detect if there are new to or returning to a particular test.
_vis_opt_test_cookie	session	Visual Website Optimizer creates this cookie to determine whether or not cookies are enabled on the user's browser.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	6 months	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.

Cookie	Duration	Description
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hp2_ses_props.*	1 hour	Heap sets this cookie to store the timestamp and cookie domain or path.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and calculates unique traffic on a website.
cb_anonymous_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.
cb_group_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
cb_user_id	1 year	Clearbit sets this cookie to collect data on visitors. This information is used to assign visitors into segments, making website advertising more relevant.

Cookie	Duration	Description
__Host-session	14 days	No description available.
__tld__	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_crowdcontrol_session_key	session	Description is currently not available.
_g2_session_id	session	Description is currently not available.
_hp2_hld346349427843107.1065080579	5 minutes	Description is currently not available.
_hp2_hld6722177740337317.1065080579	5 minutes	Description is currently not available.
_hp2_hld8090462093010520.1065080579	5 minutes	Description is currently not available.
cbtest	1 year	Description is currently not available.
debug	never	No description available.
events_distinct_id	session	Description is currently not available.
h1_device_id	1 year	Description is currently not available.
pfjscookies	1 year	Description is currently not available.