OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are popular identity and authentication protocols today. But which one is better for your use case? What are the differentiators? This detailed comparison resource will shed some light on the technicalities and help you make an educated decision for your SaaS offering. Without further ado, let’s get started.
OpenID Connect (OIDC) 1.0 is essentially an identity layer added to the OAuth 2.0 protocol. It is a newer protocol than SAML (more on this in the next section). OIDC allows clients to verify end-user identity according to the authentication carried out by an authorization server. It also lets clients obtain fundamental profile information about end-users in a REST-like and interoperable manner.
OIDC lets all types of clients, including mobile, JavaScript (JS), and web-based clients, request and receive information about end-users and authenticated sessions. It offers an extensible specification suite, which allows participants to utilize optional functionality, such as discovery of OpenID Providers, session management, and encryption of identity data, as needed.
Security Assertion Markup Language is an open standard that allows systems to exchange security information about identity, authentication, and permissions across different security domains. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data. It offers a framework for implementing Single Sign-On (SSO) and other federated identity systems.
SAML is managed by the Organization for the Advancement of Structured Information Standards (OASIS). It is an important component that enables users to access multiple apps, services or websites via a single login process. Identity and authentication data are shared across different systems and services, which use the SAML protocol to request, receive, and format that identification data.
Both OIDC and SAML are trusted identity protocols. They allow users to be authenticated, transferring user information safely from the system responsible for the authentication, the Identity Provider (IdP), to the app or service the end-user is attempting to access. A key way to allow for this form of Single Sign-On (SSO) is to establish trust between the application and the IdP.
SAML and OIDC are core protocols utilized in all kinds of SSO solutions, regardless of the nature of the app or website. SSO solutions create a system where users are only required to authenticate once with the IdP. Following the authentication, they should be able to access any one of the apps configured to trust the IdP. Read more in our comprehensive SSO guide.
The fundamental login flow for OIDC and SAML is as follows:
If the user directly accesses the application before logging into the Identity Provider (IdP), the login flow will be a little different. It will look as follows:
Both protocols attain the same end goal. However, they differ in the technology, capabilities, and methods used to authenticate users.
Verdict: SAML is good for the web, while OIDC is much more versatile.
Verdict: OIDC is lighter and more performance-friendly than SAML.
Verdict: OIDC wins the user-friendliness battle as well.
Verdict: SAML is still more secure than OIDC in general.
Both of these authentication protocols are good at what they do. There is no clear winner. As always, a lot depends on your specific use case(s) and target audience. You need to determine what your organization is attempting to achieve.
For example, if you need authentication that is light and highly interoperable with mobile apps and APIs, you can opt to implement OIDC. It is also more Single Sign-On (SSO) friendly and lighter than SAML. On the other hand, SAML is a more established federation protocol and has been in existence for a longer period of time, probably making it the more obvious option when security is a priority.
There is also the possibility of enjoying the inherent advantages of both together. SAML’s concept of “trust” is highly effective for accessing apps via portal, accessing resources, and for enterprise-scale SSO activity. On the other hand, you have the user-friendliness and scalability of OIDC which is great for mobile use cases. Adopting a hybrid approach is probably something you should consider.