OIDC

OIDC vs. SAML: Key Differences Explained

Sep 14, 2021 | 7 min read |

OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) are popular identity and authentication protocols today. But which one is better for your use case? What are the differentiators? This detailed comparison resource will shed some light on the technicalities and help you make an educated decision for your SaaS offering. Without further ado, let’s get started.

What Is OIDC (OpenID Connect)?

OIDC 1.0 is essentially an identity layer added to the OAuth 2.0 protocol. It is a newer protocol than SAML (more on this in the next section). OIDC allows clients to verify end-user identity according to the authentication carried out by an authorization server. It also lets clients obtain fundamental profile information about end-users in a REST-like and interoperable manner.

OIDC lets all types of clients, including mobile, JavaScript (JS), and web-based clients, request and receive information about end-users and authenticated sessions. It offers an extensible specification suite, which allows participants to utilize optional functionality, such as discovery of OpenID Providers, session management, and encryption of identity data, as needed.

For a comprehensive understanding, see the OpenID Connect Core Specification.

OpenID Connect (OIDC) — **The OpenID Connect Flow**

What Is Security Assertion Markup Language (SAML)?

SAML is an open standard that allows clients to share security information about identity, authentication, and permission across different systems. SAML is implemented with the Extensible Markup Language (XML) standard for sharing data. It offers a framework for implementing Single Sign-On (SSO) and other federated identity systems.

SAML is managed by the Organization for the Advancement of Structured Information Standards (OASIS). It’s an important component that enables users to access multiple apps, services or websites via a single login process. Identity and authentication levels are shared across different systems and services using the SAML protocol to request, receive, and format identification data.

Detailed information is available in the SAML 2.0 Specification.

SAML and OIDC: the similarities

Both OIDC and SAML are trusted identity protocols. They allow users to be authenticated, transferring user information safely from the system responsible for the authentication, the Identity Provider (IdP), to the app or service the end-user is attempting to access. A key way to allow for this form of SSO is to establish trust between the application and the IdP.

SAML and OIDC are core protocols utilized in all kinds of SSO providers, regardless of the nature of the app or website. SSO solutions create a system where users are only required to authenticate once with the IdP. Following the authentication, they should be able to access any one of the apps configured to trust the IdP.

For a deeper dive into these protocols, consider the NIST Digital Identity Guidelines.

The fundamental login flow for OIDC and SAML is as follows:

The user logs in via the Identity Provider
They choose the application they wish to visit
The user’s information is transferred from the IdP to the browser of the user
The user’s information is subsequently passed to the application
The app establishes if they are authorized to access the resources
The user is provided access to the app

If the user directly accesses the application before logging into the IdP, the login flow will be a little different. It will look as follows:

A user makes an attempt to log straight into the app
The app redirects the login attempt via the user’s browser to the IdP
The user logs in to the IdP (or is told they are already logged in)
IdP establishes that the user can access the app that released the request
The user’s information is transferred from the IdP to the user’s browser
The user’s information is then passed on to the app
The app establishes that they are authorized to access the resources
The user can access the app

Related: OAuth vs SAML

OIDC vs SAML: The Differences

Both protocols attain the same end goal. However, the methodology used to authenticate users in terms of technology, capacity and method changes.

IdP/SP vs OP/RP— With both, the app redirects the user to the identity provider for authentication. This is known as a Service Provider (SP) in SAML and a Relying Party (RP) in OpenID. The contrasting element here is that SAML doesn’t connect smoothly with certain apps, especially mobile ones. OpenID works well with both mobile and web-based apps.

Mobile-Centric Authentication – OIDC utilizes RESTful communication to develop lightweight JSON security tokens, which are transferred between the IdP and the relying party. This means OpenID Connect is a leading protocol for mobile-centered application authentication. SAML was primarily created for the authentication of web applications.

Because SAML uses XML, there is no potential for this to be utilized in mobile applications, providing OIDC with an advantage to be employed solely in mobile applications.

Verdict: SAML is good for the web, while OIDC is much more versatile.

Message Format— With OpenID Connect (OIDC), there is a JSON Web Token (JWT) known as id-token, which gives authentication information. In SAML, there are assertions that represent the attribute, authorization, and authentication statements, all formatted via XML. JWTs are light in comparison to heavy-weight XML assertions.

Support for API — OIDC came into existence because SAML is heavy and can’t integrate effectively with APIs. OIDC uses RESTful API communication which uses the HTTP communication channel to dispatch light JSON security tokens used in the process of authentication. SAML uses SOAP, a protocol layer on HTTP, but instead dispatches heavy XML messages.

Verdict: OIDC is lighter and more performance-friendly than SAML.

Static authentication – With SAML, static authentication is needed when the IdP and the relying party have to be configured to identify one another before the transfer of data occurs. This can create all kinds of performance issues. However, this is not the case with OIDC, which is by far the faster and more resource-friendly protocol.

Implementation – OIDC is developer-friendly and simpler to implement, which broadens the use cases for which it might be implemented. It can be implemented from scratch pretty fast, via freely available libraries in all common programming languages. SAML can be complex to install and maintain, which only enterprise-size companies can handle well.

Verdict: OIDC wins the user-friendliness battle as well.

User Consent – OIDC is essentially a layer put on an OAuth framework. Therefore, it can offer a built-in layer of permission that asks a user to agree to what the service provider might access. Although SAML is also capable of allowing consent flow, it achieves this by hard-coding carried out by a developer, not as part of its protocol.
Security – When people want to prioritize secure data exchange, Security Assertion Markup Language still has the edge. We also recommend you to check out the SAML Security Cheat Sheet by OWASP. On the security front, OIDC is still maturing. It still cannot match SAML when it comes to sensitive use cases like banking, healthcare, or government related platforms.

Verdict: SAML is still more secure than OIDC in general.

Technical example: implementing SSO in a multi-platform environment

A financial services company aims to provide a seamless authentication experience across its web portal and mobile application. Initially, the company implemented SAML for SSO within its web portal, leveraging SAML’s robust security features and its suitability for web-based applications.

As the company expanded its services to mobile platforms, it encountered challenges integrating SAML due to its reliance on XML and SOAP, which are less compatible with mobile application architectures. To address this, the company adopted OIDC for its mobile applications, benefiting from OIDC’s use of JSON and RESTful APIs, which are more suitable for mobile environments.

Outcome:

Web Portal: Continued use of SAML provided strong security and seamless SSO capabilities for users accessing services via web browsers.
Mobile Application: Implementing OIDC enabled efficient authentication processes, improved performance, and a better user experience on mobile devices.

This hybrid approach allowed the company to leverage the strengths of both protocols, ensuring secure and efficient authentication across multiple platforms.

Which one is best for you?

Both of these authentication protocols are good at what they do. There is no clear winner. As always, a lot depends on your specific use case/s and target audience. You need to determine what your organization is attempting to achieve.

For example, if you need authentication that is light and highly interoperable with mobile apps and APIs, you can opt to implement OIDC. It is also more SSO friendly and lighter than SAML. On the other hand, SAML is a more established federation protocol and has been in existence for a longer period of time, probably making it the more obvious option when security is a priority.

There is also the possibility of enjoying the inherent advantages of both together. SAML’s concept of “trust” is highly effective for accessing apps via portal, accessing resources, and for enterprise-scale SSO activity. On the other hand, you have the user-friendliness and scalability of OIDC which is great for mobile use cases. Adopting a hybrid approach is probably something you should consider.

OIDC, SAML, and the Frontegg advantage

Deciding between OIDC and SAML comes down to the specific needs of your application and users. SAML is a powerful choice for enterprise-level, browser-based authentication, while OIDC’s modern, lightweight framework excels in API-driven and mobile-first environments.

Implementing these protocols doesn’t have to be a complex or time-consuming process. With Frontegg, you can seamlessly integrate both OIDC and SAML into your application, reducing developer toil and ensuring a secure, scalable identity solution for your users.

Frontegg’s platform empowers teams across your organization—developers, product managers, and security professionals—to manage identity with ease, so you can focus on innovation and growth. Whether you’re building for the enterprise or the modern cloud, Frontegg helps you take control of authentication with confidence.

Discover how Frontegg can simplify identity management for your team today.

Start For Free

Looking to take your User Management to the next level?

Full Solution, Easy Migration

Contact sales Start now for free

Cookie	Duration	Description
_vis_opt_s	3 months 8 days	Visual Website Optimizer sets this cookie to detect if there are new to or returning to a particular test.
_vis_opt_test_cookie	session	Visual Website Optimizer creates this cookie to determine whether or not cookies are enabled on the user's browser.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	6 months	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.

Cookie	Duration	Description
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hp2_ses_props.*	1 hour	Heap sets this cookie to store the timestamp and cookie domain or path.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and calculates unique traffic on a website.
cb_anonymous_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.
cb_group_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
cb_user_id	1 year	Clearbit sets this cookie to collect data on visitors. This information is used to assign visitors into segments, making website advertising more relevant.

Cookie	Duration	Description
__Host-session	14 days	No description available.
__tld__	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_crowdcontrol_session_key	session	Description is currently not available.
_g2_session_id	session	Description is currently not available.
_hp2_hld346349427843107.1065080579	5 minutes	Description is currently not available.
_hp2_hld6722177740337317.1065080579	5 minutes	Description is currently not available.
_hp2_hld8090462093010520.1065080579	5 minutes	Description is currently not available.
cbtest	1 year	Description is currently not available.
debug	never	No description available.
events_distinct_id	session	Description is currently not available.
h1_device_id	1 year	Description is currently not available.
pfjscookies	1 year	Description is currently not available.