SAML vs. OIDC: What is the Best Approach for Your Business?
What are SAML (Security Assertion Markup Language) and OIDC (OpenID Connect)? Both are authentication protocols that enable Single Sign-On (SSO). Which one is better suited for your business? We introduce both protocols, how they work, their features, and which one is best for your company.
Single Sign-On (SSO)
What is Single Sign-On and why is it important? Every user utilizes numerous apps, programs, and software daily. Managing usernames and passwords for all these different services can quickly become overwhelming. Single Sign-On (SSO) significantly simplifies the user experience, requiring authentication only once. This eliminates the need for username and password databases. With just one ID, users gain secure access to multiple applications and services.
SSO uses an authentication protocol, meaning trusted but independent systems exchange identity information.
The standard protocol defines how this exchange occurs. SAML and OIDC are two common protocols for successful identity management. SAML stands for Security Assertion Markup Language and is often used in workplace environments. OIDC is used, for example, when a user logs into an application like YouTube with their Google account.
What is SAML?
This standard protocol ensures smooth collaboration among key players in authentication. The user authenticates at one location, and all applications are notified accordingly. The three main players in identity management are the user, the service provider, and the identity provider. Service providers are various applications a user wants to access, like Office 365, Webex, Concur, and Salesforce. For example, if the user plans to use Webex, the service provider, Webex, requests SAML authentication. The browser redirects the user with this request to the identity provider. Here, the user authenticates using a username and password, two-factor authentication, or other means.
The Assertion
Once the identity provider authenticates the user, it creates an assertion. The assertion is an XML document. XML is a markup language for structuring data. The assertion contains information about the user and their access rights. To ensure the authenticity of the data, it is cryptographically signed. The browser forwards this SAML assertion to the service provider – in this example, Webex. Using public-key cryptography, the service provider verifies the signature, granting the user access.
Advantages of Security Assertion Markup Language
The protocol forms an external structure allowing service providers and identity providers to exchange authentication and authorization data. Different entities can trust each other's identities without revealing sensitive information. It is a reliable and stable protocol for ensuring IT security, particularly suited for environments with many identity groups – groups of users with varying rights.
What is OIDC?
OpenID Connect (OIDC) is also a standard protocol that sets rules for outsourced authentication. The process is as follows: The user wants to access a service provider. The service provider, unfamiliar with the user, sends a request to the identity provider. This trusted third party authenticates the user and issues corresponding documents.
The identity provider returns a document with claims. What does this mean? A claim is an assertion. In this context, the claim could be the employee's name, role in the company, or contact details. The service provider must trust this document, which must contain truthful data. Therefore, the identity provider digitally signs it with a private key. The service provider verifies the signature using a public key or the identity provider's certificate.
The Token
This document with claims and a signature is called a token. The standard for this is JWT - JSON Web Token - a JSON object with an attached signature. It is the digital equivalent of an ID card issued by the government and verified by the town hall, which acts as the identity provider.
A JSON Web Token includes a user ID in the "sub" (subject) field, along with other fields like "iat" (issued at) and "exp" (expires at). Depending on the identity provider, additional fields can be included in the token, but it should not have too many fields to avoid overloading the data traffic. The token is sent with each request, and excessive fields could burden the data exchange. All these processes and standards comply with the OpenID Connect authentication protocol.
Advantages of OpenID Connect
Tokens are well-suited for highly scalable web and cloud applications. One drawback is that redirects are always required. OpenID Connect works well in web browsers but not in mobile or desktop apps. This limitation applies only to the "Implicit Flow" of OpenID Connect, which is specifically designed for single-page applications in browsers. Other flows, such as the Code Flow or Hybrid Flow, work well for mobile apps or any applications that are not single-page applications or do not run in browsers.
Key Differences Between SAML and OIDC
Under the OpenID Connect protocol, users use JWT or JSON Web Tokens to exchange identity information between services. A JWT is a signed JSON document. SAML uses assertions, which are cryptographically signed XML documents containing information about the user and their rights. The overall concept of both protocols is the same. The flows are similar, but the implementation details differ.
Differences in Implementation and Use
OIDC is straightforward to implement without new infrastructure, but it only works for simple scenarios. Detailed control and complex permissions are not possible, as the token would become too large and burden the data traffic. For simple scenarios, such as distinguishing between an administrator and a regular user, OIDC is sufficient. Platforms like Google, Facebook, or GitHub use OIDC. A mobile app would benefit from the efficiency of OpenID.
Security Assertion Markup Language is more challenging to implement, but the XML-coded assertions allow storing and sharing detailed information. For government agencies or public institutions that manage many accesses and permissions, it is the right solution. It ensures enterprise security for clinics or healthcare providers by controlling access to application portals or sensitive data.
Which Protocol is Right for Your Business?
| Questions | SAML | OIDC |
|---|---|---|
| Do we need authentication for mobile applications or modern web APIs? | X | |
| Are our applications primarily web browser-based? | X | |
| Do we need Single Sign-On (SSO) for our company software? | X | |
| Do we need a straightforward, easy-to-implement, and widely adopted solution? | X | |
| Do our users utilize social login options like Google or Facebook? | X | |
| Do we have strict compliance and security requirements that necessitate comprehensive security protocols? | X |
Conclusion
Both Security Assertion Markup Language and OpenID Connect are protocols for successful identity management. Their use is not a matter of either-or. Depending on the use case, both can be used, even in combination with other authentication standards. Do you have further questions or need detailed advice? Call us or write to us. We are happy to help.
The difference between authentication and authorization
Learn the key differences between authentication and authorization in securing applications. Learn how these processes work together to protect sensitive data and improve cybersecurity with practical examples and best practices.
OpenID Connect as a Digital Identity Solution
As part of digitalization, small and medium-sized businesses also face significant challenges. One of these tasks is to create digital access and data management solutions. Even in smaller companies, employees or external users today need to access many different applications. Handling this securely yet comfortably is no easy task. However, with OpenID Connect, data-sensitive and easy-to-use identity management is easy. Below, you will learn what exactly OIDC is and how it can be used profitably in your company.