What is SAML & OIDC

Shohanur Rahman

OIDC (OpenID Connect) and SAML (Security Assertion Markup Language) are both widely used identity protocols for Single Sign-On (SSO) and authentication. While they share some similarities, there are key differences between them.

  • IdP (Identity Provider): A service that authenticates users and provides identity information (like username, email, etc.) to other applications. Examples: Okta, Keycloak, Google, or Microsoft Azure AD.

  • SP (Service Provider): A service or application that users want to access. It relies on the IdP to verify the user's identity. Examples: Salesforce, Gmail, or Slack.

In short, the IdP authenticates the user, and the SP consumes the identity information to grant access.

SAML (Security Assertion Markup Language)

  • SAML is an XML-based language used to exchange security-related information.

  • It's primarily used for web SSO, allowing users to access multiple applications with a single set of credentials.

  • SAML relies on a centralized identity provider (IdP) to authenticate users and then issues assertions that contain user information.

  • The assertion is then sent to the Service Provider (SP), which validates the user's identity and grants access accordingly.
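The SP-side step in the last bullet, validating the assertion before granting access, is shown below as an added example that is not part of the original post. It uses only the Python standard library and a constructed sample assertion; the entity IDs `https://idp.example.test/saml` and `https://sp.example.test/metadata`, the user `alice@example.test`, and the attribute names are assumptions made up for the example. It assumes the XML signature over the assertion has already been verified and covers the checks that come after that: the Issuer is the expected IdP, the assertion is addressed to this SP (AudienceRestriction), and the current time lies inside the NotBefore/NotOnOrAfter window.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# For assertions received from the network, parse with defusedxml rather than the
# stdlib parser so that entity-expansion payloads are refused outright.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Assumed identifiers for this example (not real entity IDs).
IDP_ENTITY_ID = "https://idp.example.test/saml"
SP_ENTITY_ID = "https://sp.example.test/metadata"

# Constructed sample assertion; in a real flow it arrives from the IdP and its
# XML signature must be verified before any of the checks below run.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, expected_issuer, sp_entity_id, now=None):
    """Apply the SP-side condition checks and return the identity the assertion carries.

    Raises ValueError when any check fails. Assumes the signature was already verified.
    """
    now = datetime.now(timezone.utc) if now is None else now
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        raise ValueError("not a SAML 2.0 Assertion")

    # 1. The assertion must come from the IdP we trust.
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")

    # 2. It must be inside its validity window.
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("Conditions must bound the validity window")
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")

    # 3. It must be addressed to this SP, so one issued for another SP cannot be replayed here.
    audiences = [(a.text or "").strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")

    # 4. Only now read the identity information.
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) or "").strip()
    if not name_id:
        raise ValueError("missing NameID")
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attributes[attr.get("Name")] = [(v.text or "").strip()
                                        for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return {"name_id": name_id, "attributes": attributes}


def rejection_reason(xml_text, expected_issuer, sp_entity_id, now=None):
    """Return the failure message for a rejected assertion, or None when it is accepted."""
    try:
        consume_assertion(xml_text, expected_issuer, sp_entity_id, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    inside_window = parse_saml_time("2024-01-01T12:02:00Z")
    print(consume_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, inside_window))
```

The order of the checks matters: identity data is read only after issuer, validity window and audience have all passed, so a stale assertion or one minted for a different SP never reaches the code that grants access.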

OIDC (OpenID Connect)

  • OIDC is an authentication protocol built on top of OAuth 2.0, making it a more modern alternative to SAML.

  • OIDC focuses on providing a standardized way for applications to perform user authentication, authorization, and profile information exchange.

  • Unlike SAML, OIDC doesn't require the SP to maintain its own database or store any user data; instead, the IdP provides all the necessary information through a JSON-based profile.

  • OIDC is designed to be more extensible and flexible than SAML, supporting features like dynamic consent, authorization codes, and refresh tokens.
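In OIDC the "JSON-based profile" the IdP hands over is the ID token, a signed JWT whose claims the SP (relying party) must verify before trusting them. The following is an added example, not code from the original post: one function mints an ID token on the IdP side and another performs the relying-party checks from OIDC Core (signature, `iss`, `aud`/`azp`, `exp`, `nonce`). To stay standard-library only it uses HS256 with an assumed shared client secret, which the spec permits; production deployments usually receive RS256 tokens and verify them against the IdP's published JWKS. The issuer `https://idp.example.test`, client ID `sp-client-id`, the secret, and the sample claims are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example (not real credentials or endpoints).
ISSUER = "https://idp.example.test"
CLIENT_ID = "sp-client-id"
CLIENT_SECRET = "constructed-client-secret-do-not-reuse"

# Constructed ID token claims as the IdP would mint them after authenticating the user.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "user-123",
    "aud": CLIENT_ID,
    "iat": 1700000000,
    "exp": 1700000300,
    "nonce": "n-7f3a",          # echoed from the SP's authentication request
    "email": "alice@example.test",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims, client_secret):
    """IdP side: produce an HS256-signed ID token (compact JWT) from the claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_id_token(token, client_secret, expected_issuer, client_id, expected_nonce, now=None):
    """SP side: verify the token and return its claims, or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts

    # Pin the algorithm we accept instead of trusting the header's "alg".
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Verify the signature with a constant-time comparison before reading any claim.
    expected_sig = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(signature_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp required for multi-audience token")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def verification_error(*args, **kwargs):
    """Return the rejection message for a token, or None when it verifies."""
    try:
        verify_id_token(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    token = issue_id_token(SAMPLE_CLAIMS, CLIENT_SECRET)
    print(verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, "n-7f3a", now=1700000060))
```

The nonce check is what ties the token to the SP's own authentication request, so a token captured from one login cannot be replayed into another session; together with the pinned algorithm and the `aud` check it is the minimum an SP should enforce before treating the claims as the user's identity.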

Key differences

  1. Architecture: SAML relies on a centralized IdP, whereas OIDC allows for decentralized authentication with multiple IdPs.

  2. Protocol complexity: OIDC is built on top of OAuth 2.0, making it more complex than SAML. However, this also means OIDC offers more features and flexibility.

  3. User data storage: SAML requires the SP to store user information, whereas OIDC relies solely on the IdP for storing user data.

  4. Security: Both protocols are secure in their own way, but OIDC's reliance on JSON-based profiles makes it easier to implement and manage security features like encryption and signature validation.

When to choose each

  • Use SAML when:

    • You need a tried-and-true protocol for web SSO.

    • Your existing infrastructure is already set up with SAML-based authentication.

  • Use OIDC when:

    • You want a more modern, extensible, and flexible identity protocol.

    • You're building a new application or service that requires advanced authentication features.

