SAML vs OAuth 2.0 vs OIDC: A Practical Deep Dive with Architecture & API Access Flows

Core Concepts

Protocol | Purpose | Type | Format | Token Format | Ideal Use Case |
--- | --- | --- | --- | --- | --- |
SAML | Authentication only | Federated Authentication | XML-based | SAML Assertion (XML) | Web SSO |
OAuth 2.0 | Authorization only | Delegated Authorization | JSON | Access / Refresh Tokens | API Access |
OIDC | Authentication + Authorization | Identity Layer on OAuth 2.0 | JSON | ID + Access Tokens | Login + API Access |

Figure: High-level comparison of SAML vs OAuth 2.0 vs OIDC
SAML (Security Assertion Markup Language)
XML-based legacy protocol for Single Sign-On (SSO)
Common in enterprise apps
Provides a one-time SAML assertion during login
Does not support modern API access directly
OAuth 2.0
Delegated access model (Authorization)
Scopes define what can be accessed
Access Token & Refresh Token issued
Does not provide identity by itself
OIDC (OpenID Connect)
Identity layer on top of OAuth 2.0
Adds ID Token to represent the user
Supports web, mobile, and APIs
Modern alternative to SAML
Figure: OAuth + OIDC flow

Use Case: Cross-App API Access
Scenario
You have App A (browser app) authenticated via SSO
App A needs to access App B and App C APIs
User should not re-login for App B/C data
Implementation Options

Option 1: SAML-Based (Legacy)
App A authenticates via SAML SSO
App B and C require separate API access
No native token support → needs an OAuth bridge
Not seamless for API access

Option 2: OAuth 2.0 + OIDC (Recommended)
App A uses OIDC to authenticate
Access Token allows API calls to App B/C
All via standard JWT tokens
Seamless and secure

Option 3: Hybrid Model
Use SAML for login
Issue OAuth tokens via token exchange
Requires extra setup (like Azure AD or custom IdP logic)
What is an Identity Provider (IdP)?
A system that:
Authenticates the user
Issues tokens (SAML Assertion / ID Token / Access Token)
Popular IdPs:
Azure AD
Okta
Auth0
Google Identity
Figure: IdP role in the auth ecosystem

Azure Active Directory (Azure AD)
Supports both SAML and OAuth/OIDC
Central user and app management
App registration enables:
Token issuance
Scopes and claims
SSO across applications
Example: App A calls App B API using token from Azure AD
Comparison Summary

Feature | SAML | OAuth 2.0 | OIDC |
--- | --- | --- | --- |
Auth or AuthZ | Authentication | Authorization | Auth + Authorization |
Format | XML | JSON | JSON |
API Access | No | Yes | Yes |
ID Token | No | No | Yes |
Browser Friendly | Yes | With OIDC | Yes |
Best For | Legacy SSO | API Access | Web + API Unified Login |
Token Flow with OIDC

App A → redirects to IdP (Azure AD)
IdP authenticates → returns ID Token + Access Token
App A uses Access Token to call App B's API
App B validates token and responds with data

Figure: OIDC token flow for browser + API
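The four-step flow above, run end to end as an added example (this is not code from the article or from Azure AD): a toy IdP issues an ID token (aud = App A) and an access token (aud = App B's API), App A presents the access token to App B, and App B performs the validation the flow calls for. It goes a little beyond the article by also showing why App B rejects an ID token used as an access token, an expired token, a token without the needed scope, and a token whose payload was altered after signing. The issuer URL, client id, API identifier, secret and user are constructed, and HS256 with a shared secret stands in for the RS256 keys a real IdP publishes as a JWKS, so it runs with the standard library only.

```python
"""Toy end-to-end OIDC/OAuth 2.0 exchange: the IdP issues an ID token and an
access token, App A calls App B with the access token, App B validates it.

Added example, not the article's code. Tokens are HS256-signed with a shared
secret so everything runs on the standard library; a real IdP such as Azure AD
signs with RS256 and App B would verify against the IdP's published JWKS.
Issuer URL, client id, API identifier, secret and user are all constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List

ISSUER = "https://idp.example.test/v2.0"    # constructed issuer URL
SHARED_SECRET = b"constructed-demo-secret"   # stands in for the IdP's signing key
APP_A_CLIENT_ID = "app-a-client"            # constructed OIDC client id of App A
APP_B_AUDIENCE = "api://app-b"              # constructed identifier of App B's API


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: Dict, secret: bytes = SHARED_SECRET) -> str:
    """IdP side: serialise claims as a compact JWS (HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def idp_issue_tokens(subject: str, scopes: List[str], now: int) -> Dict[str, str]:
    """Step 2 of the flow. After authenticating the user the IdP returns an ID
    token (aud = App A; proves who logged in) and an access token
    (aud = App B's API; carries the granted scopes)."""
    base = {"iss": ISSUER, "sub": subject, "iat": now, "exp": now + 3600}
    id_token = sign_jwt({**base, "aud": APP_A_CLIENT_ID, "name": "Demo User"})
    access_token = sign_jwt({**base, "aud": APP_B_AUDIENCE, "scp": " ".join(scopes)})
    return {"id_token": id_token, "access_token": access_token, "token_type": "Bearer"}


def validate_access_token(token: str, required_scope: str, now: int,
                          secret: bytes = SHARED_SECRET) -> Dict:
    """Step 4: the checks App B runs before serving data; raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # allow-list the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != APP_B_AUDIENCE:  # an ID token presented here fails on aud
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if required_scope not in claims.get("scp", "").split():
        raise ValueError("insufficient scope")
    return claims


def app_b_api(bearer: str, now: int) -> Dict:
    """App B's endpoint: validate, then answer with (constructed) data for the subject."""
    claims = validate_access_token(bearer, "orders.read", now)
    return {"for": claims["sub"], "orders": ["constructed-order-1"]}


def run_flow(now: int = 1_700_000_000) -> Dict:
    """Drive the exchange once and record why each bad presentation is rejected."""
    tokens = idp_issue_tokens("user-123", ["orders.read"], now)        # steps 1-2
    results: Dict = {"api_ok": app_b_api(tokens["access_token"], now)}  # steps 3-4
    # Payload altered after signing (extra scope), signature left as issued.
    h, p, s = tokens["access_token"].split(".")
    forged_claims = {**json.loads(_b64url_decode(p)), "scp": "orders.read orders.write"}
    forged = f"{h}.{_b64url(json.dumps(forged_claims).encode())}.{s}"
    limited = idp_issue_tokens("user-123", ["profile.read"], now)["access_token"]
    for label, tok, when in [
        ("id_token_rejected", tokens["id_token"], now),            # wrong audience
        ("expired_rejected", tokens["access_token"], now + 7200),  # past exp
        ("scope_rejected", limited, now),                          # lacks orders.read
        ("forged_rejected", forged, now),                          # signature no longer matches
    ]:
        try:
            app_b_api(tok, when)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

The order of the checks in validate_access_token matters: signature and algorithm first, so nothing in an unverified payload is trusted, then issuer, audience, lifetime and scope. The audience check is what keeps the ID token (meant for App A) from being accepted by App B, and the scope check is what turns the article's "scopes define what can be accessed" into an enforced decision.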
Recommendation
For modern apps needing login + API access:
Use OIDC (layered on OAuth 2.0) rather than OAuth 2.0 alone, so you get identity as well as authorization
Register all apps in a central IdP (like Azure AD)
Use access tokens for cross-app API communication
Final Words
SAML has served enterprise SSO for years, but it falls short in a modern API-first world.
OAuth 2.0 + OIDC provides:
Lightweight tokens
Secure access control
Seamless experience across apps and APIs
Migrate if possible, and embrace the token-driven future.
Written by Fayaz Khan

Hi, I'm Fayaz Khan, a PLM Solution Architect with deep hands-on experience in 3DEXPERIENCE, real-world integrations, and enterprise system behavior. I work at the intersection of engineering, security, and systems thinking, navigating between PLM platforms, cloud infrastructure, APIs, and practical business needs. I prefer digging into why something works (or breaks), rather than just how to configure it. My writing is an attempt to document the often-overlooked details: the silent bugs, the edge cases, the security gaps, and sometimes, the mental models that help me make sense of it all.