Summary: This article will take a high-level look at Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). We'll examine how each protocol works and the features and benefits of each. By the end of this article, you'll have a deeper understanding of when to use SAML vs. OIDC.
What Are SAML and OIDC?
SAML and OIDC are two identity protocols that authenticate users, carry identity data between systems, and give applications the access control information they need about a user's identity. SAML is most commonly utilized by businesses to allow customers to access paid services, whereas OIDC is best suited for mobile and single-page web applications.
An identity provider (IdP) can choose to implement either protocol as the basis for user identity management. An IdP is a trusted third party that authenticates users and provides them with a single set of credentials that can be used to access multiple applications. This frees users from the burden of remembering multiple username and password combinations and makes it easier for organizations to manage security and control access to their systems.
Security Assertion Markup Language (SAML)
SAML (SAML 2.0 since 2005) is an authentication and authorization standard. Authentication proves that users are who they claim to be, while authorization allows authenticated parties to do what they request. SAML is an XML-based protocol for exchanging security information online. Because SAML enables single sign-on (SSO), a user can authenticate once and then access multiple applications without having to re-enter credentials.
SAML exchanges take place between system entities referred to as an asserting party (also called a SAML authority) and a relying party (RP) that processes the security assertions it receives. Security assertions are standardized XML statements on which the relying party bases its access control decisions.
OpenID Connect (OIDC)
OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2.0 authorization framework. OIDC allows third-party applications to obtain basic end-user profile information and verify an end user's identity. It supports a wide range of client types, from single-page applications (SPAs) to native and mobile apps. Like SAML, OIDC may also be used to provide single sign-on (SSO) across apps.
SAML vs. OIDC: What’s the Difference?
The main difference between SAML and OIDC is that SAML builds the trust relationship between the service provider (SP) and the IdP, whereas OIDC trusts the channel (HTTPS) that is used to obtain the security token.
SAML is an older standard and more widely adopted in enterprises that use web-based applications, while OIDC is newer and gaining traction with mobile and native applications.
Enterprises that adopt SAML must use a SAML-based IdP to authenticate users. When a user requests access, the SP asks the IdP to authenticate the user, and the IdP returns an assertion to the SP. If authentication is successful, the IdP grants the user access to multiple web applications based on a single set of login credentials.
OIDC uses a public, third-party IdP to authenticate users. Examples of IdPs that support OIDC include Google, Microsoft, and Amazon. With OIDC, a user can gain access to an application by signing on with a trusted, OIDC-compatible account.
SAML is more complex than OIDC, making it more challenging to implement. SAML uses verbose XML to exchange identity data, which creates heavier data handling loads. In contrast, OIDC is simpler to implement because it relies on HTTPS (TLS, formerly SSL) for transport encryption, which is already integrated on both the client and server sides, and it is easily accessible through application programming interfaces (APIs). Because OIDC relies on encoded JSON Web Tokens (JWTs) to authenticate users, it is a lighter-weight solution that delivers better performance.
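The JWT side of this comparison, as an added example that is not from the original article or StrongDM: a stdlib-only Python round trip in which a hypothetical IdP mints an HS256-signed ID token and the relying party performs the checks OIDC Core requires before trusting it (pinned algorithm, signature, issuer, audience, expiry, nonce). The issuer URL, client ID and client secret are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example: hypothetical IdP issuer, RP client ID and shared secret.
ISSUER = "https://idp.example.com"
CLIENT_ID = "rp-client-123"
CLIENT_SECRET = b"constructed-client-secret-for-demo-only"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, secret: bytes) -> str:
    """IdP side: mint an HS256-signed ID token (JWT) from a claims dict."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_id_token(token: str, secret: bytes, expected_nonce: str, now: float) -> dict:
    """RP side: the checks OIDC Core 3.1.3.7 requires before the token is trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # only now are the claims worth reading
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or injected token)")
    return claims

def demo() -> dict:
    """Constructed round trip at a fixed clock: mint, then validate one minute later."""
    issued = 1_700_000_000
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "iat": issued, "exp": issued + 600, "nonce": "n-abc"}
    return validate_id_token(make_id_token(claims, CLIENT_SECRET), CLIENT_SECRET, "n-abc", issued + 60)
```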
Similarities Between SAML and OIDC
SAML and OIDC are similar in that they are both authentication protocols that provide users with a single sign-on experience. Both standards are highly secure and can be customized to improve user privacy by controlling which user attributes (called claims) are shared. In addition, both utilize a third-party identity provider to authenticate.
SAML and OIDC Use Cases
In the following sections, we will introduce three use cases: brute force attack prevention, phishing attack prevention, and general privacy protection. We will discuss how SAML and OIDC handle each use case.
Brute force attack prevention
A brute force attack is a hacking method that uses trial and error to crack passwords, encryption keys, and other login credentials. Blocking attempts to guess passwords or other authentication credentials is a critical security control that can stop this kind of unauthorized access to systems and data.
SAML
SAML protects against brute force attacks through a strong authentication process that leverages multiple factors—for instance, something the user knows (a password), something the user has (a security token), or something the user is (biometrics).
OIDC
OIDC protects against brute force attacks by using a challenge-response mechanism. In this type of authentication, the user must prove their identity by solving a challenge such as a security question. This additional step makes it more difficult for an attacker to guess a valid user credential successfully.
Phishing attack prevention
A phishing attack is a way for hackers to steal user data, including login credentials, encryption details, and even credit card numbers. In a phishing attack, the attacker impersonates a known entity to win trust and gain access to sensitive information. A common example is a spoofed email from a bank claiming a lock on the user’s account unless the user provides information to prove their identity. The hacker then uses this information to gain access to the user’s bank account. At the organizational level, preventing phishing attacks is imperative to protect an organization’s sensitive data, finances, and reputation.
SAML
SAML protects against phishing attacks by storing the user’s identity, location data, timestamps, and validity conditions within an encrypted SAML assertion. The IdP can then return the SAML assertion to the service provider, granting the user access to the requested applications.
OIDC
Because OIDC allows users to sign on to an application through a trusted third party such as Google, users can skip the step of signing up for an account on that application. If no account exists for that user, there are no login credentials for a hacker to exploit.
Privacy protection
Privacy protection is an overall approach to keeping your information from getting into the wrong hands. Examples include protecting personal data, stopping unwanted solicitations, and protecting email addresses.
SAML
SAML provides privacy protection by allowing organizations to extract and delete sensitive data pertaining to a specific user.
OIDC
OIDC provides privacy protection by allowing users to control which claims—that is, individual pieces of information—are released to the relying party (RP) that provides access to an application. By specifying which claims get shared with the RP, the user can ensure that only the necessary information is shared. For example, a user may choose to share only their name and email address, but not their birthdate or home address.
SAML or OIDC? Which One Should You Choose?
OIDC and SAML are both powerful authentication protocols, each having unique features and benefits. Below are some factors to consider when deciding which one best fits the needs of your organization.
- If fast and easy implementation is your primary consideration, choose OIDC. It is much simpler to get up and running than SAML.
- If your organization uses an API-centered architecture, OIDC will provide a better experience for users of native and single-page applications. OIDC is lightweight and more performance-friendly than SAML.
- For large enterprises that require a higher level of security, SAML might be the better choice. SAML allows multi-factor authentication. It is a more mature standard with a proven track record and more feature-rich than OIDC.
SAML vs. OIDC: Frequently Asked Questions
Can OIDC replace SAML?
Yes, OIDC can replace SAML. However, because OIDC is newer and still evolving, it lacks some high-security features that are needed by certain sectors, such as the banking industry.
Is SAML obsolete?
SAML is a major player in SSO and won’t be phased out anytime soon. Many companies still use SAML, especially with enterprise-level applications. But visible signs of change are on the horizon. SAML will continue to play a role in SSO for the foreseeable future, but OIDC is quickly gaining ground. Eventually, OIDC will likely replace SAML as the industry standard.
Is OpenID Connect past its prime?
No, OpenID Connect is not on the decline. While other authentication protocols have gained popularity in recent years, OpenID Connect is still a widely used and supported standard. In fact, many newer authentication protocols have been built on top of OpenID Connect or leverage its capabilities.
How StrongDM Can Help with SAML and OIDC
SAML and OIDC are both powerful authentication standards, and both support SSO. SAML is a mature standard that is better suited for large enterprises that require a higher level of security, whereas OIDC delivers a lightweight, high-performance solution that provides a frustration-free user experience for mobile and single-page web applications.
StrongDM provides a central location for managing and controlling access to your organization’s infrastructure, including databases, servers, clusters, and more. StrongDM offers a variety of features that leverage your SSO provider and make using SAML and OIDC seamless for authentication.
Is SAML or OIDC Right for Your Business?
The right authentication standard for your business depends on your organization’s unique needs, including the level of protection required, the volume of login traffic per day, and what types of applications need to be secured.
By knowing the differences between SAML and OIDC and understanding which solution fits your organization best, you can strengthen your network while keeping workflows and costs in mind.
About the Author
Schuyler Brown, Chairman of the Board, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.