What is the Real Difference Between SAML and OIDC

As an Identity and Access Management (IAM) solution provider, we give our users several options when they need to configure authentication connections to applications. Two of the main authentication protocols are:

  • Security Assertion Markup Language (SAML)
  • OpenID Connect (OIDC)


Most applications will only support one of these options, but occasionally you might have to choose between SAML and OIDC. So, it might be helpful to know what the difference is so you can choose which will work best for your organization.

How are SAML and OIDC similar?

Both SAML and OIDC are identity protocols. They provide a means by which users can be authenticated and user information can be securely transmitted between the system doing the authentication, known as the Identity Provider (IdP), and the service or application the user is trying to access. A key step in enabling this form of Single Sign-On (SSO) is setting up trust between the IdP and the application. SAML and OIDC are key protocols in any SSO solution because the purpose of SSO is that users authenticate only once with the IdP and can then access any application that has been configured to trust the IdP.

The basic login flow for both is the same.

  1. A user logs in to the Identity Provider.
  2. They select which app they want to go to.
  3. The user’s information is passed from the IdP to the user’s browser.
  4. Their information is then passed on to the application.
  5. The application confirms they are authorized to access resources.
  6. The user is allowed into the application.


Basic login flow for both SAML and OIDC

The login flow could also look like this.

  1. A user attempts to log directly into the application.
  2. The application redirects their login request through the user’s browser to the IdP.
  3. The user logs in to the IdP or is confirmed to already be logged in to the IdP.
  4. The IdP confirms the user has access to the application that sent the request.
  5. The user’s information is passed from the IdP to the user’s browser.
  6. Their information is then passed on to the application.
  7. The application confirms they are authorized to access resources.
  8. The user is allowed into the application.


Login flow for both SAML and OIDC

How do SAML and OIDC differ?

SAML

SAML is older than OIDC; it first came on the scene in 2005. It transmits user data such as usernames, first names, and last names using XML.

SAML refers to the application as the Service Provider (SP) and refers to the information it is sending from the IdP to the SP as an assertion.

In fact, the first flow we described above is referred to as an Identity Provider-Initiated (IdP-Initiated) SSO.

Identity Provider-Initiated SSO

The flow that begins with the user attempting to log directly into the application or SP first is referred to as Service Provider-Initiated (SP-Initiated) SSO.

Service Provider-Initiated SSO

SAML is still one of the most popular SSO protocols in use today.

OIDC

OIDC is built on top of the OAuth 2.0 protocol. Whereas OAuth 2.0 is used to set up trust between two applications, such as two websites, so that they can send data back and forth, OIDC works at the individual or user level.

OIDC login flows work in the same way as SAML login flows, but there are three main differences:

  1. SAML transmits user data in XML format. OIDC transmits user data in JSON format.
  2. SAML calls the user data it sends a SAML Assertion. OIDC calls the data Claims.
  3. SAML calls the application or system the user is trying to get into the Service Provider. OIDC calls it the Relying Party.


So the overall flow looks the same, just the labels are different.
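The three differences above, shown side by side in an added example (not OneLogin's code): the same user arrives as a SAML assertion and as OIDC claims, and both map onto one identity record that the SP or RP checks the same way. The field names (Issuer, Audience, NotOnOrAfter; iss, aud, exp) come from the SAML 2.0 and OIDC specifications rather than this page, the example.com identifiers and sample data are constructed, and signature verification is assumed to have happened before these functions run.

```python
import base64, json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (not from a real IdP); the XML signature is omitted.
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
 <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"><saml:AudienceRestriction>
  <saml:Audience>https://app.example.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="firstName">
  <saml:AttributeValue>Jane</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed ID token (header.payload.signature); the signature is a placeholder.
ID_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url({
    "iss": "https://idp.example.com", "sub": "jdoe", "given_name": "Jane",
    "aud": "https://app.example.com", "exp": 1893456000}), "placeholder"])

def from_saml(xml_text):
    """Map a SAML assertion (XML) onto a protocol-neutral identity dict."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted XML
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    not_after = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    expires = datetime.strptime(not_after, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "audiences": [e.text for e in root.iterfind(".//saml:Audience", NS)],
            "expires": expires.timestamp(), "first_name": attrs["firstName"]}

def from_oidc(id_token):
    """Map the claims (JSON) of an OIDC ID token onto the same dict."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    aud = claims["aud"]  # a string or a list of strings
    return {"issuer": claims["iss"], "subject": claims["sub"],
            "audiences": aud if isinstance(aud, list) else [aud],
            "expires": float(claims["exp"]), "first_name": claims["given_name"]}

def accept(identity, trusted_issuer, own_id, now):
    """Trust checks the SP / RP applies to either format, after verifying the signature."""
    return (identity["issuer"] == trusted_issuer and own_id in identity["audiences"]
            and now < identity["expires"])
```

Both parsers return the same record, so `accept` rejects an assertion or token that was issued by an untrusted IdP, addressed to a different application, or presented after it expired, regardless of which protocol carried it.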

OIDC login flow

OpenID Connect is gaining in popularity. It is much simpler to implement than SAML and easily accessible through APIs because it works with RESTful API endpoints. This also means it works much better with mobile applications.

When configuring SSO to an application through an IdP like OneLogin, you will not often have a choice between SAML and OIDC. Your choices are based upon what the application developers choose to support. But if you do have the choice, it is important to understand what the difference is between the two and which one is more likely to be supported longer. At this point in time, because developers find OIDC much easier to work with and because it is more flexible, OIDC looks like it will become the winner.