Understanding OIDC and SAML Connections for Secure Access
If you’ve attended our recent webinars on GoVerifyID, especially our webinar discussing integrations, you’ve heard us talking about OIDC and SAML connectors. If you’re not already familiar with what the acronyms stand for, however, understanding what they are and what they’re for (or why they’re different) can be confusing.
This will be a high-level overview of the two secure connectors to help explain what they are and when each is used.
Both connectors are open standards for authentication and authorization of users between an identity provider and a service provider. An identity provider is the entity providing the identity record. Common identity providers are social media sites like Facebook or Twitter, or enterprise applications such as Windows Active Directory. The service provider is the entity providing the service (as you might have assumed); the service can be something as silly as a quiz whose results you’re sharing to your Facebook timeline, or it can be professional in nature, such as accessing Salesforce.
The OIDC authentication protocol adds an identity layer on top of an existing authorization framework, OAuth 2.0. It uses JSON security tokens, known as JSON Web Tokens (JWTs), to carry user information between the service provider and the user’s identity provider.
SAML, on the other hand, is XML-based when providing authentication between the user’s identity provider and the service provider. It is widely used and extremely common in single sign-on applications.
OIDC - OpenID Connect
OIDC stands for OpenID Connect. It adds a layer of identification on top of the authorization baseline that OAuth 2.0 provides, giving applications and identity providers a secure way to exchange identity attributes.
OIDC is lightweight and easy to implement, which makes it well suited to mobile applications (and is part of why it is a common single sign-on protocol for mobile games and social media integrations). OIDC relies on HTTPS, so it requires a secure connection.
OpenID Connect works by passing JSON Web Tokens between the service provider and the identity provider. These tokens carry standardized claims defined by the OIDC specifications; common claims include birth date, name, and email address. The tokens typically contain information about the user along with associated metadata.
This protocol is most commonly used by mobile applications, or web-based applications that are also available as mobile apps, such as Facebook. If you’ve ever posted a quiz result to Facebook and allowed the quiz site to post to Facebook on your behalf, that interaction was through an OIDC connector.
SAML - Security Assertion Markup Language
Similar to OIDC, SAML allows an identity provider to share authorization information with service providers. Security Assertion Markup Language (SAML) is an open standard that lets multiple systems on a shared network exchange security credentials. SAML is the XML-based language used to share that information, keeping it encoded and secured in transit.
While OIDC makes it easy for mobile applications to exchange authentication and authorization information, SAML is the common choice for Software as a Service (SaaS) solutions doing the same. Because SAML is XML-based, it can authenticate or authorize users over non-HTTPS connections, which is one reason it is so common in enterprise applications. SAML is likely the connection in use if your organization is enabling single sign-on for Salesforce, for example.
Is one better than the other?
Both OIDC and SAML are industry standards for secure authentication and authorization; they are simply applied in different ways and circumstances. One isn’t necessarily better or worse than the other - each has scenarios it is better suited for.
That is why GoVerifyID can use either protocol, making it adaptable to any enterprise environment. Each organization has a unique technology stack, along with its own specifically configured protocols and workflows for identity and access management.
Learn more about easily replacing passwords and enabling single sign-on with biometric security in this 30-minute on-demand webinar.