What are SAML and OIDC?
SAML (Security Assertion Markup Language) and OIDC (OpenID Connect) are two prominent protocols for Single Sign-On (SSO). Both serve a similar purpose but differ significantly in structure, usage, and technical details.
Key Differences Explained
Data Structure: SAML uses XML, which is verbose and complex but suitable for rich, structured data exchange. OIDC, using JSON, is more lightweight and well-suited for web and mobile applications.
Token Format and Transport: SAML relies on assertions, XML documents containing statements about the user, which are signed and often also encrypted. OIDC uses signed JSON Web Tokens (JWTs); the access token is typically carried in the HTTP Authorization header as a bearer token, which makes OIDC a natural fit for REST APIs.
Ease of Integration: SAML is more complex, requiring significant setup, while OIDC is easier to implement due to its JSON and RESTful approach, widely supported by modern applications.
Single Logout (SLO): SAML has more comprehensive SLO support, whereas OIDC’s logout implementations are not standardized, making SAML more suitable for unified session termination across multiple services.
Session Management and Token Expiry: OIDC offers better built-in session management and token handling capabilities, with configurable token lifespans and support for refresh tokens.
SAML is ideal for enterprise, web-based SSO needs, while OIDC excels in applications where lightweight, web, and mobile compatibility are priorities.
This table portrays the differences in a simple way:
| Aspect | SAML (Security Assertion Markup Language) | OIDC (OpenID Connect) |
|---|---|---|
| Protocol Type | XML-based, focused on authentication and authorization | JSON/REST-based, focused on authentication with optional profile data |
| Primary Use Case | Enterprise applications, especially for web-based SSO | Web and mobile applications, particularly within the OAuth 2.0 ecosystem |
| Data Format | XML | JSON (JWT, JSON Web Tokens) |
| Token Type | SAML Assertions (XML-based) | ID Token, Access Token (JWT) |
| Transport Mechanism | Typically uses the HTTP POST and HTTP Redirect bindings | RESTful API calls over HTTPS |
| Identity Provider (IdP) | The primary entity responsible for authentication | Also responsible for authentication, but usually referred to as the Authorization Server |
| Service Provider (SP) | Entity relying on the SAML assertion for user access | Relying Party (RP) using the OIDC ID token to verify user identity |
| Message Structure | Verbose XML messages, which can be complex | Lightweight, concise JSON tokens |
| Supported Authentication | Username/Password, Multi-Factor Authentication, SAML assertions | Username/Password, Multi-Factor Authentication, OAuth 2.0 mechanisms |
| Session Management | Limited native session management, often requires customization | Native session support via OAuth 2.0 flows, token expiration and refresh |
| Encryption | Built-in encryption and digital signatures | Can be used with encryption, but encryption is not mandatory |
| Single Logout (SLO) | Supports Single Logout across connected services | Limited support for Single Logout |
| Federation Support | Designed with federated identity management in mind | Basic federation capabilities, mainly intended for web and mobile apps |
| Token Expiry | SAML assertions are typically short-lived | Configurable expiration for tokens (ID Token, Access Token) |
| Popularity | Commonly used in enterprise applications and internal networks | Widely used in consumer-facing apps and mobile applications |
| Ease of Implementation | Complex to implement and maintain | Easier, RESTful, and web-friendly thanks to JSON and simpler libraries |
| Standards Organization | OASIS (Organization for the Advancement of Structured Information Standards) | OpenID Foundation |
The Trio business platform lets users choose either of these two protocols when integrating with their preferred SSO platform (Okta, for example). Once the integration is configured within the organization, users manage the user authentication process from the unified dashboard that Trio provides.
If you have more questions regarding the protocols, please contact Trio support.