Given that SAML 2.0 supports the "federation" concept, and given that well-know players like Google use SAML, can someone explain why some other services (e.g., stackoverflow) use OpenID? Is that just a historical reason?
If your organization uses an API-centered architecture, OIDC will provide a better experience for users of native and single-page applications. OIDC is lightweight and more performance-friendly than SAML. For large enterprises that require a higher level of security, SAML might be the better choice.
Security Assertion Markup Language (SAML) is an open standard that attempts to bridge the divide between authentication and authorization. OAuth is an open authorization standard. OpenID Connect is an authentication standard that runs on top of OAuth 2.0.
Primarily, SAML 2.0 is designed to authenticate a user, so providing user identity data to a service. OAuth 2.0 is designed as an authorization protocol permitting a user to share access to specific resources with a service provider.
First I should say Google is a SAML provider and as well as an OpenID Provider.
In case of stackoverflow, if they are willing use SAML 2.0 for SSO, then they need to couple stackoverflow with Google or any other SAML Provider in advance. And when stackoverflow has coupled to many SAML providers, when a user tried to login, stackoverlow needs a mechanism to figure out to which identity provider it should redirect the user for authentication. (you may use SAML 2.0 Profiles, section 4.3 Identity Provider Discovery Profile). But anyways this is going to be a painful implementation.
But with OpenID, it has its own discovery profile, stackoverflow doesn't have to know the Identity Provider in advance, no direct coupling. So they are using the correct protocol.
As far as my knowledge:
OpenID allows a web (stackoverflow) to use identity from various OpenID providers (and there is no sharing identity on this)
SAML (/w federation) allows an Identity to be shared in various service providers/web(s)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With