Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SAML 2.0 vs OpenID

Given that SAML 2.0 supports the "federation" concept, and given that well-know players like Google use SAML, can someone explain why some other services (e.g., stackoverflow) use OpenID? Is that just a historical reason?

like image 674
chen Avatar asked Oct 18 '12 18:10

chen


People also ask

Is OpenID better than SAML?

If your organization uses an API-centered architecture, OIDC will provide a better experience for users of native and single-page applications. OIDC is lightweight and more performance-friendly than SAML. For large enterprises that require a higher level of security, SAML might be the better choice.

What is difference between SAML and OAuth and OpenID?

Security Assertion Markup Language (SAML) is an open standard that attempts to bridge the divide between authentication and authorization. OAuth is an open authorization standard. OpenID Connect is an authentication standard that runs on top of OAuth 2.0.

What is difference between OAuth2 and SAML?

Primarily, SAML 2.0 is designed to authenticate a user, so providing user identity data to a service. OAuth 2.0 is designed as an authorization protocol permitting a user to share access to specific resources with a service provider.


2 Answers

First I should say Google is a SAML provider and as well as an OpenID Provider.

In case of stackoverflow, if they are willing use SAML 2.0 for SSO, then they need to couple stackoverflow with Google or any other SAML Provider in advance. And when stackoverflow has coupled to many SAML providers, when a user tried to login, stackoverlow needs a mechanism to figure out to which identity provider it should redirect the user for authentication. (you may use SAML 2.0 Profiles, section 4.3 Identity Provider Discovery Profile). But anyways this is going to be a painful implementation.

But with OpenID, it has its own discovery profile, stackoverflow doesn't have to know the Identity Provider in advance, no direct coupling. So they are using the correct protocol.

like image 144
SureshAtt Avatar answered Sep 27 '22 22:09

SureshAtt


As far as my knowledge:

OpenID allows a web (stackoverflow) to use identity from various OpenID providers (and there is no sharing identity on this)

SAML (/w federation) allows an Identity to be shared in various service providers/web(s)

like image 29
yudis Avatar answered Sep 27 '22 23:09

yudis